Moodle 1.9.14/MDL-29033 : dirty magic quotes hack uses hazardous and deprecated casting object

by Pascal Maury -
Number of replies: 3
Roles: Plugin developers

Hi,

We created a script to create and update courses in Moodle. The script makes use of the Moodle API.
Since Moodle 1.9.14, which includes MDL-29033 (dirty magic quotes hack), the script crashes.
We found that the problem comes from code in lib/dmllib.php (lines 1467 and 1648):

/// Extra protection against SQL injections
foreach((array)$dataobject as $k=>$v) {
   $dataobject->$k = sql_magic_quotes_hack($v);
}

In our script we use private methods and properties in the course and user objects. When our object gets into the database, the new "magic quotes hack" fails to convert it to an array. Casting an object to an array is very hazardous in PHP and deprecated (http://www.php.net/manual/en/language.types.array.php#language.types.array.casting).
We have patched dmllib to use the "get_object_vars" PHP function instead of a direct cast. This way private properties and methods are handled correctly.

/// Extra protection against SQL injections
$dataobject_array = get_object_vars($dataobject);
foreach($dataobject_array as $k=>$v) {
    $dataobject->$k = sql_magic_quotes_hack($v);
}

What do you think about that?

NB: I cannot access the MDL-29033 page: I get the message "Permission Violation". So I posted my comment here, but maybe it is not the best place?
We found the link to the MDL-29033 page here: http://moodle.org/security/

Pascal

Average rating: -
In reply to Pascal Maury

Re: Moodle 1.9.14/MDL-29033 : dirty magic quotes hack uses hazardous and deprecated casting object

by Petr Skoda -
Roles: Core developers, Documentation writers, Peer reviewers, Plugin developers
Oh, you should not pass custom objects to the DML layer; that is not really going to work in any Moodle version. Instead please use basic stdClass/object classes without any methods or private/protected properties.

Please create a new issue in the tracker, ideally with patches for both 1.9 and 2.x. It should be relatively easy to fix this, but I would recommend changing your coding style a bit anyway.

Thanks for the report and proposed patch!

Petr
Average rating: Useful (1)
In reply to Pascal Maury
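An added illustration of the behaviour discussed in the first post and in Petr's reply. It is not Moodle code and not Pascal's script: `quote_value()` is a stand-in for `sql_magic_quotes_hack()` that only models "apply an escaping function to every value", and `my_course` is a hypothetical class with the private/protected members the post describes. It assumes PHP 7 or later so that the failing property write surfaces as a catchable `\Error` rather than the fatal error PHP 5 raised.

```php
<?php
// Added example for this thread; not Moodle's lib/dmllib.php.
// Assumption: PHP 7+, so the bad property write throws \Error instead of a fatal error.

// Stand-in for sql_magic_quotes_hack(): escapes strings, leaves other scalars alone.
// Assumption: the real function does more; only the per-value loop shape matters here.
function quote_value($v) {
    return is_string($v) ? addslashes($v) : $v;
}

// Hypothetical custom course object of the kind described in the original post.
class my_course {
    public    $fullname  = "O'Reilly's course";
    private   $shortname = "oreilly";
    protected $summary   = "it's protected";
    public function save() {}   // methods are never part of the property list below
}

// Keys produced by the (array) cast, with NUL bytes made visible as "\0".
// Private properties come back as "\0ClassName\0prop", protected ones as "\0*\0prop".
function keys_from_cast($obj) {
    return array_map(function ($k) { return str_replace("\0", '\0', $k); },
                     array_keys((array)$obj));
}

// The loop as it stands in Moodle 1.9.14: the public property is rewritten fine,
// then writing back under a NUL-mangled name throws (fatal error on PHP 5).
function magic_quotes_cast($obj) {
    try {
        foreach ((array)$obj as $k => $v) {
            $obj->$k = quote_value($v);
        }
        return 'ok';
    } catch (\Error $e) {
        return 'Error: ' . $e->getMessage();
    }
}

// The patch from the first post. get_object_vars() called from outside the class
// returns only the public properties, so private/protected values are skipped
// (and therefore left unescaped) rather than crashing the script.
function magic_quotes_vars($obj) {
    foreach (get_object_vars($obj) as $k => $v) {
        $obj->$k = quote_value($v);
    }
    return $obj;
}

// What Petr recommends instead: a plain stdClass. Every property is public,
// so both the cast and get_object_vars() see all of them and nothing is skipped.
function make_plain_record() {
    $rec = new stdClass();
    $rec->fullname  = "O'Reilly's course";
    $rec->shortname = "oreilly";
    return $rec;
}

$course = new my_course();
print_r(keys_from_cast($course));
echo magic_quotes_cast($course), "\n";

$patched = magic_quotes_vars(new my_course());
echo $patched->fullname, "\n";

$rec = magic_quotes_vars(make_plain_record());
echo $rec->fullname, ' / ', $rec->shortname, "\n";
```

The point to take from the run is that the two approaches fail differently: the `(array)` cast hands the loop keys it cannot write back, while `get_object_vars()` quietly omits everything that is not public, so a private field still reaches the database unescaped. Only the plain `stdClass` record gets every value through the escaping loop, which is why the replies steer away from custom objects in the DML layer altogether.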

Re: Moodle 1.9.14/MDL-29033 : dirty magic quotes hack uses hazardous and deprecated casting object

by Eloy Lafuente (stronk7) -
Roles: Core developers, Documentation writers, Moodle HQ, Peer reviewers, Plugin developers, Testers

Also, it's planned to completely prevent passing objects (with magic methods) as params ASAP, just in case somebody is relying on such an "ability".

For reference: MDL-29894

Ciao

In reply to Eloy Lafuente (stronk7)

Re: Moodle 1.9.14/MDL-29033 : dirty magic quotes hack uses hazardous and deprecated casting object

by Pascal Maury -
Roles: Plugin developers

Thanks for your answers.

I created the issue: http://tracker.moodle.org/browse/MDL-30480
The MDL-29033 description on http://moodle.org/security/ is only about 1.9:

MSA-11-0038: Database injection protection strengthened
Topic: Magic quotes hardening of 1.9
Severity: Serious
Versions affected: < 1.9.14 (2.x not affected)

I did not find this code in the /lib/dmllib.php file of my Moodle 2.1.2.

OK with the recommendation of changing our coding style a bit!

Thanks

Pascal