
Prevent $USER->ignoresesskey from remaining enabled beyond its intended usage


    • MOODLE_311_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE, MOODLE_401_STABLE
    • MDL-76680/401
    • MDL-76680/master

      This should not break anything; if it did, we would have big problems.

      Setup

      1. A freshly installed Moodle instance.

      Testing 1

      1. Download 76680_1.php to your Moodle root folder.
      2. Open the script in the browser
      3. CONFIRM it outputs 'bool(false) bool(true)' on first access
      4. Reload the page
      5. CONFIRM it outputs 'bool(false) bool(true)' on page reload

      Testing 2

      1. Download and apply the patch 76680.diff to your Moodle instance

        git apply /path/to/76680.diff
        

      2. Login and add or update some calendar entry
      3. Download 76680_2.php to your Moodle root folder and open it in the browser.
      4. CONFIRM that you get the error: "A required parameter (sesskey) was missing"

      Testing 3

      1. Login as admin and create a lesson activity with one page
      2. Download 76680_3.php to your Moodle root folder and open it in your browser.
      3. Rerun 76680_2.php in your browser.
      4. CONFIRM that the "A required parameter (sesskey) was missing" error is shown

      If by any chance some developer used an externallib method that does not wrap $USER->ignoresesskey=true with if (WS_SERVER) in normal code, then it could be carried over to the normal user session, completely disabling CSRF protection.

      I guess it would be better to at least limit it only to the current request by removing it in the session manager at the beginning of the next page request.

      Disaster scenarios:

      1. There is a web service that allows both ajax and WS server access - the developer forgets to use if (WS_SERVER) around the $USER->ignoresesskey=true. Then every ajax request for this method disables CSRF for the rest of the user session.
      2. There is a web service that is allowed in mobile and WS only, and it does not have "if (WS_SERVER)" around $USER->ignoresesskey=true. Another developer calls the external method directly in normal code. Then CSRF is disabled for the rest of the user session.
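      The two scenarios above, as an added Python model that is not Moodle code: a session-persisted flag that short-circuits the sesskey check is set by an ajax call to an unguarded external method, and the next request in the same session is then checked with and without the proposed per-request reset. Session, WS_SERVER, the external method and the session-manager hook are simplified stand-ins.

```python
"""Added model of the MDL-76680 failure mode (not Moodle code): a flag kept in
the persisted user session that disables the sesskey check outlives the request
that set it. Session, WS_SERVER and the external method are stand-ins."""


class Session:
    """Stand-in for Moodle's persisted $USER object."""
    def __init__(self, sesskey):
        self.sesskey = sesskey
        self.ignoresesskey = False


class MissingParam(Exception):
    """Stand-in for 'A required parameter (sesskey) was missing'."""


def confirm_sesskey(user, submitted):
    # The flag short-circuits the check; that is what makes carry-over fatal.
    if user.ignoresesskey:
        return True
    if not submitted:
        raise MissingParam("sesskey")
    return submitted == user.sesskey


def external_method(user, ws_server, guarded):
    # guarded=False models a developer forgetting `if (WS_SERVER)`.
    if guarded and not ws_server:
        return
    user.ignoresesskey = True


def start_request(user, reset_flag):
    # Session-manager hook at the start of each page request; reset_flag=True
    # applies the mitigation proposed above (flag limited to one request).
    if reset_flag:
        user.ignoresesskey = False
    return user


def next_request_protected(guarded, reset_flag):
    """Ajax (non-WS) call to the external method, then a second request in the
    same session with no sesskey. True means that request is still rejected."""
    user = Session(sesskey="constructed-token")  # constructed sample value
    start_request(user, reset_flag)
    external_method(user, ws_server=False, guarded=guarded)
    start_request(user, reset_flag)  # next page request, same session
    try:
        return not confirm_sesskey(user, submitted=None)
    except MissingParam:
        return True
```

      Only the combination of an unguarded method and no per-request reset leaves the second request unprotected; the reset closes the hole even when the guard was forgotten.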

        1. (I) Passed -- (311)MDL-76680.png (18 kB)
        2. (I) Passed -- (39)MDL-76680.png (14 kB)
        3. (I) Passed -- (400)MDL-76680.png (12 kB)
        4. (I) Passed -- (401)MDL-76680.png (14 kB)
        5. (I) Passed -- (Master)MDL-76680.png (13 kB)
        6. (II) Passed -- (311)MDL-76680.png (93 kB)
        7. (II) Passed -- (39)MDL-76680.png (93 kB)
        8. (II) Passed -- (400)MDL-76680.png (77 kB)
        9. (II) Passed -- (401)MDL-76680.png (69 kB)
        10. (II) Passed -- (Master)MDL-76680.png (71 kB)
        11. (III) Passed -- (311)MDL-76680.png (96 kB)
        12. (III) Passed -- (39)MDL-76680.png (97 kB)
        13. (III) Passed -- (400)MDL-76680.png (79 kB)
        14. (III) Passed -- (401)MDL-76680.png (72 kB)
        15. (III) Passed -- (Master)MDL-76680.png (65 kB)
        16. 76680_1.php (0.1 kB)
        17. 76680_2.php (0.1 kB)
        18. 76680_3.php (0.1 kB)
        19. 76680.diff (0.7 kB)

            skodak Petr Skoda
            Farhan Karmali
            Jun Pataleta
            Kim Jared Lucas
            Votes: 1
            Watchers: 7


                Estimated: Not Specified
                Remaining: 0m
                Logged: 1h 40m
