Moodle tracker issue MDL-69282

Calendar allows importing from itself

Details

    • Bug
    • Status: Reopened
    • Major
    • Resolution: Unresolved
    • 3.8.4, 3.9.1, 3.9.6, 3.10.3, 3.10.4, 3.11, 4.0
    • None
    • Calendar
    • MOODLE_310_STABLE, MOODLE_311_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE
    • MDL-69282_311
    • MDL-69282_master
    • Easy

      Testing Scenario: Input exported Moodle calendar URL itself

      1. Log in as admin or another user
      2. Navigate to "Calendar / Export"
      3. Choose "All events" in "Events to export"
      4. Choose "This week" in "Time period"
      5. Click on "Get calendar URL"
      6. Copy the "Calendar URL" containing your FQDN (e.g. http://localhost/calendar/export_execute.php?userid=X&authtoken=X&preset_what=all&preset_time=weeknow)
      7. Navigate to "Calendar / Manage subscriptions"
      8. Fill out the "Calendar name" as "Test"
      9. Fill out the "Calendar URL" with the previously copied "Calendar URL" from step 6.
      10. Click on "Add"

      Expected result (with patch):
      The URL is itself a Moodle calendar export (Attention: Loop!). Therefore, it should display a "The given URL blocked." error message before processing the calendar import.

      Actual result:
      The URL will be processed and afterwards it will recreate the same calendar events depending on the "Update interval" setting.

      Attention:

      Testing on "localhost", the URL will be processed and afterwards it throws a "The given iCal URL is invalid." exception. So the actual result which I mentioned before is reproducible on a production platform.


    Description

      We've encountered by chance that some students have subscribed to their own Moodle calendar in Moodle itself. It was resulting in more than 1000 times the same calendar entry for this particular user, as it was hourly importing the Moodle calendar itself into Moodle.

      I think this is a missing part in the validation and should not be permitted. Further, I've noticed that you can input just a "word" as URL and it will not lead to an error in this form validation. And it also doesn't check the blocked hosts defined in the HTTP security settings of Moodle.

      This part should be covered as well.
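The three validation gaps the report lists (a URL that is the site's own calendar export, a bare "word" accepted as a URL, and the HTTP security blocked-hosts list not being consulted) can all be checked before any import runs. The Python below is an added, standalone illustration of such a check, not Moodle's own code: the wwwroot, the blocked-hosts entries and the two error strings are constructed from the issue text, and the export path is the one shown in step 6 of the testing scenario.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed values standing in for the site's wwwroot and for the
# "Blocked hosts list" under Site administration > Security > HTTP security.
SITE_WWWROOT = "https://moodle.example.org"
BLOCKED_HOSTS = ["127.0.0.1", "10.0.0.0/8", "*.internal.example.org"]

EXPORT_PATH = "/calendar/export_execute.php"   # export endpoint from step 6


def host_is_blocked(host, blocked):
    """True if host matches a blocked entry: exact name, IP inside a CIDR
    subnet, or a wildcard such as *.example.org (also matches example.org)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None                      # a hostname, not an IP literal
    for entry in blocked:
        entry = entry.strip().lower()
        if "/" in entry:
            if addr is not None and addr in ipaddress.ip_network(entry, strict=False):
                return True
        elif entry.startswith("*."):
            if host == entry[2:] or host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


def validate_subscription_url(url, wwwroot=SITE_WWWROOT, blocked=BLOCKED_HOSTS):
    """Return None if the URL may be subscribed to, otherwise the error text.
    Order: well-formed http(s) URL, blocked-hosts list, then whether the URL
    is this site's own calendar export (the import loop from the report)."""
    parts = urlparse(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return "The given iCal URL is invalid."      # rejects a bare "word"
    if host_is_blocked(host, blocked):
        return "The given URL blocked."
    site = urlparse(wwwroot)
    site_host = (site.hostname or "").lower()
    site_path = site.path.rstrip("/")
    # Hostname and path only, so http/https variants of our own export URL
    # are both caught; a site served under several hostnames would need
    # each of them compared here.
    if host == site_host and parts.path == site_path + EXPORT_PATH:
        return "The given URL blocked."
    return None
```

Any other path on the site itself (for example a static .ics file) is still accepted, so only the export endpoint that feeds the loop is refused.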

      People

        Unassigned
        Adrian Perez (pead)
        Eloy Lafuente (stronk7)
              David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo