Improvement
Resolution: Fixed
Minor
3.9.19, 3.11.12, 4.0.6, 4.1, 4.1.1
I was looking at the LaTeX injection protection recently, and it caught my eye that it is likely possible to use \ExplSyntaxOn in the LaTeX preamble setting to write new LaTeX3 code. I do not think it is exploitable, and even if it was, then maybe only an admin could abuse it.
In any case I think it might be better to make the attack surface smaller and add the 'ExplSyntaxOn' string to the $denylist in filter_tex_sanitize_formula().
Please note I did not actually try to create any code; all I did was copy-paste some example with ExplSyntaxOn into a TeX formula in a forum post and inspect the tex file in the temporary directory. The forbidden word was not added to it, which means Moodle most likely allows it.
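The check described in the report can be reproduced as a small regression test. The following is an added example, not Moodle's filter_tex_sanitize_formula() and not code from the reporter. The function names, the shortened keyword list, the 'forbiddenkeyword' marker and the sample formula are all assumptions made for the illustration.

```php
<?php
// Added illustration of a denylist-based TeX sanitizer and a pass-through check.
// Not Moodle's code: names, keyword subset and marker are constructed for this example.

/** Replace every denylisted keyword (case-insensitive) with a marker word. */
function sanitize_formula_sketch(string $texexp, array $denylist, string $marker = 'forbiddenkeyword'): string {
    $patterns = array_map(function (string $word): string {
        // preg_quote escapes the backslash in entries such as '\def'.
        return '/' . preg_quote($word, '/') . '/i';
    }, $denylist);

    $result = preg_replace($patterns, $marker, $texexp);
    if ($result === null) {
        // Fail closed: never hand an unsanitized formula to the TeX binary.
        throw new RuntimeException('sanitizer regex failed');
    }
    return $result;
}

/** Return the watched keywords still present after sanitizing (should be empty). */
function surviving_keywords(string $sanitized, array $watchlist): array {
    return array_values(array_filter($watchlist, function (string $word) use ($sanitized): bool {
        return stripos($sanitized, $word) !== false;
    }));
}

// Constructed subset of a denylist, first without and then with the proposed entry.
$before = ['\def', '\write', 'catcode'];
$after  = array_merge($before, ['ExplSyntaxOn']);

// Constructed input: only the bare switch followed by ordinary math, no LaTeX3 code.
$formula = '\ExplSyntaxOn x^2 + y^2';

foreach (['before' => $before, 'after' => $after] as $label => $denylist) {
    $out  = sanitize_formula_sketch($formula, $denylist);
    $left = surviving_keywords($out, ['ExplSyntaxOn']);
    printf(
        "%-6s %-32s %s\n",
        $label,
        $out,
        $left ? 'passes through: ' . implode(', ', $left) : 'blocked'
    );
}
```

Running the same `surviving_keywords()` check against the generated tex file in the temporary directory automates the manual inspection described above.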