Moodle / MDL-55178

TeX filter allows unauthenticated generated image viewing

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 2.9.7, 3.1.1
    • Fix Version/s: None
    • Component/s: Filters, Maths filters
    • Labels:
      None
    • Workaround:
      Use Mathjax filter instead of TeX.
    • Affected Branches:
      MOODLE_29_STABLE, MOODLE_31_STABLE

      Description

      Full Steps:
      1) Access Moodle, enable TeX filter.
      2) Enter some valid LaTeX into Moodle
      3) Note URL for generated LaTeX in page (using developer tools or similar)
      4) Logout of Moodle
      5) Access above URL, LaTeX is returned without being authenticated.

      What I expected:
      That accessing the generated LaTeX would be unsuccessful due to being unauthenticated.

      What actually happened:
      LaTeX image was returned to the browser while unauthenticated.

      It could be possible to generate random strings that match an MD5 sum and retrieve some (or given enough time, all) of the generated .GIF files stored in moodledata/filter/tex/*
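
A way to watch for the name-guessing described in the report from the web server side, as an added example that is not part of the original report or of Moodle's code: it counts how many distinct MD5-named TeX images each client requests in an access log. The URL shape (`/filter/tex/pix.php/<md5>.gif`), the combined log format, the threshold of 20 and the sample log lines are all assumptions constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Assumption: TeX filter images are served from a path of this shape, with the
# file named after a 32-hex-digit MD5. Adjust to what your site actually serves.
TEX_IMG = re.compile(
    r"/filter/tex/pix\.php[/?](?:file=)?/?([0-9a-f]{32})\.(?:gif|png|svg)", re.I)
# Common/combined access log format: client, request line, status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')


def distinct_tex_names(lines):
    """Map each client address to the set of distinct image hashes it requested."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a GET/HEAD request line in the expected format
        client, path, _status = m.groups()
        img = TEX_IMG.search(path)
        if img:
            seen[client].add(img.group(1).lower())
    return seen


def flag_enumeration(lines, threshold=20):
    """Return {client: count} for clients asking for more than `threshold` distinct hashes."""
    counts = {c: len(names) for c, names in distinct_tex_names(lines).items()}
    return {c: n for c, n in counts.items() if n > threshold}


def constructed_log():
    """Constructed sample: one client walking 30 names, one viewer re-loading 3."""
    fmt = '{ip} - - [01/Jan/2024:10:00:{s:02d} +0000] "GET /filter/tex/pix.php/{h}.gif HTTP/1.1" 200 {size} "-" "-"'
    lines = []
    for i in range(30):
        h = hashlib.md5(f"guess-{i}".encode()).hexdigest()
        lines.append(fmt.format(ip="198.51.100.7", s=i, h=h, size=15))
    for i in range(9):
        h = hashlib.md5(f"formula-{i % 3}".encode()).hexdigest()
        lines.append(fmt.format(ip="192.0.2.10", s=30 + i, h=h, size=1200))
    return lines


if __name__ == "__main__":
    for client, n in flag_enumeration(constructed_log()).items():
        print(f"{client}: {n} distinct TeX image names requested")
```

The count is taken over distinct names rather than response codes, so it does not depend on how the server answers a request for a name that has no image.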

            People

            Assignee:
            Unassigned
            Reporter:
            james.mclean James McLean
            Participants:
            Component watchers:
            Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona), Víctor Déniz Falcón
            Votes:
            0
            Watchers:
            2
