Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-53913

Problematic new function Expected Parameters for some user function fill_properties_cache()

    XMLWordPrintable

    Details

    • Database:
      PostgreSQL
    • Testing Instructions:
      Hide
      Pre-requisites

      *This should be tested on 3.0 to 2.7.

      1. Create a new table in MySQL or PostgresSQL or duplicate and rename the user table.
      2. Add some invalid data in the fields:
        Field Value
        firstname Stan <script>alert('hello')</script>
        lastname Marsh <script>alert('hello')</script>
        mnethostid 123465
      3. Feel free to add more invalid data to test other fields sanitizing.
      Testing
      1. Enable external database authentication.
        1. Site administration ► Plugins ► Authentication ► External database
        2. Type the address of your database host (e.g. localhost)
        3. Select the database type, type the name of the database and the name of the table
        4. Fill in the database username and password
        5. Write the names of your username and password fields
        6. Map the custom fields you've created. Eg. First name -> First name. Be sure to set "Update local" to "On every login".
      2. Run php auth/db/cli/sync_users.php
      3. Ensure all users in the db are created with correct details and the malicious code were sanitized. (<script> tags)
        • The mnethostid should not be changed.
      4. On your external database update the user data of a the user removing the xss from that user.
      5. Run php auth/db/cli/sync_users.php again and make sure the user data were updated on your moodle instance.
      6. Try to tweak other users and fields, making sure the data on the external database matches the information on your moodle instance.
      Run unit tests and make sure it pass:
      1. vendor/bin/phpunit auth/db/tests/db_test.php
      Show
      Pre-requisites *This should be tested on 3.0 to 2.7. Create a new table in MySQL or PostgresSQL or duplicate and rename the user table. Add some invalid data in the fields: Field Value firstname Stan <script>alert('hello')</script> lastname Marsh <script>alert('hello')</script> mnethostid 123465 Feel free to add more invalid data to test other fields sanitizing. Testing Enable external database authentication. Site administration ► Plugins ► Authentication ► External database Type the address of your database host (e.g. localhost) Select the database type, type the name of the database and the name of the table Fill in the database username and password Write the names of your username and password fields Map the custom fields you've created. Eg. First name -> First name. Be sure to set "Update local" to "On every login". Run php auth/db/cli/sync_users.php Ensure all users in the db are created with correct details and the malicious code were sanitized. (<script> tags) The mnethostid should not be changed. On your external database update the user data of a the user removing the xss from that user. Run php auth/db/cli/sync_users.php again and make sure the user data were updated on your moodle instance. Try to tweak other users and fields, making sure the data on the external database matches the information on your moodle instance. Run unit tests and make sure it pass: vendor/bin/phpunit auth/db/tests/db_test.php
    • Affected Branches:
      MOODLE_30_STABLE
    • Fixed Branches:
      MOODLE_27_STABLE, MOODLE_28_STABLE, MOODLE_29_STABLE, MOODLE_30_STABLE
    • Pull from Repository:

      Description

      External Database enrollment overwrites mnethostid value as it appears as if the expected parameter is param_boolean. This value however should be numeric.

      My user object included an mnethostid of 4 but is replaced by 1 -> INCORRECT.

      There may be a number of other fields which may not be valid.

      I would likely use

      PARAM_INT

      To attempt, create a new user with a mnethost other than 0 or 1.

      auth/db.auth.php -> clean_data function calls
      /lib/classes/user.php get_property_definition calls
      /lib/classes/user.php fill_properties_cache

      A number of parameter types are incorrect causing the replacement for example of the menthostid value passed by the function.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                1 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  9/May/16