Unwanted data should be escaped

by Sunny Adhatrao -
Number of replies: 11

Hi,

Can Moodle escape the unwanted data (special characters) which is entered in the URL by a third person?

To avoid user redirection to a malicious website or perform cross-site scripting attacks.


In reply to Sunny Adhatrao

Re: Unwanted data should be escaped

by Howard Miller -
It does - do you have a specific example of a problem?
In reply to Howard Miller

Re: Unwanted data should be escaped

by Sunny Adhatrao -
Using GET Method
Example

Actual url : /theme/yui_combo.php?2in3/2.9.0/build/yui2-yahoo/yui2-yahoo.min.js&

If the third person enters some text and special characters and modifies the above URL: go+to+ghost+website.com&2in3/2.9.0/build/yui2-yahoo/yui2-yahoo.min.js&

Will it go to the actual URL which is shown, or will it go to the URL modified by the third person?
In reply to Sunny Adhatrao

Re: Unwanted data should be escaped

by Sunny Adhatrao -
From the above example, what I want to ask is: can any URL in Moodle escape unwanted data or special characters?
In reply to Sunny Adhatrao

Re: Unwanted data should be escaped

by Howard Miller -
You'll just get a 404 error because it's not a valid URL. And how would a "third person" modify it?
In reply to Howard Miller

Re: Unwanted data should be escaped

by Sunny Adhatrao -
In reply to Sunny Adhatrao

Re: Unwanted data should be escaped

by Howard Miller -
And the result of that was what?
In reply to Howard Miller

Re: Unwanted data should be escaped

by Sunny Adhatrao -
Hi Howard,

From the above screenshot image, I want to know how the application is processing the requested URL (A non-existing directory or parameter).
In reply to Sunny Adhatrao

Re: Unwanted data should be escaped

by Howard Miller -
Short answer... all input parameters are verified and checked. This is done automatically by the Moodle forms engine (the data type is required for each field) or 'manually' through optional_param() or required_param() calls, which also require a data type. Direct calls to $_GET, $_POST etc. are absolutely forbidden.

For example, in user/editadvanced.php (your example above)... here are the relevant lines from the file...

$id     = optional_param('id', $USER->id, PARAM_INT);    // User id; -1 if creating new user.
$course = optional_param('course', SITEID, PARAM_INT);   // Course id (defaults to Site).
$returnto = optional_param('returnto', null, PARAM_ALPHA);  // Code determining where to return to after save.

The full story is here - https://docs.moodle.org/dev/Security
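
The effect of typed parameter reading on a tampered query string, as an added example that is not Moodle's code: my_clean_param() and my_optional_param() below are simplified stand-ins for Moodle's clean_param() and optional_param(), and the type constants, SITE_ROOT and the query string are all constructed for this illustration.

```php
<?php
// Added example, not Moodle code. A simplified stand-in for Moodle's
// clean_param()/optional_param() showing why injected text in the query
// string never reaches the page as anything but a value of the declared type.
// Assumptions: SITE_ROOT, the T_* constants and both functions are this
// example's own names; Moodle's real types live in lib/moodlelib.php.
const SITE_ROOT  = 'https://moodle.example.org'; // constructed site URL
const T_INT      = 'int';      // stand-in for PARAM_INT
const T_ALPHA    = 'alpha';    // stand-in for PARAM_ALPHA
const T_LOCALURL = 'localurl'; // stand-in for PARAM_LOCALURL

function my_clean_param(string $value, string $type): string|int {
    switch ($type) {
        case T_INT:
            // Only a plain integer survives; anything else collapses to 0.
            return preg_match('/^-?\d+$/', $value) ? (int) $value : 0;
        case T_ALPHA:
            // Letters only: dots, slashes, spaces and punctuation are dropped.
            return preg_replace('/[^a-zA-Z]/', '', $value);
        case T_LOCALURL:
            // A redirect target must be site-relative ('/x', not '//host')
            // or sit under our own root; anything else becomes empty.
            if (str_starts_with($value, '/') && !str_starts_with($value, '//')) {
                return $value;
            }
            return str_starts_with($value, SITE_ROOT . '/') ? $value : '';
        default:
            throw new InvalidArgumentException("unknown type $type");
    }
}

// Typed read with a default, mirroring optional_param($name, $default, $type).
function my_optional_param(array $query, string $name, mixed $default, string $type): mixed {
    if (!array_key_exists($name, $query)) {
        return $default;
    }
    return my_clean_param((string) $query[$name], $type);
}

// Constructed query string modelled on the tampered URL from this thread.
$tampered = 'id=go+to+ghost+website.com&course=7abc&returnto=http://ghost.example/x';
parse_str($tampered, $query); // PHP decodes '+' as a space here

var_dump(my_optional_param($query, 'id', 99, T_INT));
var_dump(my_optional_param($query, 'course', 1, T_INT));
var_dump(my_optional_param($query, 'returnto', null, T_ALPHA));
var_dump(my_optional_param($query, 'returnto', '/', T_LOCALURL));
var_dump(my_optional_param($query, 'missing', 42, T_INT));
```

The injected host name is reduced to 0, to a bare run of letters, or to an empty string depending on the declared type, so it can neither select a record nor serve as a redirect target; a parameter that is absent simply yields the default.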

In reply to Howard Miller

Re: Unwanted data should be escaped

by Sunny Adhatrao -
Hi Howard,

Thank you for your reply.
I want to know whether we can replace optional_param() with required_param()?
In reply to Sunny Adhatrao

Re: Unwanted data should be escaped

by Howard Miller -
I'm not sure how to answer that. You can change it if an 'optional' param becomes 'required'. I'm not sure if you think that makes Moodle more secure - it doesn't.