  1. Moodle
  2. MDL-76688

Add \ExplSyntaxOn to latex deny-list to prevent LaTeX3 programming syntax

Details

    • MOODLE_311_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE, MOODLE_401_STABLE
    • MOODLE_311_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE, MOODLE_401_STABLE, MOODLE_402_STABLE
    • MDL-76688/401
    • MDL-76688/402
    • MDL-76688/master

      regression testing only, nothing should change for end users with this patch:

      Setup

      1. log in as admin
      2. install necessary tex binaries
      3. enable TEX filter in site administration
      4. create some forum activity

      Testing

      1. add some equations using tex markup into forum post

        [tex]a+b[/tex]

      2. CONFIRM the equations show correctly
      3. add denied markup with \ExplSyntaxOn

        [tex]d+e \ExplSyntaxOn \ExplSyntaxOff[/tex]
        [tex]d+e \explsyntaxon \ExplSyntaxOff[/tex]

      4. CONFIRM it renders as "forbiddenkeyword"

    Description

      I was looking at the LaTeX injection protection recently and it caught my eye that it is likely possible to use \ExplSyntaxOn in the LaTeX preamble setting to write new LaTeX3 code. I do not think it is exploitable, and even if it was, then maybe only an admin could abuse it.

      In any case, I think it might be better to make the attack surface smaller and add the 'ExplSyntaxOn' string to the $denylist in filter_tex_sanitize_formula().

      Please note I did not actually try to create any code; all I did was copy and paste an example with ExplSyntaxOn into a tex formula in a forum post and inspect the tex file in the temporary directory. The forbidden word was not added to it, which means Moodle most likely allows it.
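
The deny-list change proposed above, as an added example that is not Moodle's own code: a case-insensitive keyword filter run over the three formulas from the testing instructions, once with a list that lacks the new entry and once with it. The function name `example_sanitize_formula()`, the two short lists, and the choice to replace the whole matched keyword are assumptions made for this illustration.

```php
<?php
// Added illustration; not Moodle's filter_tex_sanitize_formula().
// example_sanitize_formula() and both short lists are assumptions.

/**
 * Replace each deny-listed keyword in a TeX formula, ignoring case.
 *
 * @param string   $formula  raw contents of a [tex]...[/tex] block
 * @param string[] $denylist keywords that must not reach the TeX binary
 * @return string  formula with every match replaced by "forbiddenkeyword"
 */
function example_sanitize_formula(string $formula, array $denylist): string {
    if ($denylist === []) {
        // An empty alternation would match at every position; nothing to filter.
        return $formula;
    }
    // preg_quote() escapes the leading backslash and the '/' delimiter, so
    // every entry is matched as a literal string and never as a regex.
    $quoted = array_map(function (string $word): string {
        return preg_quote($word, '/');
    }, $denylist);
    // The 'i' flag makes \explsyntaxon match as well as \ExplSyntaxOn.
    $pattern = '/' . implode('|', $quoted) . '/i';
    return preg_replace($pattern, 'forbiddenkeyword', $formula);
}

// Constructed lists: a few entries standing in for the real $denylist.
$before = ['\def', '\input', '\write'];
$after  = array_merge($before, ['\ExplSyntaxOn']);

// The three formulas from the testing instructions.
$formulas = [
    'a+b',
    'd+e \ExplSyntaxOn \ExplSyntaxOff',
    'd+e \explsyntaxon \ExplSyntaxOff',
];

foreach ($formulas as $formula) {
    printf("input:  %s\n", $formula);
    printf("before: %s\n", example_sanitize_formula($formula, $before));
    printf("after:  %s\n\n", example_sanitize_formula($formula, $after));
}
```

With the shorter list both `\ExplSyntaxOn` variants pass through unchanged, which matches the observation in the description that the forbidden word did not appear in the generated tex file.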

          People

            skodak Petr Skoda (Inactive)
            Farhan Karmali
            Jun Pataleta
            Ron Carl Alfon Yu
              Time Tracking

                Estimated: 0m
                Remaining: 0m
                Logged: 5h 23m