Moodle security patching documentation

by John Grobler -
Number of replies: 3
Good day,

I'm looking for documentation on Moodle security patching. I've tried to apply the patch for MSA-10-0001 (Vulnerability in KSES text cleaning) on a standard Moodle 1.9.7 deployment by downloading the patch file from http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.1349&r2=1.1350 (as per the security announcement workaround link), copying it to my Linux server into moodle/lib and applying it to the code by running: patch -p0 < MSA-10-0001.diff

The results:
patching file weblib.php
Hunk #1 FAILED at 1149.
1 out of 1 hunk FAILED -- saving rejects to file weblib.php.rej

The contents of weblib.php.rej:
***************
*** 1149,1156 ****
* @return string
*/
function fix_non_standard_entities($string) {
- $text = preg_replace('/(&#[0-9]+)(;?)/', '$1;', $string);
- $text = preg_replace('/(&#x[0-9a-fA-F]+)(;?)/', '$1;', $text);
return $text;
}

--- 1149,1156 ----
* @return string
*/
function fix_non_standard_entities($string) {
+ $text = preg_replace('/&#0*([0-9]+);?/', '&#$1;', $string);
+ $text = preg_replace('/&#x0*([0-9a-fA-F]+);?/', '&#x$1;', $text);
return $text;
}
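Review bot: the before/after lines differ in one security-relevant way that any manual back-port must preserve: the old `$text = preg_replace('/(&#[0-9]+)(;?)/', '$1;', $string);` only appends a missing `;`, whereas the new `$text = preg_replace('/&#0*([0-9]+);?/', '&#$1;', $string);` also discards leading zeros, so padded and unpadded spellings of the same numeric entity collapse to a single form (the second line does the same for `&#x` hex entities). The hunk did not fail because its context lines drifted; the rejected context shows a function, `fix_non_standard_entities`, that the target weblib.php does not contain at all, so applying with fuzz or hand-editing these two lines into some other function is not a fix. The patch was evidently generated against a different branch of weblib.php than the one deployed, and the matching change for that branch is what should be applied.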

When looking at the original weblib.php file I do not see the function fix_non_standard_entities mentioned in the provided Moodle patch. Are these patches only applicable to a specific weekly release of Moodle, or should it apply to any Moodle 1.9.7 deployment? My test Moodle version: Moodle 1.9.7 (Build: 20091126).

Thank you,
John Grobler
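To make concrete what the rejected hunk changes, here is an added example (not code from the thread or from Moodle itself) that reimplements both versions of fix_non_standard_entities() in Python with the exact regular expressions from the hunk, translating only PHP's `$1` back-references to Python's `\1`. The sample inputs are constructed; they show that the pre-patch version leaves zero-padded entities as distinct spellings, while the patched version maps every padding of the same code point to one canonical entity, which is what lets a downstream text cleaner compare entities reliably.

```python
import re

# Patterns copied from the two versions of fix_non_standard_entities()
# in the rejected hunk. Replacement strings use Python's \1 where the
# PHP original uses $1.

def fix_non_standard_entities_old(text: str) -> str:
    """Pre-patch behaviour: only append a missing ';' after a numeric entity.
    Leading zeros inside the entity are left untouched."""
    text = re.sub(r'(&#[0-9]+)(;?)', r'\1;', text)
    text = re.sub(r'(&#x[0-9a-fA-F]+)(;?)', r'\1;', text)
    return text


def fix_non_standard_entities_new(text: str) -> str:
    """Post-patch behaviour: append the ';' AND strip leading zeros, so a
    given code point has exactly one spelling after cleaning."""
    text = re.sub(r'&#0*([0-9]+);?', r'&#\1;', text)
    text = re.sub(r'&#x0*([0-9a-fA-F]+);?', r'&#x\1;', text)
    return text


def distinct_forms(cleaner, variants):
    """Run a cleaner over several spellings of the same entity and return
    the set of distinct outputs. A well-behaved canonicaliser yields one."""
    return {cleaner(v) for v in variants}


# Constructed sample inputs: four spellings of the decimal entity for
# code point 60 and three spellings of the hex entity for the same value.
DECIMAL_VARIANTS = ["&#60;", "&#60", "&#060;", "&#0000060"]
HEX_VARIANTS = ["&#x3c;", "&#x03c", "&#x0003c;"]


if __name__ == "__main__":
    for label, cleaner in (("old", fix_non_standard_entities_old),
                           ("new", fix_non_standard_entities_new)):
        print(label, "decimal:", sorted(distinct_forms(cleaner, DECIMAL_VARIANTS)))
        print(label, "hex:    ", sorted(distinct_forms(cleaner, HEX_VARIANTS)))
```

The old cleaner returns three different strings for the decimal variants and three for the hex ones; the new cleaner returns `{'&#60;'}` and `{'&#x3c;'}`, so any allow-list check that runs afterwards sees a single spelling per character. Note that the decimal pattern cannot accidentally consume a hex entity, because `[0-9]+` does not match the `x` that follows `&#`.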
In reply to John Grobler

Re: Moodle security patching documentation

by Tim Hunt -
That is not the right patch. Looking at the version numbers in the URL (r1=1.1349&r2=1.1350), that comes from the main-line of development, not from the 1.9 stable branch.

Where did you get that URL from?
In reply to John Grobler

Re: Moodle security patching documentation

by John Grobler -
Helen: Thanks for the link, our Moodle sites are hosted in a Linux environment and I believe I've used the Linux patch command correctly: patch -p0 < MSA-10-0001.diff (after copying the MSA-10-0001.diff file into the same location as the file to be patched).

Tim: The URL came from the workaround section in the Moodle Security News (http://moodle.org/security/). The page contains bugfix workarounds for most of the security bugs, but does not state to which versions of Moodle these workarounds apply. I understood that one can either apply the solution (by upgrading to Moodle 1.9.8) or implement the workarounds listed. Should I be able to apply the workarounds to my Moodle 1.9x deployments?

Thanks,
John Grobler