Minimal update against MDL-17799?

by Thomas Robb - Wednesday, February 18, 2009, 4:59 PM

My university would like to update whatever files are needed to counter the bug reported in MDL-17799 ( MSA-09-0007: Missing input validation in logs allows...) but merely replacing the file moodle/course/lib.php with the newly updated one doesn't work. Only the header displays with the rest of the page remaining white. What else needs to be replaced to make it work properly? --Or could we make it work by merely adding (or substracting) the changes made to lib,php to counter this security breach?

Re: Minimal update against MDL-17799?

by Petr Skoda - Wednesday, February 18, 2009, 5:43 PM

Random mixing of PHP files from different Moodle versions is definitely not a good idea.
Here is the full commit info with links. I am wondering why not do full upgrade instead of manual patching?

Petr Škoda committed 1 file to 'Moodle CVS' - 08/Jan/09 08:00 AM

~~MDL-17799~~ proper log url sanitisation - big thanks to Full Name hacker

MODIFY

course/lib.php

Rev. 1.637

(+40 -19 lines)

Petr Škoda committed 1 file to 'Moodle CVS' on branch 'MOODLE_19_STABLE' - 08/Jan/09 08:01 AM

~~MDL-17799~~ proper log url sanitisation - big thanks to Full Name hacker

backported from HEAD

MODIFY

course/lib.php

Rev. 1.538.2.67

(+39 -18 lines)

Petr Škoda committed 1 file to 'Moodle CVS' on branch 'MOODLE_18_STABLE' - 08/Jan/09 08:02 AM

~~MDL-17799~~ proper log url sanitisation - big thanks to Full Name hacker

backported from HEAD

MODIFY

course/lib.php

Rev. 1.484.2.35

(+35 -18 lines)

Petr Škoda committed 1 file to 'Moodle CVS' on branch 'MOODLE_17_STABLE' - 08/Jan/09 08:02 AM

~~MDL-17799~~ proper log url sanitisation - big thanks to Full Name hacker

backported from HEAD

MODIFY

course/lib.php

Rev. 1.446.2.15

(+36 -15 lines)

Petr Škoda committed 1 file to 'Moodle CVS' on branch 'MOODLE_16_STABLE' - 08/Jan/09 08:02 AM

~~MDL-17799~~ proper log url sanitisation - big thanks to Full Name hacker

backported from HEAD

MODIFY

course/lib.php

Rev. 1.417.4.4

(+36 -9 lines)

Average of ratings: -

Re: Minimal update against MDL-17799?

by Tim Hunt - Wednesday, February 18, 2009, 5:53 PM

Note that you can always get the changes that were done to fix a but by clicking on the 'Version Control' tab in the tracker, just under the issue description.

(I think that is where Petr copied and pasted from

)

Average of ratings: -

Re: Minimal update against MDL-17799?

by Hubert Chathi - Wednesday, February 18, 2009, 11:07 PM

Except that security bugs are not publicly available. When I go to MDL-17799, I get a:

PERMISSION VIOLATION

ERROR

It seems that you have tried to perform an operation which you are not permitted to perform.

If you think this message is wrong, please consult your administrators about getting the necessary permissions.

(The Version Control tab usually works very well, though)

Average of ratings: -

Re: Minimal update against MDL-17799?

by Tim Hunt - Thursday, February 19, 2009, 12:52 AM

Doh! sorry. It is easy to forget that if you are in the security group.

Ah! That is why Petr often puts direct links to cvs.moodle.org in the security advisories.

Average of ratings: -

Security and privacy

Minimal update against MDL-17799?

PERMISSION VIOLATION