MDL-48753: badges_get_user_badges uses concatenation to form an SQL statement


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.6.6, 2.7.3, 2.8.2, 2.9
    • Fix Version/s: 2.7.5, 2.8.3
    • Component/s: Badges
    • Labels:
    • Testing Instructions:
      1. Run unit tests on `vendor/bin/phpunit core_badges_badgeslib_testcase badges/tests/badgeslib_test.php`
      2. Run behat tests on @core_badges (thanks Yuliya for already covering this)
      3. Create a badge
      4. Issue it to a user
      5. Log in as that user and browse to your profile
      6. Check you see the badge.
    • Affected Branches:
      MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE, MOODLE_29_STABLE
    • Fixed Branches:
      MOODLE_27_STABLE, MOODLE_28_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-48753_master

      Description

      The function badges_get_user_badges in lib/badgeslib.php is using concatenation to form part of an SQL statement.
      While all current core uses are safely handling the concatenated param, it could potentially be exploited if the calling code was sloppy.
      This is a pretty minor issue at this point, but one that really should be addressed.
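      The risk the description points at, shown as an added example that is not code from this tracker issue or from Moodle (Moodle's own function is PHP on its DML layer; this reproduces the same pattern in Python with sqlite3). The badge tables, the sample rows and the "sloppy caller" input are constructed for the demonstration, and the course filter is assumed to be the concatenated piece.

```python
# Added example, not code from the Moodle tracker issue or from Moodle itself.
# It reproduces the pattern the issue describes (a WHERE clause extended by
# string concatenation) in Python/sqlite3 so the risk can be exercised offline.
# Table and column names are simplified stand-ins for Moodle's badge tables.
import sqlite3


def make_db():
    """Build a constructed in-memory dataset: three badges, two users."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE badge (id INTEGER PRIMARY KEY, name TEXT, courseid INTEGER);
        CREATE TABLE badge_issued (id INTEGER PRIMARY KEY, badgeid INTEGER,
                                   userid INTEGER, visible INTEGER);
        INSERT INTO badge VALUES (1, 'Course 1 badge', 1),
                                 (2, 'Course 2 badge', 2),
                                 (3, 'Site badge', 0);
        INSERT INTO badge_issued VALUES (1, 1, 10, 1),
                                        (2, 2, 10, 0),
                                        (3, 3, 20, 1);
        """
    )
    return con


BASE_SQL = (
    "SELECT b.id FROM badge b JOIN badge_issued bi ON b.id = bi.badgeid "
    "WHERE bi.userid = ?"
)


def get_user_badges_concat(con, userid, courseid=0):
    """'Before' form: the optional course filter is spliced into the SQL text.

    Safe only as long as every caller guarantees courseid is an integer."""
    sql, params = BASE_SQL, [userid]
    if courseid != 0:
        sql += " AND b.courseid = " + str(courseid)  # concatenation
    return [row[0] for row in con.execute(sql + " ORDER BY b.id", params)]


def get_user_badges_param(con, userid, courseid=0):
    """Hardened form: the filter value travels as a bound parameter, so the
    database never interprets it as SQL, whatever the caller passes."""
    sql, params = BASE_SQL, [userid]
    if courseid != 0:
        sql += " AND b.courseid = ?"
        params.append(courseid)
    return [row[0] for row in con.execute(sql + " ORDER BY b.id", params)]


def sloppy_caller(con, fetch):
    """A caller that forwards a request value without cleaning it. The value
    is constructed attacker input standing in for an unvalidated parameter."""
    untrusted_courseid = "1 OR 1=1"
    return fetch(con, 10, untrusted_courseid)


if __name__ == "__main__":
    db = make_db()
    print("concat, honest caller:", get_user_badges_concat(db, 10, 1))
    print("param,  honest caller:", get_user_badges_param(db, 10, 1))
    # With concatenation the crafted value rewrites the WHERE clause
    # ("... AND b.courseid = 1 OR 1=1") and returns every issued badge,
    # including user 20's.
    print("concat, sloppy caller:", sloppy_caller(db, get_user_badges_concat))
    # With a bound parameter it is just a string that matches no courseid.
    print("param,  sloppy caller:", sloppy_caller(db, get_user_badges_param))
```

      The two functions behave identically for a well-behaved caller; they diverge only when a caller stops cleaning its input, which is exactly the "sloppy calling code" case the description allows for. In Moodle the callers clean request values (for example with PARAM_INT), which is why the existing uses are safe; binding the value instead of concatenating it removes the dependence on every present and future caller doing so.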

            People

            Assignee:
            samhemelryk Sam Hemelryk
            Reporter:
            samhemelryk Sam Hemelryk
            Peer reviewer:
            Mark Nelson
            Integrator:
            Eloy Lafuente (stronk7)
            Tester:
            Rajesh Taneja
            Participants:
            Component watchers:
            Yuliya Bozhko, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona)
            Votes:
            0
            Watchers:
            4

              Dates

              Fix Release Date:
              2/Feb/15