Details
- Type: Bug
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: 3.9.2, 3.10
- Component/s: Course
- Labels:
- Testing Instructions:
- Affected Branches: MOODLE_310_STABLE, MOODLE_39_STABLE
- Fixed Branches: MOODLE_310_STABLE, MOODLE_39_STABLE
- Pull from Repository:
- Pull 3.8 Branch: MDL-69431_Moodle_38_Validate_section_arg_modedit
- Pull 3.9 Branch: MDL-69431_Validate_section_arg_modedit
- Pull 3.10 Branch: MDL-69431_Moodle_310_Validate_section_arg_modedit
- Pull Master Branch: MDL-69431-master
- Pull Master Diff URL:
Description
When a user adds a new course module to a course using the module chooser, the URL that creates the new cm (course module) looks like this (in this case adding a book to section 1):
/course/modedit.php?add=book&type=&course=8&section=1&return=0&sr=0
The 'section' argument here is expected to be a section number (e.g. the 3rd topic in the course is section number 3) and not a section id (i.e. the id of the section in the course_sections table which could be a very high value).
At present we do not validate whatever is passed in. So, if the URL carries a very high value (say a section id of 10000 is passed in instead of section number 1), we get undesirable behaviour: lots of empty sections are created in the course.
To avoid this we can check whatever is passed in against the course format's get_max_sections() value, and reject any value exceeding it.
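The check described above, written as an added illustration for this report rather than the attached patch; it assumes Moodle's required_param(), get_course(), course_get_format() and invalid_parameter_exception are available, as they are in the affected branches:

```php
<?php
// Added illustration (not the attached fix): bound the 'section' argument of
// course/modedit.php by the course format's section limit before any section
// is created. The argument is a section NUMBER, not a course_sections.id.
require_once(__DIR__ . '/../config.php');
require_once($CFG->dirroot . '/course/lib.php');

$courseid = required_param('course', PARAM_INT);
$section  = required_param('section', PARAM_INT);

$course      = get_course($courseid);
$format      = course_get_format($course);
$maxsections = $format->get_max_sections();

// Reject anything outside 0..maxsections instead of silently creating
// empty sections up to the supplied value.
if ($section < 0 || $section > $maxsections) {
    throw new invalid_parameter_exception(
        "section {$section} exceeds the format limit of {$maxsections}");
}
```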
It's a minor security issue in that, without the fix, it appears users are given a route to add new sections in excess of the limit the course format provides.
Proposed fix attached