  1. Moodle
  2. MDL-76688

Add \ExplSyntaxOn to latex deny-list to prevent LaTeX3 programming syntax


    • MOODLE_311_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE, MOODLE_401_STABLE
    • MOODLE_311_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE, MOODLE_401_STABLE, MOODLE_402_STABLE
    • MDL-76688/401
    • MDL-76688/master

      regression testing only, nothing should change for end users with this patch:

      Setup

      1. log in as admin
      2. install necessary tex binaries
      3. enable TEX filter in site administration
      4. create some forum activity

      Testing

      1. add some equations using tex markup into forum post

        [tex]a+b[/tex]

      2. CONFIRM the equations show correctly
      3. add denied markup with \ExplSyntaxOn

        [tex]d+e \ExplSyntaxOn \ExplSyntaxOff[/tex]
        [tex]d+e \explsyntaxon \ExplSyntaxOff[/tex]

      4. CONFIRM it renders as "forbiddenkeyword"

      I was looking at the LaTeX injection protection recently and it caught my eye that it is likely possible to use \ExplSyntaxOn in the LaTeX preamble setting to write new LaTeX3 code. I do not think it is exploitable, and even if it was, then maybe only an admin could abuse it.

      In any case, I think it might be better to make the attack surface smaller and add the 'ExplSyntaxOn' string to the $denylist in filter_tex_sanitize_formula().

      Please note I did not actually try to create any code; all I did was copy-paste some example with ExplSyntaxOn into a tex formula in a forum post and inspect the tex file in the temporary directory. The forbidden word was not added to it, which means Moodle most likely allows it.

            skodak Petr Skoda
            skodak Petr Skoda
            Farhan Karmali Farhan Karmali
            Jun Pataleta Jun Pataleta
            Ron Carl Alfon Yu Ron Carl Alfon Yu
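The regression check from the testing steps, as an added PHP sketch that is not Moodle's filter_tex_sanitize_formula(). It assumes denied keywords are replaced case-insensitively, in place, with "forbiddenkeyword"; `example_sanitize_formula()` and every deny-list entry other than 'ExplSyntaxOn' are assumptions made for the example.

```php
<?php
// Added illustration; not Moodle's filter_tex_sanitize_formula().
// example_sanitize_formula() and every deny-list entry except
// 'ExplSyntaxOn' are assumptions made for this example.

function example_sanitize_formula(string $formula, array $denylist): string {
    // str_ireplace() matches case-insensitively, so \explsyntaxon is
    // caught by the same entry as \ExplSyntaxOn.
    return str_ireplace($denylist, 'forbiddenkeyword', $formula);
}

$before = ['\\def', '\\write', '\\input'];        // constructed list, entry missing
$after  = array_merge($before, ['ExplSyntaxOn']); // entry proposed in this issue

// Formulas from the testing steps, with the output expected after the change.
// \ExplSyntaxOff does not contain the denied string, so it is left alone.
$cases = [
    'a+b'                              => 'a+b',
    'd+e \ExplSyntaxOn \ExplSyntaxOff' => 'd+e \forbiddenkeyword \ExplSyntaxOff',
    'd+e \explsyntaxon \ExplSyntaxOff' => 'd+e \forbiddenkeyword \ExplSyntaxOff',
];

$failures = 0;
foreach ($cases as $formula => $expected) {
    $old = example_sanitize_formula($formula, $before);
    $new = example_sanitize_formula($formula, $after);
    printf("%s\n  before: %s\n  after:  %s\n", $formula, $old, $new);
    if ($new !== $expected) {
        $failures++; // the sanitized formula differs from the expected text
    }
}

// Non-zero exit status signals a regression to a calling script.
exit($failures === 0 ? 0 : 1);
```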