Details for MSA-21-0030 Insufficient escaping of users' names in account confirmation email?

by Leon Stringer -
Number of replies: 2

I've just had a customer report their custom emailconfirmation lang string doesn't display correctly, presumably because it contains {$a->firstname} which was removed in 3.9.8 for MSA-21-0030.

This announcement (and MDL-72539 and MDL-72538) refers you to MDL-58393 but I can't view that issue. All I can see is the MSA announcement:

Users' names required additional sanitizing in the account confirmation email, to prevent a self-registration phishing risk.

which suggests that, rather than adding appropriate sanitizing, this field was removed, which seems unhelpful from a site admin's perspective.

I'm looking for something I can tell a customer about why this has been removed. Nearly a year after this fix there are no publicly available details about why this was necessary.

Moodle 3.9.10.

In reply to Leon Stringer

Re: Details for MSA-21-0030 Insufficient escaping of users' names in account confirmation email?

by Michael Hawkins -
Hi Leon,

I did not work on MDL-58393 but have just read through its history so I can hopefully elaborate a bit for you. As with many fixes, there were multiple options available to be considered, the main ones in this case being to either formulate a way to sanitize the field, or simply remove it. Multiple solutions including various filtering/obfuscation methods were assessed, but it was determined that the lowest risk and simplest solution was to remove the firstname altogether.
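As an added illustration of the trade-off described above (this is not Moodle's code and not the patch applied for MSA-21-0030), the Python below shows why a user-chosen name placed in a plain-text email needs more than HTML escaping, and how the "omit the field when it cannot be made safe" fallback that Moodle chose can be implemented for a custom template. The rejection heuristics, the `sanitize_name_for_email` / `render_confirmation` function names and the sample names are assumptions constructed for this example.

```python
import re
import unicodedata

# Constructed sample names (not from the thread): one benign value and the
# kinds of content a self-registering user could type into a name field.
SAMPLE_NAMES = {
    "benign": "Leon",
    "url": "Leon, verify at https://login.example/reset now",
    "newline": "Leon\nYour account is locked. Call 0000.",
    "control": "Leon\x07",
}

MAX_NAME_LEN = 60
# Hypothetical heuristic: anything that looks like a link has no place in a name.
URL_RE = re.compile(r"(https?://|www\.|[a-z0-9-]+\.[a-z]{2,}(/|\b))", re.I)


def sanitize_name_for_email(name):
    """Return the name if it is safe to interpolate into a plain-text email,
    otherwise None so the caller omits the field (the option Moodle adopted).

    HTML escaping is irrelevant here: the recipient reads plain text, so the
    concerns are line breaks (an attacker-authored line in the body), control
    and zero-width characters, links, and length."""
    if name is None:
        return None
    name = unicodedata.normalize("NFKC", name).strip()
    if not name or len(name) > MAX_NAME_LEN:
        return None
    # Reject control/format characters (category C*) and line/paragraph
    # separators (Zl, Zp); an ordinary space is the only separator allowed.
    for ch in name:
        if ch != " " and unicodedata.category(ch)[0] in ("C", "Z"):
            return None
    if URL_RE.search(name):
        return None
    return name


def render_confirmation(name, confirm_link):
    """Build the confirmation body; fall back to a neutral greeting when the
    name is not safe, rather than failing or sending it unsanitized."""
    safe = sanitize_name_for_email(name)
    greeting = f"Hi {safe}," if safe else "Hi,"
    return f"{greeting}\n\nPlease confirm your account: {confirm_link}\n"


if __name__ == "__main__":
    for label, value in SAMPLE_NAMES.items():
        print(f"{label}: {sanitize_name_for_email(value)!r}")
```

The list-based rejection above is exactly the kind of filter the post says was assessed: each rule is simple, but every rule is a guess about what a future name field might contain, which is why dropping the interpolation altogether carries the lowest residual risk for a site that does not control its users' names.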
In reply to Michael Hawkins

Re: Details for MSA-21-0030 Insufficient escaping of users' names in account confirmation email?

by Leon Stringer -

Michael, thanks for that clarification. If that was the best option given the potential risk then it makes sense and I can pass it on to the customer.