- Bug
- Resolution: Fixed
- Minor
- 3.0.4, 3.1.1, 3.2
- MOODLE_30_STABLE, MOODLE_31_STABLE, MOODLE_32_STABLE
- MOODLE_30_STABLE, MOODLE_31_STABLE
- MDL-55724-master

The trusttest_strip_text function causes an infinite loop if its parameter is not a string (e.g. an array). This has two bad effects:
1. The infinite loop occupies a server CPU until the request hits the PHP time limit.
2. If warnings are enabled, a PHP warning (because of using strcmp on an array) will be output to the server log a large number of times, causing it to balloon in size and potentially fill storage.
As you can see this is quite bad.
I haven't found a way for students to trigger the error, but it is currently possible (and happened on our system) to trigger this error by importing an invalid glossary XML.
Marking 'could be a security issue' as this is an easy way to trigger a server DOS, but it's generally only open to staff, so probably not a big deal. Feel free to un-mark as security issue if appropriate!
We reproduced this on 3.0.4 but it probably applies to all previous Moodle versions back to the time when dinosaurs walked the earth. Edit - I checked and it's from 2006. That's about when stegosaurus was around, right?

- is duplicated by
- MDL-55549 Incorrectly formatted text in XML causes Glossary Import infinite loop
- Closed
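
The failure mode described in the report, as an added PHP example that is not Moodle's code: a "strip until nothing changes" loop that exits on `strcmp(...) === 0`, next to a version that rejects non-strings first. The function names, the `MARKER` value, the pass cap and the sample inputs are all constructed for illustration.

```php
<?php
// Added illustration, not Moodle's code: names and MARKER are hypothetical.
const MARKER = '#####MARKER#####';

// Unguarded pattern: loop until a pass changes nothing.
// $maxpasses exists only so that this demo terminates.
function strip_unguarded($text, int $maxpasses = 5): string {
    for ($pass = 1; $pass <= $maxpasses; $pass++) {
        $orig = $text;
        $text = str_replace(MARKER, '', $text); // array in, array out
        try {
            // PHP 7: strcmp() on arrays warns and returns null, so the
            // strict "=== 0" test never succeeds and the loop never exits.
            if (@strcmp($orig, $text) === 0) {
                return "converged after $pass pass(es)";
            }
        } catch (TypeError $e) {
            // PHP 8 raises TypeError instead of warning.
            return 'TypeError: ' . $e->getMessage();
        }
    }
    return "no convergence after $maxpasses passes (unbounded in real code)";
}

// Guarded pattern: reject non-strings before looping, compare with !==.
function strip_guarded($text): string {
    if (!is_string($text)) {
        throw new InvalidArgumentException('expected string, got ' . gettype($text));
    }
    do {
        $orig = $text;
        $text = str_replace(MARKER, '', $text);
    } while ($orig !== $text);
    return $text;
}

// Constructed inputs: a nested marker (why the loop exists) and an array.
$nested = 'a#####MAR' . MARKER . 'KER#####b';
$notstring = ['x' . MARKER];

echo strip_unguarded($nested), "\n";
echo strip_unguarded($notstring), "\n";
echo strip_guarded($nested), "\n";
try {
    strip_guarded($notstring);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

On PHP 7 the array case reports no convergence, which without the demo's pass cap is the CPU-bound loop and repeated warning described above. Failing fast on the type also surfaces the malformed import to the caller instead of the server log.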