Moodle / MDL-73427

$SESSION->fromurl is attempted to be changed during READ_ONLY_SESSION sessions


Details

    Description

      Error logs:

      PHP message: Script /lib/ajax/getnavbranch.php?id=xxx&type=xx defined READ_ONLY_SESSION but the following SESSION attributes were changed: $SESSION->fromurl"

      Likely root cause is either this:

      This exception handling stores stuff in the session:
      https://github.com/moodle/moodle/blob/master/lib/setuplib.php#L590-L596

      Or this one:
      https://github.com/moodle/moodle/blob/master/lib/moodlelib.php#L2728-L2731

      There is a grand total of 4 touch points in core around this, and honestly I can't see much point to any of it. In all cases the value in $SESSION->fromurl will be the same as get_local_referer from the referrer header, so I don't see any value in storing it in the session, and it's just more session churn, which will mean it is forced to be rewritten each time for no reason (see MDL-69707). In any case, relying on the referrer header for anything important is bad, e.g. under some CSP setups there is never a referrer header sent.

       

      lib/setuplib.php-589-
      lib/setuplib.php-590- if (empty($link)) {
      lib/setuplib.php:591: if (!empty($SESSION->fromurl)) {
      lib/setuplib.php:592: $link = $SESSION->fromurl;
      lib/setuplib.php:593: unset($SESSION->fromurl);
      lib/setuplib.php-594- } else {
      lib/setuplib.php-595- $link = $CFG->wwwroot .'/';
      --
      lib/moodlelib.php-2728- $referer = get_local_referer(false);
      lib/moodlelib.php-2729- if (!empty($referer)) {
      lib/moodlelib.php:2730: $SESSION->fromurl = $referer;
      lib/moodlelib.php-2731- }
      lib/moodlelib.php-2732-
      --
      mod/forum/post.php-161- }
      mod/forum/post.php-162-
      mod/forum/post.php:163: $SESSION->fromurl = get_local_referer(false);
      mod/forum/post.php-164-
      mod/forum/post.php-165- // Load up the $post variable.
      --
      mod/forum/post.php-787-} else if ($mformpost->is_submitted() && !$mformpost->no_submit_button_pressed() && $fromform = $mformpost->get_data()) {
      mod/forum/post.php-788-
      mod/forum/post.php:789: if (empty($SESSION->fromurl)) {
      mod/forum/post.php-790- $errordestination = $urlfactory->get_forum_view_url_from_forum($forumentity);
      mod/forum/post.php-791- } else {
      mod/forum/post.php:792: $errordestination = $SESSION->fromurl;
      mod/forum/post.php-793- }
      mod/forum/post.php-794-
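
The report's argument, as an added example that is not part of the original issue and not Moodle code: the return link can be derived from the request's Referer header alone, with no session write, provided the header is checked to be local and a fallback covers the case where it is never sent. `resolve_return_link()`, its parameters and the sample URLs are hypothetical; Moodle's own `get_local_referer()` is not reproduced here.

```php
<?php
// Added example, not Moodle code. resolve_return_link() is a hypothetical helper.

/**
 * Pick the "go back" link from request data only, so nothing is written to
 * the session and the call is safe on pages that define READ_ONLY_SESSION.
 */
function resolve_return_link(array $server, string $wwwroot): string {
    $fallback = rtrim($wwwroot, '/') . '/';
    $referer  = $server['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        // Header absent (for example under a strict referrer policy).
        return $fallback;
    }
    $ref  = parse_url($referer);
    $root = parse_url($wwwroot);
    if (!is_array($ref) || !is_array($root)) {
        return $fallback;
    }
    // Compare parsed components; a prefix match on the raw string would
    // accept https://moodle.example.test.other.test/ as local.
    foreach (['scheme', 'host', 'port'] as $part) {
        $a = strtolower((string) ($ref[$part] ?? ''));
        $b = strtolower((string) ($root[$part] ?? ''));
        if ($a !== $b) {
            return $fallback;
        }
    }
    // The referring path must sit at or below the site's base path.
    $rootpath = rtrim($root['path'] ?? '', '/') . '/';
    $refpath  = ($ref['path'] ?? '/') . '/';
    if (strncmp($refpath, $rootpath, strlen($rootpath)) !== 0) {
        return $fallback;
    }
    return $referer;
}

// Constructed inputs: a local referer, a look-alike host, and no header at all.
$wwwroot = 'https://moodle.example.test/lms';
$requests = [
    ['HTTP_REFERER' => 'https://moodle.example.test/lms/mod/forum/view.php?id=3'],
    ['HTTP_REFERER' => 'https://moodle.example.test.other.test/lms/'],
    [],
];
foreach ($requests as $server) {
    echo resolve_return_link($server, $wwwroot), PHP_EOL;
}
```

Only the first constructed request keeps its referer; the look-alike host and the request without a header both resolve to the site root.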


            People

              cameron1729
              brendanheywood Brendan Heywood
              Brendan Heywood
              Ilya Tregubov
              Angelia Dela Cruz
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Sujith Haridasan, Andrew Lyons, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Stevani Andolo, Matteo Scaramuccia

              Dates

                Created:
                Updated:
                Resolved:
                17/Jan/22
