Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-78522

cohort_get_cohort can bypass context validation if $withcustomfields is true

XMLWordPrintable

    • 3
    • Team Alpha - Sprint 2 I2-2023

      A regression caused by MDL-77130

      Patch coming soon

      Reproduce:

      1. Imaging you have cat1 and cat2 that are siblings
      2. You have course1 that is in cat1
      3. You have a cohort and its context is cat2

      4. cohort_get_cohort($cohort->id, \context_course::instance($course1->id), true);

      1.  Above call result supposed to be false, but it returns cohort info

       
      Its not really exploitable by a user via UI. However it is possible to use API in 3rd party plugin for example to get cohort info where it shouldn't be allowed
       
      It might be reclassified as security benefit issue.

        1. MDL-78522-402.patch
          4 kB
        2. MDL-78522-master.patch
          4 kB

            ilyatregubov Ilya Tregubov
            ilyatregubov Ilya Tregubov
            Kevin Percy Kevin Percy
            Sara Arjona (@sarjona) Sara Arjona (@sarjona)
            CiBoT CiBoT
            Votes:
            1 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - 0 minutes
                0m
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 2 hours
                2h

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.