[MDL-55178] TeX filter allows unauthenticated generated image viewing - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Won't Fix
Affects Version/s: 2.9.7, 3.1.1
Fix Version/s: None
Component/s: Filters, Maths filters
Labels:
None

Affected Branches:
MOODLE_29_STABLE, MOODLE_31_STABLE
Workaround:

Hide

Use Mathjax filter instead of TeX.

Show
Use Mathjax filter instead of TeX.

Description

Full Steps:
1) Access Moodle, enable TeX filter.
2) Enter some valid LaTeX into Moodle
3) Note URL for generated LaTeX in page (using developer tools or similar)
4) Logout of Moodle
5) Access above URL, LaTeX is returned without being authenticated.

What I expected:
That accessing the generated LaTeX would be unsuccessful due to be unauthenticated.

What actually happened:
LaTeX image was returned to the browser while unauthenticated.

It could be possible to generate random strings that match an MD5 sum and retrieve some (or given enough time, all) of the generated .GIF files stored in moodledata/filter/tex/*

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: James McLean

Participants:: Frédéric Massart, James McLean

Component watchers:: David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo, David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 11/Jul/16 10:33 PM

Updated:: 15/Jul/16 4:19 PM

Resolved:: 15/Jul/16 4:19 PM