[MDL-69431] Validate the 'section' argument passed into /course/modedit.php - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.9.2, 3.10
Fix Version/s: 3.9.4, 3.10.1
Component/s: Course
Labels:
- triaged

Testing Instructions:
Hide

go into any course as teacher

Click add an activity or resource

Pick anything e.g. page

In the URL, change the section argument to an unusually high value e.g. /course/modedit.php?add=page&type=&course=2&section=4000&return=0&sr=0

Press return so that you the page is now using the new URL param

Complete the form (page title etc)

Submit

Confirm the form will not load and you will get a message like "Cannot create new section as it would exceed the maximum number of sections allowed for this course (52)."
Show
go into any course as teacher Click add an activity or resource Pick anything e.g. page In the URL, change the section argument to an unusually high value e.g. /course/modedit.php?add=page&type=&course=2&section=4000&return=0&sr=0 Press return so that you the page is now using the new URL param Complete the form (page title etc) Submit Confirm the form will not load and you will get a message like " Cannot create new section as it would exceed the maximum number of sections allowed for this course (52). "
Affected Branches:
MOODLE_310_STABLE, MOODLE_39_STABLE
Fixed Branches:
MOODLE_310_STABLE, MOODLE_39_STABLE
Pull from Repository:
git://github.com/watson8/moodle.git
Pull 3.9 Branch:
~~MDL-69431~~_Validate_section_arg_modedit
Pull 3.9 Diff URL:
https://github.com/moodle/moodle/compare/MOODLE_39_STABLE...watson8:MDL-69431_Validate_section_arg_modedit
Pull 3.10 Branch:
~~MDL-69431~~_Moodle_310_Validate_section_arg_modedit
Pull 3.10 Diff URL:
https://github.com/moodle/moodle/compare/MOODLE_310_STABLE...watson8:MDL-69431_Moodle_310_Validate_section_arg_modedit
Pull Master Branch:
~~MDL-69431~~-master
Pull Master Diff URL:
https://github.com/moodle/moodle/compare/master...watson8:MDL-69431-master

Description

When a user adds a new course module to a course using mod chooser, the URL to create the new cm looks like this (in this case adding a book to section 1):

/course/modedit.php?add=book&type=&course=8&section=1&return=0&sr=0

The 'section' argument here is expected to be a section number (e.g. the 3rd topic in the course is section number 3) and not a section id (i.e. the id of the section in the course_sections table which could be a very high value).

At present we do not validate whatever is passed in. So, if the URL includes a very high value (let's say a section id is passed in of 10000, instead of a section number 1) we get undesirable behaviour / create lots of empty sections in course.

To avoid this we can check whatever is passed in against the course format's get_max_sections() value, and reject any value exceeding it.

It's a minor security issue in that, without the fix, it seems users are given a route to add new sections in excess of the limits provided.

Proposed fix attached

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

image-2021-01-13-12-03-25-511.png
13 kB
13/Jan/21 12:03 PM

Activity

People

Assignee:: David Watson

Reporter:: David Watson

Peer reviewer:: Ilya Tregubov

Integrator:: Jake Dallimore

Tester:: Janelle Barcega

Participants:: Amaia Anabitarte, Carlos Escobedo, CiBoT, David Watson, Eloy Lafuente (stronk7), Ilya Tregubov, Jake Dallimore, Janelle Barcega, Tim Hunt

Component watchers:: Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Sara Arjona (@sarjona)

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 07/Aug/20 8:37 PM

Updated:: 19/Jan/21 8:55 PM

Resolved:: 15/Jan/21 4:04 PM

Fix Release Date:: 18/Jan/21

Time Tracking

Estimated:

Remaining:

Logged:

56m