[MDL-69910] A way to infer if a username exists even if $CFG->protectusernames is set - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.10
Fix Version/s: 3.8.6, 3.9.3
Component/s: Calendar
Labels:
- CatalystIT
- ci
- partner
- security_benefit
- triaged

Testing Instructions:

Hide

1) Locate any valid user, eg the admin user and grab its id, eg 2

2) Construct 2 urls with another existing and unrelated username, and one with a non existant username:

/calendar/export_execute.php?authtoken=x&userid=2&username=brendan
/calendar/export_execute.php?authtoken=x&userid=2&username=brendancrap

3) Confirm both should result in the exact same output:

Invalid authentication

Show
1) Locate any valid user, eg the admin user and grab its id, eg 2 2) Construct 2 urls with another existing and unrelated username, and one with a non existant username: /calendar/export_execute.php?authtoken=x&userid=2&username=brendan /calendar/export_execute.php?authtoken=x&userid=2&username=brendancrap 3) Confirm both should result in the exact same output: Invalid authentication
Affected Branches:
MOODLE_310_STABLE
Fixed Branches:
MOODLE_38_STABLE, MOODLE_39_STABLE
Pull from Repository:
https://github.com/brendanheywood/moodle
Pull 3.5 Branch:
~~MDL-69910~~-calendar-protectusername-MOODLE_35_STABLE
Pull 3.5 Diff URL:
https://github.com/moodle/moodle/compare/MOODLE_35_STABLE...brendanheywood:MDL-69910-calendar-protectusername-MOODLE_35_STABLE
Pull 3.8 Branch:
~~MDL-69910~~-calendar-protectusername-MOODLE_38_STABLE
Pull 3.8 Diff URL:
https://github.com/moodle/moodle/compare/MOODLE_38_STABLE...brendanheywood:MDL-69910-calendar-protectusername-MOODLE_38_STABLE
Pull 3.9 Branch:
~~MDL-69910~~-calendar-protectusername-MOODLE_39_STABLE
Pull 3.9 Diff URL:
https://github.com/moodle/moodle/compare/MOODLE_39_STABLE...brendanheywood:MDL-69910-calendar-protectusername-MOODLE_39_STABLE
Pull 3.10 Branch:
~~MDL-69910~~-calendar-protectusername-MOODLE_310_STABLE
Pull 3.10 Diff URL:
https://github.com/moodle/moodle/compare/MOODLE_310_STABLE...brendanheywood:MDL-69910-calendar-protectusername-MOODLE_310_STABLE
Pull Master Branch:
~~MDL-69910~~-calendar-protectusername
Pull Master Diff URL:
https://github.com/moodle/moodle/compare/master...brendanheywood:MDL-69910-calendar-protectusername

Description

Since ~~MDL-68845~~ in 3.10 you can now determine if an account exists even if $CFG->protectusernames is set.

All you need is the valid user id of any unrelated account, it doesn't matter which, and almost all sites have an admin account with id = 2 which is enough, then compare a valid account and invalid account:

http://moodle.local/calendar/export_execute.php?authtoken=x&userid=2&username=brendan

Invalid authentication

http://moodle.local/calendar/export_execute.php?authtoken=x&userid=2&username=brendancrap

Exception - Argument 1 passed to calendar_get_export_token() must be an instance of stdClass, boolean given, called in [dirroot]/calendar/export_execute.php on line 29

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

MDL-69910.jpg
12/Oct/20 2:32 PM
19 kB
Anna Carissa Sadia
MDL-69910-calendar-protectusername.patch
10/Oct/20 4:32 PM
0.7 kB
Brendan Heywood

Issue Links

is a regression caused by

MDL-68845 Create new Web Service for retrieving the user calendar via iCal

Closed

Activity

People

Assignee:: Brendan Heywood

Reporter:: Brendan Heywood

Peer reviewer:: Juan Leyva

Integrator:: Jake Dallimore

Tester:: Anna Carissa Sadia

Participants:: Anna Carissa Sadia, Brendan Heywood, CiBoT, exe, Jake Dallimore, Juan Leyva, Sara Arjona (@sarjona)

Component watchers:: Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 10/Oct/20 4:23 PM

Updated:: 09/Nov/20 5:42 PM

Resolved:: 13/Oct/20 8:15 PM

Fix Release Date:: 9/Nov/20

Time Tracking

Estimated:

Remaining:

Logged:

1h 50m