Moodle / MDL-69282

Calendar allows importing from itself and/or from blocked hosts


    Details

    • Type: Bug
    • Status: Waiting for peer review
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.8.4, 3.9.1, 3.9.6, 3.10.3, 3.11, 4.0
    • Fix Version/s: None
    • Component/s: Calendar
    • Labels:
    • Testing Instructions:

      Testing Scenario 1: Input invalid calendar URL

      1. Login as admin or other user
      2. Navigate to "Calendar / Manage subscriptions"
      3. Fill out the "Calendar name" as "Test"
      4. Choose "Calendar URL" in "Import from"
      5. Fill out the "Calendar URL" as "test"
      6. Click on "Add"

      Expected result (with patch):
      The URL is invalid. Therefore, it should display an "Invalid URL" error message before processing the calendar import.

      Actual result:
      The URL will be processed and after some seconds it throws a "The given iCal URL is invalid." exception.

      Testing Scenario 2: Input blocked calendar URL

      1. Login as admin
      2. Navigate to "Site administration / Security / HTTP security"
      3. Add the following line value "calendar.google.com" to "curlsecurityblockedhosts"
      4. Click on "Save changes"
      5. Navigate to "Calendar / Manage subscriptions"
      6. Fill out the "Calendar name" as "Test"
      7. Choose "Calendar URL" in "Import from"
      8. Fill out the "Calendar URL" as "https://calendar.google.com/calendar/ical/moodle.com_p4c2oe7hsb77ltaro5qtihb5d4@group.calendar.google.com/public/basic.ics"
      9. Click on "Add"

      Expected result (with patch):
      The URL is blocked. Therefore, it should display a "The URL is blocked" error message before processing the calendar import.

      Actual result:
      The URL will be processed and afterwards it throws a "The given iCal URL is invalid." exception, but with no specific information for the user about why it's invalid. Really confusing!

      Testing Scenario 3: Input exported Moodle calendar URL itself

      1. Login as admin or other user
      2. Navigate to "Calendar / Export"
      3. Choose "All events" in "Events to export"
      4. Choose "This week" in "Time period"
      5. Click on "Get calendar URL"
      6. Copy the "Calendar URL" containing your FQDN (e.g. http://localhost:8039/calendar/export_execute.php?userid=X&authtoken=X&preset_what=all&preset_time=weeknow)
      7. Navigate to "Calendar / Manage subscriptions"
      8. Fill out the "Calendar name" as "Test"
      9. Fill out the "Calendar URL" with the previously copied "Calendar URL" from step 6.
      10. Click on "Add"

      Expected result (with patch):
      The URL is itself a Moodle calendar export (Attention: Loop!). Therefore, it should display a "The given URL is not allowed because it is a Moodle export calendar URL." error message before processing the calendar import.

      Actual result:
      The URL will be processed and afterwards it will recreate the same calendar events depending on the "Update interval" setting.
      Attention: When testing on "localhost", the URL will be processed and afterwards it throws a "The given iCal URL is invalid." exception. So the actual result which I mentioned before is reproducible on a production platform.

    • Difficulty:
      Easy
    • Affected Branches:
      MOODLE_310_STABLE, MOODLE_311_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE
    • Pull from Repository:
    • Pull 3.9 Branch:
    • Pull 3.10 Branch:
      MDL-69282_310
    • Pull Master Branch:
      MDL-69282_master

      Description

      We discovered by chance that some students had subscribed to their own Moodle calendar in Moodle itself. This resulted in more than 1000 copies of the same calendar entry for this particular user, as Moodle was importing its own calendar hourly.

      I think this is a missing part of the validation and should not be permitted. Furthermore, I've noticed that you can input just a "word" as the URL and it will not lead to an error in this form validation. It also doesn't check the blocked hosts defined in the HTTP security settings of Moodle.

      This part should be covered as well.
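
The three checks the testing scenarios expect (invalid URL, blocked host, the site's own calendar export), sketched as one validation function. This is an added example, not Moodle's code or the patch from this issue; the function names, the error keys and the simplified blocked-host matching (exact names and `*.` wildcards only) are assumptions.

```php
<?php
// Added illustration, not Moodle code; all function names and error keys are hypothetical.

/** Split an absolute http(s) URL into [host, port, path]; null for anything else. */
function split_http_url(string $url): ?array {
    $p = parse_url(trim($url));
    if (!is_array($p) || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return [strtolower(rtrim($p['host'], '.')), $port, $p['path'] ?? '/'];
}

/** Return null if the URL may be subscribed to, otherwise an error key. */
function check_subscription_url(string $url, string $wwwroot, array $blockedhosts): ?string {
    $target = split_http_url($url);
    if ($target === null) {
        return 'invalidurl';                 // Scenario 1: e.g. the bare word "test"
    }
    [$host, $port, $path] = $target;
    foreach ($blockedhosts as $entry) {      // Assumption: exact names or "*.example.com" only.
        $entry = strtolower(trim($entry));
        $wild = strncmp($entry, '*.', 2) === 0;
        $suffix = substr($entry, 1);         // ".example.com" for a wildcard entry
        if ($entry === $host || ($wild && substr($host, -strlen($suffix)) === $suffix)) {
            return 'urlblocked';             // Scenario 2: host is on the blocked list
        }
    }
    $site = split_http_url($wwwroot);
    $export = $site === null ? null : rtrim($site[2], '/') . '/calendar/export_execute.php';
    if ($site !== null && $site[0] === $host && $site[1] === $port && $path === $export) {
        return 'selfexporturl';              // Scenario 3: would import the site's own export
    }
    return null;
}

// Constructed sample input mirroring the three testing scenarios plus one allowed URL.
$samples = ['test', 'https://calendar.google.com/calendar/ical/x/public/basic.ics',
    'http://localhost:8039/calendar/export_execute.php?userid=X&authtoken=X',
    'https://example.org/feed.ics'];
foreach ($samples as $u) {
    $result = check_subscription_url($u, 'http://localhost:8039', ['calendar.google.com']);
    printf("%-14s %s\n", $result ?? 'ok', $u);
}
```

Checks at form level give the user a specific message before any request is sent; redirects and DNS resolution still have to be handled where the fetch happens.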

            People

            Assignee:
            pead Adrian Perez
            Reporter:
            pead Adrian Perez
            Participants:
            Component watchers:
            Andrew Nicols, Dongsheng Cai, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
            Votes:
            1
            Watchers:
            6

              Dates

              Created:
              Updated:

                Time Tracking

                Estimated: 0m
                Remaining: 0m
                Logged: 1h 15m