Moodle 1.9.14/MDL-29033 : dirty magic quotes hack uses hazardous and deprecated casting object

by Pascal Maury -
Number of replies: 3

Hi,

We created a script to create and update courses in Moodle. The script makes use of the Moodle API.
Since Moodle 1.9.14, which includes MDL-29033 (the "dirty magic quotes hack"), the script crashes.
We found that the problem comes from code in lib/dmllib.php (lines :1467 and 1648):

/// Extra protection against SQL injections
foreach((array)$dataobject as $k=>$v) {
   $dataobject->$k = sql_magic_quotes_hack($v);
}

In our script we use private methods and properties in the course and user object. When our object gets in the database the new "magic quotes hack" fails to convert it to array. Casting object to array is very hazardous in PHP and deprecated (http://www.php.net/manual/en/language.types.array.php#language.types.array.casting).
We have patched dmllib to use the "get_object_vars" PHP function instead of a direct cast. This way private properties and methods are handled correctly.

/// Extra protection against SQL injections
$dataobject_array = get_object_vars($dataobject);
foreach($dataobject_array as $k=>$v) {
    $dataobject->$k = sql_magic_quotes_hack($v);
}

What do you think about that?

NB: I cannot access the MDL-29033 page: I get the message "Permission Violation". So I posted my comment here, but maybe it is not the best place?
We found the link to the MDL-29033 page here: http://moodle.org/security/

Pascal

In reply to Pascal Maury

Re: Moodle 1.9.14/MDL-29033 : dirty magic quotes hack uses hazardous and deprecated casting object

by Petr Skoda -
Oh, you should not pass custom objects to the DML layer; that is not going to work well in any Moodle version. Instead please use basic stdClass/object classes without any methods or private/protected properties.

Please create a new issue in the tracker, ideally with patches for both 1.9 and 2.x. It should be relatively easy to fix this, but I would recommend changing your coding style a bit anyway.

Thanks for the report and proposed patch!

Petr
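To make the points raised in the two posts above concrete (the NUL-mangled keys an (array) cast produces for non-public members, why the 1.9.14 loop crashes on them, what the get_object_vars() patch actually changes, and the plain stdClass record Petr recommends), here is an added PHP example. It is not Moodle code and not the poster's patch: quote_value() is a hypothetical stand-in for sql_magic_quotes_hack(), and the Course class is a constructed example of the kind of custom object the script was passing to the DML layer.

```php
<?php
// Added example, not Moodle code. Reproduces the behaviour discussed in the
// thread: the (array) cast used by the 1.9.14 magic-quotes loop, the
// get_object_vars() replacement, and a plain stdClass record instead.

// Hypothetical stand-in for sql_magic_quotes_hack(); Moodle's real function is
// not reproduced here. Assumption: it escapes string values for SQL.
function quote_value($v) {
    return is_string($v) ? addslashes($v) : $v;
}

// A constructed "custom object" of the kind the original script passed in:
// it has protected/private properties and a method.
class Course {
    public $fullname = "Bob's course";
    protected $visible = 1;
    private $sortorder = 7;
    public function save() {}
}

// 1. What (array) does to non-public members: the keys are prefixed with
//    NUL bytes ("\0*\0" for protected, "\0Course\0" for private). NUL is
//    rendered as \000 so the keys are printable.
function cast_keys($obj) {
    return array_map(function ($k) { return addcslashes($k, "\0"); },
                     array_keys((array)$obj));
}

// 2. The 1.9.14 loop written against the cast. Assigning back through
//    $obj->$k with a mangled name is a fatal error on PHP 5 and throws an
//    Error ("Cannot access property starting with \0") on PHP 7+.
function quote_via_cast($obj) {
    foreach ((array)$obj as $k => $v) {
        $obj->$k = quote_value($v);
    }
    return $obj;
}

// 3. The get_object_vars() variant. Called from outside the class (as dmllib
//    would be) it returns only the public properties, so the loop no longer
//    crashes, but protected and private values are skipped, not escaped.
function quote_via_object_vars($obj) {
    foreach (get_object_vars($obj) as $k => $v) {
        $obj->$k = quote_value($v);
    }
    return $obj;
}

// 4. What the DML layer expects: a stdClass carrying only the data fields.
function course_to_record(Course $c) {
    $record = new stdClass();
    $record->fullname = $c->fullname;   // copy the fields explicitly
    return $record;
}

$course = new Course();
print_r(cast_keys($course));            // fullname, \000*\000visible, \000Course\000sortorder

try {
    quote_via_cast(clone $course);
} catch (Error $e) {                    // PHP 7+; on PHP 5 this is a fatal error
    echo "cast loop: ", $e->getMessage(), "\n";
}

$patched = quote_via_object_vars(clone $course);
echo $patched->fullname, "\n";          // Bob\'s course (public field only)

$record = quote_via_object_vars(course_to_record($course));
echo $record->fullname, "\n";           // Bob\'s course
```

The caveat worth checking before adopting the get_object_vars() patch: because it is evaluated from dmllib's scope, it sees only public properties, so the loop stops crashing by leaving non-public values out of the escaping pass (and out of the record the DML layer sees). Building a stdClass from the fields you intend to store makes the data that reaches SQL explicit, which is the point of Petr's advice.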
In reply to Pascal Maury

Re: Moodle 1.9.14/MDL-29033 : dirty magic quotes hack uses hazardous and deprecated casting object

by Eloy Lafuente (stronk7) -

Also, it's planned to completely prevent passing objects (with magic methods) as params ASAP, just in case somebody is relying on such an "ability".

For reference: MDL-29894

Ciao :)

In reply to Eloy Lafuente (stronk7)

Re: Moodle 1.9.14/MDL-29033 : dirty magic quotes hack uses hazardous and deprecated casting object

by Pascal Maury -

Thanks for your answers.

I created the issue: http://tracker.moodle.org/browse/MDL-30480
The MDL-29033 description on http://moodle.org/security/ is only about 1.9:

MSA-11-0038: Database injection protection strengthened
Topic: Magic quotes hardening of 1.9
Severity: Serious
Versions affected: < 1.9.14 (2.x not affected)

I did not find this code in the /lib/dmllib.php file of my Moodle 2.1.2.
OK for the recommendation of changing our coding style a bit!

Thanks

Pascal