Moodle tracker issue MDL-69282

Calendar allows to import from itself

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Affects versions: 3.8.4, 3.9.1, 3.9.6, 3.10.3, 3.10.4, 3.11, 4.0, 4.1.8, 4.3
    • Component: Calendar
    • Affected branches: MOODLE_310_STABLE, MOODLE_311_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE, MOODLE_401_STABLE, MOODLE_403_STABLE
    • Pull master branch: MDL-69282_master
    • Difficulty: Easy

      Testing Scenario: Input the exported Moodle calendar URL itself

      1. Log in as admin or another user
      2. Navigate to "Calendar / Export"
      3. Choose "All events" in "Events to export"
      4. Choose "This week" in "Time period"
      5. Click on "Get calendar URL"
      6. Copy the "Calendar URL" containing your FQDN (e.g. http://localhost/calendar/export_execute.php?userid=X&authtoken=X&preset_what=all&preset_time=weeknow)
      7. Navigate to "Calendar / Manage subscriptions"
      8. Fill out the "Calendar name" as "Test"
      9. Fill out the "Calendar URL" with the "Calendar URL" copied in step 6.
      10. Click on "Add"

      Expected result (with patch):
      The URL is itself a Moodle calendar export (Attention: Loop!). Therefore, it should display a "The given URL blocked." error message before processing the calendar import.

      Actual result:
      The URL will be processed and afterwards it will recreate the same calendar events, depending on the "Update interval" setting.

      Attention:

      When testing on "localhost", the URL will be processed and afterwards it throws a "The given iCal URL is invalid." exception. So the actual result I mentioned before is reproducible on a production platform.


      We've encountered by chance that some students have subscribed to their own Moodle calendar in Moodle itself. It resulted in more than 1000 copies of the same calendar entry for this particular user, as Moodle was importing its own calendar into Moodle hourly.

      I think this is a missing part of the validation and should not be permitted. Further, I've noticed that you can input just a "word" as the URL and it will not lead to an error in this form validation. And it also doesn't check the blocked hosts defined in the HTTP security settings of Moodle.

      This part should be covered as well.
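      The three validation gaps named above (a subscription URL that points back at the site itself, a bare "word" accepted as a URL, and the admin blocked-hosts list being ignored) can all be caught before any import is attempted. The following is an added illustration written for this page, not Moodle's own code: a stand-alone Python validator modelled on those three checks. The site host, the blocked-hosts entries and the error strings are constructed sample values, and the wildcard/CIDR matching is an assumption about how such a list is interpreted, not a description of Moodle's implementation.

```python
"""Added example: validate a calendar subscription URL before importing it.

Constructed illustration of the checks this issue asks for; not Moodle code.
SITE_HOST, BLOCKED_HOSTS and the returned messages are assumed sample values.
"""
import ipaddress
from typing import List, Optional
from urllib.parse import urlsplit

# Assumed: the host name the Moodle site is served from.
SITE_HOST = "moodle.example.edu"

# Assumed sample of an admin blocked-hosts list: plain host names,
# "*." wildcard entries, single IP addresses and CIDR ranges.
BLOCKED_HOSTS = ["169.254.169.254", "10.0.0.0/8", "*.internal.example"]


def _host_blocked(host: str, blocked: List[str]) -> bool:
    """Return True when host matches any entry of the blocked list."""
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)      # None if host is not an IP literal
    except ValueError:
        addr = None
    for entry in blocked:
        entry = entry.strip().lower()
        if not entry:
            continue
        if entry.startswith("*."):
            # Wildcard entry: matches the bare domain and every subdomain of it.
            base = entry[2:]
            if host == base or host.endswith("." + base):
                return True
        elif "/" in entry and addr is not None:
            # CIDR entry: only meaningful when the host is an IP literal.
            try:
                if addr in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                continue
        elif host == entry:
            return True
    return False


def validate_subscription_url(url: str, site_host: str = SITE_HOST,
                              blocked: List[str] = BLOCKED_HOSTS) -> Optional[str]:
    """Return None when url may be subscribed to, otherwise a short reason.

    1. The value must be an absolute http(s) URL with a host (rejects "word").
    2. The host must not be this site itself, so the site can never subscribe
       to its own export (the loop from the testing scenario above).
    3. The host must not match the blocked-hosts list.
    """
    try:
        parts = urlsplit(url.strip())
        hostname = parts.hostname
    except ValueError:
        return "not a valid http(s) URL"
    if parts.scheme not in ("http", "https") or not hostname:
        return "not a valid http(s) URL"
    host = hostname.lower()
    if host == site_host.lower():
        # Refuse every URL on the site itself, not only the export script path,
        # so an alias or redirect to the export cannot slip through.
        return "URL points to this site itself"
    if _host_blocked(host, blocked):
        return "host is on the blocked hosts list"
    return None


if __name__ == "__main__":
    # The URL from step 6 of the testing scenario, checked against a site
    # served from localhost: it must be refused as a self-import.
    export = ("http://localhost/calendar/export_execute.php"
              "?userid=X&authtoken=X&preset_what=all&preset_time=weeknow")
    for candidate in ("word", export, "http://10.20.30.40/cal.ics",
                      "https://calendar.example.org/feed.ics"):
        print(candidate, "->", validate_subscription_url(candidate, site_host="localhost"))
```

      The self-site check compares only the host, deliberately: matching on the exact export path would leave the loop open to any alias of the same script, and there is no legitimate reason for a site to subscribe to a feed it serves itself.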

      Attachments:
        1. security_result1.png (22 kB, Michael Hawkins)
        2. security_result2.png (13 kB, Michael Hawkins)
        3. security_test1_allowed.png (50 kB, Michael Hawkins)
        4. security_test2_blocked.png (46 kB, Michael Hawkins)

            Assignee: Unassigned
            Reporter: Adrian Perez (pead)
            Eloy Lafuente (stronk7)
            Votes: 17
            Watchers: 23
            Time tracking: original estimate 0m, remaining 0m, logged 3h 14m