  1. Moodle
  2. MDL-71167

Replace relative URLs blocked by core Apache ModSecurity rule

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.9.5, 3.11
    • Fix Version/s: 3.11
    • Component/s: SCORM
    • Labels:
    • Testing Instructions:

      Test single Activity course.

      1. Create a new course with settings:
        • Name and shortname: Whatever you want.
        • Course Format > Format > Single activity format
        • Course Format > Type of activity > SCORM package
        • Click 'Save and display'
      2. You should now see the SCORM activity editing page - add a valid SCORM package such as https://github.com/moodle/moodle/raw/master/mod/scorm/tests/packages/singlescobasic.zip
      3. Save and display
      4. You should be redirected correctly to the url:  /mod/scorm/view.php?id=#

      Test normal course behaviour - save and return.

      1. Create a new course with default settings (topics or weekly format)
      2. 'Save and return'.
      3. Once inside the course, 'Turn editing on' and 'Add an activity or resource' to a topic
      4. Select 'SCORM package' and upload a valid SCORM package such as:
        https://github.com/moodle/moodle/raw/master/mod/scorm/tests/packages/singlescobasic.zip
      5. Press 'Save and return to course'
      6. Make sure you are redirected to the course page url /course/view.php?id=#

      Test normal course behaviour - save and display

      1. Create a new course with default settings (topics or weekly format)
      2. 'Save and return'.
      3. Once inside the course, 'Turn editing on' and 'Add an activity or resource' to a topic
      4. Select 'SCORM package' and upload a valid SCORM package such as:
        https://github.com/moodle/moodle/raw/master/mod/scorm/tests/packages/singlescobasic.zip
      5. Press 'Save and display'
      6. Make sure you have been redirected to the SCORM Activity url: /mod/scorm/view.php?id=#
    • Affected Branches:
      MOODLE_311_STABLE, MOODLE_39_STABLE
    • Fixed Branches:
      MOODLE_311_STABLE
    • Pull Master Branch:
      master

      Description

      Use of the ModSecurity Apache module can block the ability to save the edited settings of a SCORM activity. Specifically, use of a relative URL within the submitted form data can be flagged as a 'Path Traversal Attack (/../)'. This is problematic for those who use Moodle under hosting plans which don't allow full control of the ModSecurity configuration.

      The affected file is mod/scorm/mod_form.php lines 316 and 319, which use relative URLs for the 'redirecturl' argument, rather than making use of $CFG->wwwroot. 
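
The false positive described above, as an added example that is not part of the issue or of Moodle's patch: a simplified stand-in for a path-traversal signature is run over constructed form data, first with a relative `redirecturl` and then with one built from the site root. The regex, the hostname, the ids and the sample field values are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Simplified stand-in for a WAF path-traversal signature: a ".." path segment
# delimited by slashes, backslashes or the ends of the string. Assumption: an
# approximation for illustration, not the text of any shipped rule.
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def flagged_fields(form):
    """Return the names of form fields whose decoded value has a '..' segment."""
    hits = []
    for name, value in form.items():
        decoded = unquote(value)  # inspect the URL-decoded argument value
        if TRAVERSAL.search(decoded):
            hits.append(name)
    return hits


def absolute_redirect(wwwroot, path, item_id):
    """Build the redirect target from the site root instead of a relative path."""
    return "{}/{}?id={}".format(wwwroot.rstrip("/"), path.lstrip("/"), item_id)


# Constructed sample data: the hostname, the id and the relative value are
# illustrative and are not copied from mod/scorm/mod_form.php.
WWWROOT = "https://moodle.example.test"
FORM_BEFORE = {
    "name": "Intro SCORM",
    "redirecturl": "../mod/scorm/view.php?id=42",
}
FORM_AFTER = {
    "name": "Intro SCORM",
    "redirecturl": absolute_redirect(WWWROOT, "/mod/scorm/view.php", 42),
}

if __name__ == "__main__":
    print("relative :", flagged_fields(FORM_BEFORE))
    print("absolute :", flagged_fields(FORM_AFTER))
```

The relative value trips the pattern even though it is a legitimate application redirect, which is why the request is rejected before Moodle ever sees it; the root-anchored value carries no `..` segment and passes.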

        Attachments

        1. MDL-71167.png (76 kB)
        2. patch.txt (1 kB)

            People

            Assignee:
            paulphillips Paul Phillips
            Reporter:
            paulphillips Paul Phillips
            Peer reviewer:
            Dan Marsden
            Integrator:
            Jake Dallimore
            Tester:
            Gladys Basiana
            Participants:
            Component watchers:
            Damyon Wiese, Dan Marsden, Matteo Scaramuccia, Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan
            Votes:
            0
            Watchers:
            7

              Dates

              Created:
              Updated:
              Resolved:
              Fix Release Date:
              17/May/21

                Time Tracking

                Estimated:
                Not Specified
                Remaining:
                0m
                Logged:
                1h 20m