Moodle / MDL-55724

Infinite loop in trusttest_strip_text


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.4, 3.1.1, 3.2
    • Fix Version/s: 3.0.6, 3.1.2
    • Component/s: General, Glossary
    • Labels:
    • Testing Instructions:

      WARNING - THIS TEST MAY KILL YOUR BROWSER (and will also eat server CPU for a bit) if you run it before the issue is fixed.

      1. On a test course, create a new glossary. Type a name but otherwise use default settings.
      2. Go to 'Import glossary entries'
      3. Upload attached evil_glossary.xml (leave other options default)
      4. Submit the form

      EXPECTED: You should get an error message
      BEFORE FIX: There is an infinite loop, so no response from server. If you have debugging enabled, a very large number of PHP notices will appear in your browser or error logs.

    • Affected Branches:
      MOODLE_30_STABLE, MOODLE_31_STABLE, MOODLE_32_STABLE
    • Fixed Branches:
      MOODLE_30_STABLE, MOODLE_31_STABLE
    • Pull Master Branch:
      MDL-55724-master

      Description

      The trusttest_strip_text function causes an infinite loop if its parameter is not a string (e.g. an array). This has two bad effects:

      1. The infinite loop occupies a server CPU until the request hits the PHP time limit
      2. If warnings are enabled, a PHP warning (because of using strcmp on an array) will be output to the server log a large number of times, causing it to balloon in size and potentially fill storage.

      As you can see this is quite bad.

      I haven't found a way for students to trigger the error, but it is currently possible (and happened on our system) to trigger this error by importing an invalid glossary XML.

      Marking 'could be a security issue' as this is an easy way to trigger a server DoS, but it's generally only open to staff, so probably not a big deal. Feel free to un-mark as security issue if appropriate!

      We reproduced this on 3.0.4 but it probably applies to all previous Moodle versions back to the time when dinosaurs walked the earth. Edit - I checked and it's from 2006. That's about when stegosaurus was around, right?
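The description above says the helper loops forever when handed a non-string, with a strcmp() warning logged on every pass. The following is an added illustration, not Moodle's trusttest_strip_text code and not the patch from the linked branch: it reproduces the general loop shape that behaves this way (a "strip until nothing changes" loop whose stop condition relies on strcmp()), and places a guarded version beside it. The function names, the comment marker being stripped, and the iteration bound are all constructed for the example.

```php
<?php
// Added example (hypothetical helper names; not Moodle's own code).

// One stripping pass. preg_replace() accepts arrays as well as strings and
// returns the same type, so an array input flows straight through. The marker
// pattern is constructed for this example.
function strip_one_layer($text) {
    return preg_replace('/<!--\s*trusttext\s*-->/i', '', $text, 1);
}

// BUG PATTERN: "strip until the text stops changing", with strcmp() as the
// stop test. On PHP 5/7 strcmp() given an array emits a warning and returns
// null; null !== 0 holds on every pass, so the loop never terminates and the
// warning is written to the error log each iteration (the log growth the
// issue describes). On PHP 8 the same call throws a TypeError instead.
function strip_text_unguarded($text) {
    do {
        $previous = $text;
        $text = strip_one_layer($text);
    } while (strcmp($text, $previous) !== 0);
    return $text;
}

// GUARDED: fail fast on the wrong type, compare with === so a non-integer
// return can never be mistaken for "still changing", and bound the loop so
// the request cannot spin even if the stripping step misbehaves.
function strip_text_guarded($text, $maxpasses = 100) {
    if (!is_string($text)) {
        // An invalid import should surface as an error, not a hung request.
        throw new InvalidArgumentException(
            'strip_text expects a string, got ' . gettype($text));
    }
    for ($pass = 0; $pass < $maxpasses; $pass++) {
        $previous = $text;
        $text = strip_one_layer($text);
        if ($text === $previous) {
            return $text;          // nothing left to strip
        }
    }
    // Constructed bound reached: report rather than keep consuming CPU.
    throw new RuntimeException('strip_text did not converge after ' . $maxpasses . ' passes');
}

// Constructed sample input: two nested markers, which take two passes to clear.
$sample = '<!-- trusttext --><!-- trusttext -->Hello';
echo strip_text_guarded($sample), "\n";

// The non-string case that hangs the unguarded version is rejected up front.
try {
    strip_text_guarded(array('not', 'a', 'string'));
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The type check is the part that maps onto the issue: an invalid glossary XML yielding an array where a string was expected now produces a single clear error at the call site. The iteration bound is an extra safeguard that is not implied by the report; it simply guarantees the request ends even if a future change to the stripping step reintroduces a non-converging case.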

      Dates

      • Fix Release Date: 12/Sep/16