[MDL-73427] $SESSION->fromurl is attempted to be changed during READ_ONLY_SESSION sessions - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.11.4
Fix Version/s: 3.11.5
Component/s: Authentication, Forum, Performance
Labels:
- CatalystIT
- ci
- partner

Affected Branches:
MOODLE_311_STABLE
Fixed Branches:
MOODLE_311_STABLE
Pull from Repository:
https://github.com/cameron1729/moodle.git
Pull 3.11 Branch:
~~MDL-73427~~-311
Pull 3.11 Diff URL:
https://github.com/cameron1729/moodle/compare/3105d5bc9f...MDL-73427-311
Pull Main Branch:
~~MDL-73427~~-master
Pull Main Diff URL:
https://github.com/cameron1729/moodle/compare/541d999d27...MDL-73427-master
Testing Instructions:
1. Check that $SESSION->fromurl is not modified anywhere in the moodle codebase

Description

Error logs:

PHP message: Script /lib/ajax/getnavbranch.php?id=xxx&type=xx defined READ_ONLY_SESSION but the following SESSION attributes were changed: $SESSION->fromurl"

Likely root cause is either this:

This exception handling stores stuff in the session:
https://github.com/moodle/moodle/blob/master/lib/setuplib.php#L590-L596

Or this one:
https://github.com/moodle/moodle/blob/master/lib/moodlelib.php#L2728-L2731

There is a grand total of 4 touch points in core around this and honestly I can't see much point to any of it. In all cases the value in $SESSION->fromurl will be the same as get_local_referer from the referrer header, so I don't see any value in storing it in the session and it's just more session churn which will mean it is forced to be rewritten each time for no reason (see ~~MDL-69707~~). In any case relying on the referrer header for anything important is bad, eg under some csp setups there is never a referrer header sent.

lib/setuplib.php-589-

lib/setuplib.php-590- if (empty($link)) {

lib/setuplib.php:591: if (!empty($SESSION->fromurl)) {

lib/setuplib.php:592: $link = $SESSION->fromurl;

lib/setuplib.php:593: unset($SESSION->fromurl);

lib/setuplib.php-594- } else {

lib/setuplib.php-595- $link = $CFG->wwwroot .'/';

--

lib/moodlelib.php-2728- $referer = get_local_referer(false);

lib/moodlelib.php-2729- if (!empty($referer)) {

lib/moodlelib.php:2730: $SESSION->fromurl = $referer;

lib/moodlelib.php-2731- }

lib/moodlelib.php-2732-

--

mod/forum/post.php-161- }

mod/forum/post.php-162-

mod/forum/post.php:163: $SESSION->fromurl = get_local_referer(false);

mod/forum/post.php-164-

mod/forum/post.php-165- // Load up the $post variable.

--

mod/forum/post.php-787-} else if ($mformpost->is_submitted() && !$mformpost->no_submit_button_pressed() && $fromform = $mformpost->get_data()) {

mod/forum/post.php-788-

mod/forum/post.php:789: if (empty($SESSION->fromurl)) {

mod/forum/post.php-790- $errordestination = $urlfactory->get_forum_view_url_from_forum($forumentity);

mod/forum/post.php-791- } else {

mod/forum/post.php:792: $errordestination = $SESSION->fromurl;

mod/forum/post.php-793- }

mod/forum/post.php-794-

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

MDL-73427 testing.png
35 kB
07/Jan/22 5:53 PM

Issue Links

has a non-specific relationship to

MDL-69707 Redis session handler should not write the session if it has not changed

Closed

will help resolve

MDL-58018 Reduce session lock contention with opt-in READ_ONLY_SESSION

Closed

Activity

People

Assignee:: cameron1729

Reporter:: Brendan Heywood

Peer reviewer:: Brendan Heywood

Integrator:: Ilya Tregubov

Tester:: Angelia Dela Cruz

Participants:: Angelia Dela Cruz, Brendan Heywood, cameron1729, CiBoT, Ilya Tregubov

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 21/Dec/21 7:57 AM

Updated:: 11/Jan/22 10:09 PM

Resolved:: 11/Jan/22 10:09 PM

Fix Release Date:: 17/Jan/22

Time Tracking

Estimated:

Not Specified

Remaining:

Logged: