  1. Moodle
  2. MDL-49800

Do not allow templates in sub folders.


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.9
    • Fix Version/s: 2.9
    • Component/s: JavaScript, Themes
    • Labels:
    • Testing Instructions:
      1. Create the file empty_page.php using the following:

        <?php
        require_once('config.php');
        $PAGE->set_context(context_system::instance());
        $PAGE->set_url('/empty_page.php');
        $PAGE->set_heading('Empty page');
        $PAGE->set_pagelayout('admin');
        echo $OUTPUT->header();
        echo $OUTPUT->render_from_template('core/notification_problem', array('message' => 'Notification displayed'));
        // echo $OUTPUT->render_from_template('core/output/notification_problem', array('message' => 'Notification that should NOT be displayed'));
        echo $OUTPUT->footer();
        

      2. Copy lib/templates/notification_problem.mustache to lib/templates/output/notification_problem.mustache
      3. Access that page, and confirm that the first notification is displayed
      4. Uncomment the notification that was commented, and comment the other one
      5. Refresh the page, and confirm that an exception is raised because the file is in a subdirectory

      If time allows, that'd be good to test again on a Windows server

    • Affected Branches:
      MOODLE_29_STABLE
    • Fixed Branches:
      MOODLE_29_STABLE
    • Epic Link:
    • Pull from Repository:
    • Pull Master Branch:
      MDL-49800-master
    • Sprint:
      Team '; drop tables Sprint 6

      Description

      Currently this accidentally works for templates rendered in php - but does not work for javascript templates, or the template library tool. It is not a good idea because:

      • Nested template folders make it harder for a themer to work out where to put their overridden template
      • Path issues on different OS
      • Security issues (core/../../../../../../../passwd) (This is not a real issue, just an example).
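
An added example (not Moodle's own code and not part of the original issue): one way to enforce the "no sub folders" rule when resolving a template name, checked against the names used in this issue. The function name `resolve_template_path` and the component-to-directory map are hypothetical.

```php
<?php
// Added example, not Moodle code. Function name, component map and paths are hypothetical.

/**
 * Map "component/templatename" to a .mustache file, refusing sub folders.
 *
 * @param string $name Template name as passed to a renderer.
 * @param array $componentdirs Constructed map of component => templates directory.
 * @return string Path of the template file.
 * @throws InvalidArgumentException If the name is not exactly "component/templatename".
 */
function resolve_template_path(string $name, array $componentdirs): string {
    $parts = explode('/', $name);
    if (count($parts) !== 2) {
        // No slash: component missing. Two or more: a sub folder or a traversal attempt.
        throw new InvalidArgumentException("Template names must be 'component/templatename': $name");
    }
    [$component, $template] = $parts;
    // Allow-list both halves: rejects '..', '\' (Windows separator), NUL bytes and empty segments.
    // The D modifier stops '$' from matching before a trailing newline.
    if (!preg_match('/^[a-z][a-z0-9_]*$/D', $component) || !preg_match('/^[a-z0-9_-]+$/D', $template)) {
        throw new InvalidArgumentException("Invalid characters in template name: $name");
    }
    if (!isset($componentdirs[$component])) {
        throw new InvalidArgumentException("Unknown component: $component");
    }
    return $componentdirs[$component] . '/' . $template . '.mustache';
}

// Constructed sample input: the names from this issue plus a Windows-style separator.
$dirs = ['core' => 'lib/templates'];
$names = [
    'core/notification_problem',
    'core/output/notification_problem',
    'core/../../../../../../../passwd',
    'core/output\\notification_problem',
    'notification_problem',
];
foreach ($names as $name) {
    try {
        echo str_pad($name, 36), ' => ', resolve_template_path($name, $dirs), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo str_pad($name, 36), ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Only the first name resolves (to `lib/templates/notification_problem.mustache`); the other four are rejected before any file path is built.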


              People

              Assignee:
              fred Frédéric Massart
              Reporter:
              damyon Damyon Wiese
              Peer reviewer:
              Simey Lameze
              Integrator:
              Dan Poltawski
              Tester:
              Adrian Greeve
              Participants:
              Component watchers:
              Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Bas Brands
              Votes:
              0
              Watchers:
              4

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                11/May/15