Bug#682564: unblock: moodle/2.2.3.dfsg-2.2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package moodle
This version fixes the security bug #682203 and the following CVEs:
CVE-2012-3388
CVE-2012-3389
CVE-2012-3393
CVE-2012-3394
CVE-2012-3395
CVE-2012-3396
CVE-2012-3397
This is the changelog entry:
moodle (2.2.3.dfsg-2.2) unstable; urgency=low
* Non-maintainer upload.
* Backport multiple security issues from upstream's MOODLE_22_STABLE
branch. (Closes: #682203)
- MDL-31692 mod_lti - ensure that various mforms are used properly
Fixes CVE-2012-3389
- MDL-33916 Ensure that capabilities are checked for cached user
enrolments
Fixes CVE-2012-3388
-- Didier Raboud <odyx@debian.org> Mon, 23 Jul 2012 19:13:56 +0200
moodle (2.2.3.dfsg-2.1) unstable; urgency=low
* Non-maintainer upload.
* Backport multiple security issues from upstream's MOODLE_22_STABLE
branch (Closes: #682203)
- MDL-33808 - format title on the repository instance screen
- MDL-33808 - incorrect cleaning of repository names
Both patches fix CVE-2012-3393.
- MDL-23254 Authentication : used httpswwwroot as root url during
authentication procedure where $PAGE->https_required() is
specified.
Fix CVE-2012-3394
- MDL-27675 - Feedback module abuses data_submitted
Fix CVE-2012-3395
- MDL-34045 fix invalid idnumber field type in cohort form
Fix CVE-2012-3396
- MDL-33466: Group restriction should hide activity even with 'show
availability' option
Fix CVE-2012-3397
-- Didier Raboud <odyx@debian.org> Fri, 20 Jul 2012 19:52:07 +0200
And, since the only difference is the set of new patches under debian/patches, the patches are attached.
Cheers,
OdyX
unblock moodle/2.2.3.dfsg-2.2
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
0001-MDL-33466-Group-restriction-should-hide-activity-eve.patch
0002-MDL-34045-fix-invalid-idnumber-field-type-in-cohort-.patch
0003-MDL-27675-Feedback-module-abuses-data_submitted.patch
0004-MDL-23254-Authentication-used-httpswwwroot-as-root-u.patch
0005-MDL-33808-incorrect-cleaning-of-repository-names.patch
0006-MDL-33808-format-title-on-the-repository-instance-sc.patch
0007-MDL-31692-mod_lti-ensure-that-various-mforms-are-use.patch
0008-MDL-33916-Ensure-that-capabilities-are-checked-for-c.patch
From f810144610dcb57c7392fb98d578e70a14f26470 Mon Sep 17 00:00:00 2001
From: sam marshall <s.marshall@open.ac.uk>
Date: Sun, 27 May 2012 12:49:10 +0800
Subject: MDL-33466: Group restriction should hide activity even with 'show
availability' option
This is a modified version of fix by Luke Tucker at NetSpot - thanks.
---
lib/modinfolib.php | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/lib/modinfolib.php b/lib/modinfolib.php
index 20ac75c..8a9e6dd 100644
--- a/lib/modinfolib.php
+++ b/lib/modinfolib.php
@@ -994,18 +994,24 @@ class cm_info extends stdClass {
$modcontext = get_context_instance(CONTEXT_MODULE, $this->id);
$userid = $this->modinfo->get_user_id();
$this->uservisible = true;
+ // Check visibility/availability conditions.
if ((!$this->visible or !$this->available) and
!has_capability('moodle/course:viewhiddenactivities', $modcontext, $userid)) {
// If the activity is hidden or unavailable, and you don't have viewhiddenactivities,
- // set it so that user can't see or access it
+ // set it so that user can't see or access it.
$this->uservisible = false;
- } else if (!empty($CFG->enablegroupmembersonly) and !empty($this->groupmembersonly)
+ }
+ // Check group membership. The grouping option makes the activity
+ // completely invisible as it does not apply to the user at all.
+ if (!empty($CFG->enablegroupmembersonly) and !empty($this->groupmembersonly)
and !has_capability('moodle/site:accessallgroups', $modcontext, $userid)) {
// If the activity has 'group members only' and you don't have accessallgroups...
$groups = $this->modinfo->get_groups($this->groupingid);
if (empty($groups)) {
// ...and you don't belong to a group, then set it so you can't see/access it
$this->uservisible = false;
+ // Ensure activity is completely hidden from user.
+ $this->showavailability = 0;
}
}
}
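Review bot: The `$this->showavailability = 0;` override at the end of the group branch should say which disclosure it prevents, since the comment above it only states that the activity is hidden; something like `// With 'show availability' on, the activity name and restriction text would otherwise still be rendered for users outside the grouping; suppress that too.` The ordering also matters now that the group check is no longer an `else if`: a hidden activity the user is not grouped for has both `uservisible` cleared by the first branch and `showavailability` cleared by the second, which is presumably the intent. The enclosing method starts above the hunk.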
--
1.7.10.4
From b0d2db5452a7210d2067d4b40b36d2bfad5a84c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0koda?= <commits@skodak.org>
Date: Sat, 30 Jun 2012 07:50:38 +0200
Subject: MDL-34045 fix invalid idnumber field type in cohort form
---
cohort/edit_form.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cohort/edit_form.php b/cohort/edit_form.php
index 249212c..d449980 100644
--- a/cohort/edit_form.php
+++ b/cohort/edit_form.php
@@ -49,7 +49,7 @@ class cohort_edit_form extends moodleform {
$mform->addElement('select', 'contextid', get_string('context', 'role'), $options);
$mform->addElement('text', 'idnumber', get_string('idnumber', 'cohort'), 'maxlength="254" size="50"');
- $mform->setType('name', PARAM_RAW); // idnumbers are plain text, must not be changed
+ $mform->setType('idnumber', PARAM_RAW); // idnumbers are plain text, must not be changed
$mform->addElement('editor', 'description_editor', get_string('description', 'cohort'), null, $editoroptions);
$mform->setType('description_editor', PARAM_RAW);
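Review bot: After this correction the `name` element has no `setType()` call anywhere in the visible lines, so unless one exists earlier in `definition()` the cohort name is now accepted by formslib without any declared cleaning; add `$mform->setType('name', PARAM_TEXT);` next to its `addElement` if it is not declared above the hunk. Keeping `idnumber` as `PARAM_RAW` is defensible only because the comment says it must be stored verbatim, which in turn means every place that prints a cohort idnumber has to escape it with `s()` at output time.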
--
1.7.10.4
From 80eb0055aed8cefebeddfea88daa19d5fec69715 Mon Sep 17 00:00:00 2001
From: Andreas Grabs <moodle@grabs-edv.de>
Date: Wed, 6 Jun 2012 23:16:54 +0200
Subject: MDL-27675 - Feedback module abuses data_submitted
---
mod/feedback/complete.php | 8 +++-----
mod/feedback/complete_guest.php | 12 +++++-------
mod/feedback/item/captcha/lib.php | 8 ++++++++
mod/feedback/item/feedback_item_class.php | 19 +++++++++++++------
mod/feedback/item/info/lib.php | 8 ++++++++
mod/feedback/item/label/lib.php | 8 ++++++++
mod/feedback/item/multichoice/lib.php | 4 ++++
mod/feedback/item/multichoicerated/lib.php | 7 +++++++
mod/feedback/item/numeric/lib.php | 13 ++++++++++++-
mod/feedback/item/textarea/lib.php | 12 ++++++++++--
mod/feedback/item/textfield/lib.php | 12 ++++++++++--
mod/feedback/lib.php | 11 +++++++++++
12 files changed, 99 insertions(+), 23 deletions(-)
diff --git a/mod/feedback/complete.php b/mod/feedback/complete.php
index 1ccf71e..aebb1ed 100644
--- a/mod/feedback/complete.php
+++ b/mod/feedback/complete.php
@@ -507,11 +507,8 @@ if ($feedback_can_submit) {
//get the value
$frmvaluename = $feedbackitem->typ . '_'. $feedbackitem->id;
if (isset($savereturn)) {
- if (isset($formdata->{$frmvaluename})) {
- $value = $formdata->{$frmvaluename};
- } else {
- $value = null;
- }
+ $value = isset($formdata->{$frmvaluename}) ? $formdata->{$frmvaluename} : null;
+ $value = feedback_clean_input_value($feedbackitem, $value);
} else {
if (isset($feedbackcompletedtmp->id)) {
$value = feedback_get_item_value($feedbackcompletedtmp->id,
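Review bot: `feedback_clean_input_value()` is applied only on the redisplay-after-submit path (`isset($savereturn)`), while the `else` branch reloads the value through `feedback_get_item_value()` and, as far as the following hunk shows, hands it to the same `feedback_print_item_complete()` call. That is safe only if stored values were escaped at save time, which this patch arranges in `create_value()` for new submissions but not for rows written before the upgrade. Either clean on both branches or mark the invariant, e.g. `// Values loaded from the temporary table are trusted to have been escaped by create_value() at save time.` The `foreach` over items begins above the hunk.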
@@ -530,6 +527,7 @@ if ($feedback_can_submit) {
feedback_print_item_complete($feedbackitem, $value, $highlightrequired);
echo $OUTPUT->box_end();
}
+
echo $OUTPUT->box_end();
$lastbreakposition = $feedbackitem->position; //last item-pos (item or pagebreak)
diff --git a/mod/feedback/complete_guest.php b/mod/feedback/complete_guest.php
index 25747a9..b472c09 100644
--- a/mod/feedback/complete_guest.php
+++ b/mod/feedback/complete_guest.php
@@ -72,7 +72,7 @@ if (isset($formdata->sesskey) AND
!isset($formdata->gonextpage) AND
!isset($formdata->gopreviouspage)) {
- $gopage = $formdata->lastpage;
+ $gopage = (int) $formdata->lastpage;
}
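Review bot: The `(int)` cast on `$formdata->lastpage` is the right fix for the page index, but the guard it sits under only tests `isset($formdata->sesskey)`; the presence of a sesskey field is not proof that it matches the session, so unless `confirm_sesskey()` or `require_sesskey()` runs earlier in the script (outside the hunk) a forged POST can drive the guest completion flow. Change the condition to `if (isset($formdata->sesskey) AND confirm_sesskey() AND`. `$formdata` presumably still comes from `data_submitted()` above the hunk, so every other field read from it needs the same explicit cleaning this line received.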
if (isset($formdata->savevalues)) {
$savevalues = true;
@@ -441,13 +441,10 @@ if ($feedback_can_submit) {
echo $OUTPUT->box_start('feedback_item_box_'.$align.$dependstyle);
$value = '';
//get the value
- $frmvaluename = $feedbackitem->typ.'_'.$feedbackitem->id;
+ $frmvaluename = $feedbackitem->typ . '_'. $feedbackitem->id;
if (isset($savereturn)) {
- if (isset($formdata->{$frmvaluename})) {
- $value = $formdata->{$frmvaluename};
- } else {
- $value = null;
- }
+ $value = isset($formdata->{$frmvaluename}) ? $formdata->{$frmvaluename} : null;
+ $value = feedback_clean_input_value($feedbackitem, $value);
} else {
if (isset($feedbackcompletedtmp->id)) {
$value = feedback_get_item_value($feedbackcompletedtmp->id,
@@ -466,6 +463,7 @@ if ($feedback_can_submit) {
feedback_print_item_complete($feedbackitem, $value, $highlightrequired);
echo $OUTPUT->box_end();
}
+
echo $OUTPUT->box_end();
$lastbreakposition = $feedbackitem->position; //last item-pos (item or pagebreak)
diff --git a/mod/feedback/item/captcha/lib.php b/mod/feedback/item/captcha/lib.php
index 126d51e..190b136 100644
--- a/mod/feedback/item/captcha/lib.php
+++ b/mod/feedback/item/captcha/lib.php
@@ -326,4 +326,12 @@ class feedback_item_captcha extends feedback_item_base {
public function can_switch_require() {
return false;
}
+
+ public function value_type() {
+ return PARAM_RAW;
+ }
+
+ function clean_input_value($value) {
+ return clean_param($value, $this->value_type());
+ }
}
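Review bot: `clean_param($value, PARAM_RAW)` is a no-op, so `clean_input_value()` returns the submitted captcha text unchanged; that is acceptable while the value is only compared against the stored challenge, but a comment should say so, e.g. `// PARAM_RAW: the answer is only compared with the challenge, never rendered.` If the entered text is ever echoed back on a failed attempt it must go through `s()` at that point. The method also lacks an explicit `public` unlike `value_type()` directly above it; write `public function clean_input_value($value) {` for consistency with the rest of the class.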
diff --git a/mod/feedback/item/feedback_item_class.php b/mod/feedback/item/feedback_item_class.php
index 981aefd..f325ed7 100644
--- a/mod/feedback/item/feedback_item_class.php
+++ b/mod/feedback/item/feedback_item_class.php
@@ -41,14 +41,11 @@ abstract class feedback_item_base {
return false;
}
- public function value_type() {
- return PARAM_RAW;
- }
-
public function value_is_array() {
return false;
}
+ abstract public function value_type();
abstract public function init();
abstract public function build_editform($item, $feedback, $cm);
abstract public function save_item();
@@ -128,6 +125,14 @@ abstract class feedback_item_base {
*/
abstract public function print_item_show_value($item, $value = '');
+ /**
+ * cleans the userinput while submitting the form
+ *
+ * @param mixed $value
+ * @return mixed
+ */
+ abstract function clean_input_value($value);
+
}
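Review bot: The abstract `clean_input_value($value)` is declared without a visibility keyword while every other abstract method in this class is `abstract public`; declare it `abstract public function clean_input_value($value);` so the contract reads consistently and subclasses cannot narrow it by accident. The docblock could also state the relationship to `value_type()`, e.g. that implementations are expected to apply the PARAM_* constant returned there, since the base default for `value_type()` was removed in the previous hunk.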
//a dummy class to realize pagebreaks
@@ -175,7 +180,9 @@ class feedback_item_pagebreak extends feedback_item_base {
}
public function can_switch_require() {
}
+ public function value_type() {
+ }
+ public function clean_input_value($value) {
+ }
}
-
-
diff --git a/mod/feedback/item/info/lib.php b/mod/feedback/item/info/lib.php
index 870c328..b84a377 100644
--- a/mod/feedback/item/info/lib.php
+++ b/mod/feedback/item/info/lib.php
@@ -388,4 +388,12 @@ class feedback_item_info extends feedback_item_base {
public function can_switch_require() {
return false;
}
+
+ public function value_type() {
+ return PARAM_INT;
+ }
+
+ function clean_input_value($value) {
+ return clean_param($value, $this->value_type());
+ }
}
diff --git a/mod/feedback/item/label/lib.php b/mod/feedback/item/label/lib.php
index 25c62a9..c643b31 100644
--- a/mod/feedback/item/label/lib.php
+++ b/mod/feedback/item/label/lib.php
@@ -270,4 +270,12 @@ class feedback_item_label extends feedback_item_base {
}
public function get_analysed($item, $groupid = false, $courseid = false) {
}
+
+ public function value_type() {
+ return PARAM_BOOL;
+ }
+
+ public function clean_input_value($value) {
+ return '';
+ }
}
diff --git a/mod/feedback/item/multichoice/lib.php b/mod/feedback/item/multichoice/lib.php
index 4c836e0..59d17d7 100644
--- a/mod/feedback/item/multichoice/lib.php
+++ b/mod/feedback/item/multichoice/lib.php
@@ -826,4 +826,8 @@ class feedback_item_multichoice extends feedback_item_base {
public function value_is_array() {
return true;
}
+
+ public function clean_input_value($value) {
+ return clean_param_array($value, $this->value_type());
+ }
}
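Review bot: `clean_input_value()` calls `$this->value_type()`, but this patch makes `value_type()` abstract in `feedback_item_base` and adds nothing but these four lines to `feedback_item_multichoice` (per the diffstat); this only works if the class already defines `value_type()` above the hunk, so please confirm that, otherwise the class becomes uninstantiable. Since `value_is_array()` is true here, a scalar submitted under the same field name reaches `clean_param_array()`; if that helper casts its argument to an array the scalar is tolerated, but a one-line comment recording that expectation would help the next reader.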
diff --git a/mod/feedback/item/multichoicerated/lib.php b/mod/feedback/item/multichoicerated/lib.php
index 050f7eb..65b5f6f 100644
--- a/mod/feedback/item/multichoicerated/lib.php
+++ b/mod/feedback/item/multichoicerated/lib.php
@@ -678,4 +678,11 @@ class feedback_item_multichoicerated extends feedback_item_base {
return true;
}
+ public function value_type() {
+ return PARAM_INT;
+ }
+
+ function clean_input_value($value) {
+ return clean_param($value, $this->value_type());
+ }
}
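Review bot: `function clean_input_value($value)` is declared without a visibility keyword while `value_type()` right above it is `public`; PHP treats the omission as public, but the sibling item classes use explicit visibility, so write `public function clean_input_value($value) {`. With `PARAM_INT` a non-numeric submission is cast to `0` rather than rejected, and whether `0` is a valid option index for a rated choice is not visible here; if it is not, returning `null` for non-numeric input, as the numeric item does in this same patch, would fail closed.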
diff --git a/mod/feedback/item/numeric/lib.php b/mod/feedback/item/numeric/lib.php
index ae19cf9..b7b2067 100644
--- a/mod/feedback/item/numeric/lib.php
+++ b/mod/feedback/item/numeric/lib.php
@@ -364,7 +364,7 @@ class feedback_item_numeric extends feedback_item_base {
'name="'.$item->typ.'_'.$item->id.'" '.
'size="10" '.
'maxlength="10" '.
- 'value="'.($value ? $value : '').'" />';
+ 'value="'.$value.'" />';
echo '</span>';
echo '</div>';
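Review bot: The `value="'.$value.'"` attribute now emits `$value` without any escaping, relying on every caller to have produced a float or `null`; that holds for the redisplay path through the new `clean_input_value()`, but the branch that reloads stored values is outside this patch and is only as safe as what was written to the database. Escaping at output is cheap and cannot double-encode a number, so prefer `'value="'.s($value).'" />'`. The enclosing `print_item_complete()` starts above the hunk.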
@@ -534,4 +534,15 @@ class feedback_item_numeric extends feedback_item_base {
public function can_switch_require() {
return true;
}
+
+ public function value_type() {
+ return PARAM_FLOAT;
+ }
+
+ function clean_input_value($value) {
+ if (!is_numeric($value)) {
+ return null;
+ }
+ return clean_param($value, $this->value_type());
+ }
}
diff --git a/mod/feedback/item/textarea/lib.php b/mod/feedback/item/textarea/lib.php
index e6aaec5..e3c166b 100644
--- a/mod/feedback/item/textarea/lib.php
+++ b/mod/feedback/item/textarea/lib.php
@@ -262,7 +262,7 @@ class feedback_item_textarea extends feedback_item_base {
echo '<textarea name="'.$item->typ.'_'.$item->id.'" '.
'cols="'.$presentation[0].'" '.
'rows="'.$presentation[1].'">';
- echo ($value ? htmlspecialchars($value) : '');
+ echo $value;
echo '</textarea>';
echo '</span>';
echo '</div>';
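Review bot: `echo $value;` inside the `<textarea>` now depends on `$value` having been escaped upstream (by the new `clean_input_value()` for fresh input, or by `create_value()` when stored), which moves escaping away from the one place that knows the output context. A value reaching this method through any other path, including rows stored before this change by the old `clean_text()`-based `create_value()`, is rendered raw, and a `</textarea>` sequence breaks out of the element. The robust pattern is to keep the text raw in `clean_input_value()`/`create_value()` and escape here with `echo s($value);`; if the escape-on-input design is kept, mark the invariant with `// $value is expected to be HTML-escaped already (clean_input_value/create_value).`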
@@ -308,7 +308,7 @@ class feedback_item_textarea extends feedback_item_base {
}
public function create_value($data) {
- $data = clean_text($data);
+ $data = s($data);
return $data;
}
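Review bot: `create_value()` now stores the HTML-escaped form of the answer via `s($data)`, so the database holds `&lt;` and `&amp;` rather than the user's text; every consumer of stored values must honour that, or entity sequences leak into non-HTML outputs such as exports and double-encoding appears wherever `s()` or `format_string()` is applied again at display time. Whether the analysis and export code paths already account for this is not visible in the hunk. A comment such as `// Stored HTML-escaped: callers must print it without escaping again.` would at least make the contract explicit.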
@@ -333,4 +333,12 @@ class feedback_item_textarea extends feedback_item_base {
public function can_switch_require() {
return true;
}
+
+ public function value_type() {
+ return PARAM_RAW;
+ }
+
+ function clean_input_value($value) {
+ return s($value);
+ }
}
diff --git a/mod/feedback/item/textfield/lib.php b/mod/feedback/item/textfield/lib.php
index 083069e..4c07a5f 100644
--- a/mod/feedback/item/textfield/lib.php
+++ b/mod/feedback/item/textfield/lib.php
@@ -252,7 +252,7 @@ class feedback_item_textfield extends feedback_item_base {
'name="'.$item->typ.'_'.$item->id.'" '.
'size="'.$presentation[0].'" '.
'maxlength="'.$presentation[1].'" '.
- 'value="'.($value ? htmlspecialchars($value) : '').'" />';
+ 'value="'.$value.'" />';
echo '</span>';
echo '</div>';
}
@@ -295,7 +295,7 @@ class feedback_item_textfield extends feedback_item_base {
}
public function create_value($data) {
- $data = clean_text($data);
+ $data = s($data);
return $data;
}
@@ -320,4 +320,12 @@ class feedback_item_textfield extends feedback_item_base {
public function can_switch_require() {
return true;
}
+
+ public function value_type() {
+ return PARAM_RAW;
+ }
+
+ function clean_input_value($value) {
+ return s($value);
+ }
}
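Review bot: `s($value)` assumes a scalar, but the field value is read from submitted data under a name the client controls, so a request carrying `textfield_<id>[]=x` hands an array to `s()` and thus to `htmlspecialchars()`, which raises a PHP warning and yields `null` instead of a cleaned string. Guard the type first, e.g. `if (is_array($value)) { return ''; }` at the top of `clean_input_value()`. The method should also carry an explicit `public` like `value_type()` above it.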
diff --git a/mod/feedback/lib.php b/mod/feedback/lib.php
index 19e6425..072d7d2 100644
--- a/mod/feedback/lib.php
+++ b/mod/feedback/lib.php
@@ -2064,6 +2064,17 @@ function feedback_get_page_to_continue($feedbackid, $courseid = false, $guestid
//functions to handle the values
////////////////////////////////////////////////
+/**
+ * cleans the userinput while submitting the form.
+ *
+ * @param mixed $value
+ * @return mixed
+ */
+function feedback_clean_input_value($item, $value) {
+ $itemobj = feedback_get_item_class($item->typ);
+ return $itemobj->clean_input_value($value);
+}
+
/**
* this saves the values of an completed.
* if the param $tmp is set true so the values are saved temporary in table feedback_valuetmp.
--
1.7.10.4
From acaa47c303d8d068629e23d139bc4f209c911eea Mon Sep 17 00:00:00 2001
From: Aparup Banerjee <aparup@moodle.com>
Date: Thu, 28 Jun 2012 15:32:33 +0800
Subject: MDL-23254 Authentication : used httpswwwroot as root url during
authentication procedure where $PAGE->https_required() is
specified.
---
auth/ldap/ntlmsso_attempt.php | 5 +++--
auth/ldap/ntlmsso_magic.php | 3 ++-
auth/shibboleth/login.php | 8 ++++----
3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/auth/ldap/ntlmsso_attempt.php b/auth/ldap/ntlmsso_attempt.php
index 8624b38..69bbd42 100644
--- a/auth/ldap/ntlmsso_attempt.php
+++ b/auth/ldap/ntlmsso_attempt.php
@@ -33,8 +33,9 @@ $PAGE->set_title("$site->fullname: $loginsite");
$PAGE->set_heading($site->fullname);
echo $OUTPUT->header();
+// $PAGE->https_required() up above takes care of what $CFG->httpswwwroot should be.
$msg = '<p>'.get_string('ntlmsso_attempting', 'auth_ldap').'</p>'
. '<img width="1", height="1" '
- . ' src="' . $CFG->wwwroot . '/auth/ldap/ntlmsso_magic.php?sesskey='
+ . ' src="' . $CFG->httpswwwroot . '/auth/ldap/ntlmsso_magic.php?sesskey='
. $sesskey . '" />';
-redirect($CFG->wwwroot . '/auth/ldap/ntlmsso_finish.php', $msg, 3);
+redirect($CFG->httpswwwroot . '/auth/ldap/ntlmsso_finish.php', $msg, 3);
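Review bot: The `'<img width="1", height="1" '` fragment carries a stray comma between the attributes, which is invalid HTML and can cause some parsers to drop `height`; since the line is on the side being shipped it is worth fixing as `. '<img width="1" height="1" '`. Embedding `$sesskey` straight into the `src` attribute is safe only because Moodle session keys are alphanumeric, so a one-line comment to that effect would stop someone later substituting a user-controlled token. The added comment refers to `$PAGE->https_required()` "up above", which is not visible in the hunk; presumably `$CFG->httpswwwroot` differs from `$CFG->wwwroot` only when HTTPS logins are enabled, the case this fix targets.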
diff --git a/auth/ldap/ntlmsso_magic.php b/auth/ldap/ntlmsso_magic.php
index 9c74f87..f7cd208 100644
--- a/auth/ldap/ntlmsso_magic.php
+++ b/auth/ldap/ntlmsso_magic.php
@@ -29,7 +29,8 @@ $file = $CFG->dirroot.'/pix/spacer.gif';
if ($authplugin->ntlmsso_magic($sesskey) && file_exists($file)) {
if (!empty($authplugin->config->ntlmsso_ie_fastpath)) {
if (check_browser_version('MSIE')) {
- redirect($CFG->wwwroot.'/auth/ldap/ntlmsso_finish.php');
+ // $PAGE->https_required() up above takes care of what $CFG->httpswwwroot should be.
+ redirect($CFG->httpswwwroot.'/auth/ldap/ntlmsso_finish.php');
}
}
diff --git a/auth/shibboleth/login.php b/auth/shibboleth/login.php
index 0b635ac..ee3372f 100644
--- a/auth/shibboleth/login.php
+++ b/auth/shibboleth/login.php
@@ -44,17 +44,17 @@ $PAGE->https_required();
// Redirect to SessionInitiator with entityID as argument
if (isset($IdPs[$selectedIdP][1]) && !empty($IdPs[$selectedIdP][1])) {
// For Shibbolet 1.x Service Providers
- header('Location: '.$IdPs[$selectedIdP][1].'?providerId='. urlencode($selectedIdP) .'&target='. urlencode($CFG->wwwroot.'/auth/shibboleth/index.php'));
+ header('Location: '.$IdPs[$selectedIdP][1].'?providerId='. urlencode($selectedIdP) .'&target='. urlencode($CFG->httpswwwroot.'/auth/shibboleth/index.php'));
// For Shibbolet 2.x Service Providers
- // header('Location: '.$IdPs[$selectedIdP][1].'?entityID='. urlencode($selectedIdP) .'&target='. urlencode($CFG->wwwroot.'/auth/shibboleth/index.php'));
+ // header('Location: '.$IdPs[$selectedIdP][1].'?entityID='. urlencode($selectedIdP) .'&target='. urlencode($CFG->httpswwwroot.'/auth/shibboleth/index.php'));
} else {
// For Shibbolet 1.x Service Providers
- header('Location: /Shibboleth.sso?providerId='. urlencode($selectedIdP) .'&target='. urlencode($CFG->wwwroot.'/auth/shibboleth/index.php'));
+ header('Location: /Shibboleth.sso?providerId='. urlencode($selectedIdP) .'&target='. urlencode($CFG->httpswwwroot.'/auth/shibboleth/index.php'));
// For Shibboleth 2.x Service Providers
- // header('Location: /Shibboleth.sso/DS?entityID='. urlencode($selectedIdP) .'&target='. urlencode($CFG->wwwroot.'/auth/shibboleth/index.php'));
+ // header('Location: /Shibboleth.sso/DS?entityID='. urlencode($selectedIdP) .'&target='. urlencode($CFG->httpswwwroot.'/auth/shibboleth/index.php'));
}
} elseif (isset($_POST['idp']) && !isset($IdPs[$_POST['idp']])) {
$errormsg = get_string('auth_shibboleth_errormsg', 'auth_shibboleth');
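Review bot: The `header('Location: ...')` calls in both branches are not followed by an `exit` within the hunk, so unless the script terminates right afterwards (outside the visible lines) PHP keeps executing and emits the rest of the login page behind the redirect. Moodle's `redirect($url)` helper sends the header and exits, and would also make the switch to `$CFG->httpswwwroot` uniform with the LDAP files in this same patch. The `$IdPs[$selectedIdP][1]` value used as the redirect target appears to come from administrator configuration rather than the request, which is why a raw `Location` header is tolerable here; a comment stating that assumption would help.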
--
1.7.10.4
From acaa47c303d8d068629e23d139bc4f209c911eea Mon Sep 17 00:00:00 2001
From: Aparup Banerjee <aparup@moodle.com>
Date: Thu, 28 Jun 2012 15:32:33 +0800
Subject: MDL-23254 Authentication : used httpswwwroot as root url during
authentication procedure where $PAGE->https_required() is
specified.
---
auth/ldap/ntlmsso_attempt.php | 5 +++--
auth/ldap/ntlmsso_magic.php | 3 ++-
auth/shibboleth/login.php | 8 ++++----
3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/auth/ldap/ntlmsso_attempt.php b/auth/ldap/ntlmsso_attempt.php
index 8624b38..69bbd42 100644
--- a/auth/ldap/ntlmsso_attempt.php
+++ b/auth/ldap/ntlmsso_attempt.php
@@ -33,8 +33,9 @@ $PAGE->set_title("$site->fullname: $loginsite");
$PAGE->set_heading($site->fullname);
echo $OUTPUT->header();
+// $PAGE->https_required() up above takes care of what $CFG->httpswwwroot should be.
$msg = '<p>'.get_string('ntlmsso_attempting', 'auth_ldap').'</p>'
. '<img width="1", height="1" '
- . ' src="' . $CFG->wwwroot . '/auth/ldap/ntlmsso_magic.php?sesskey='
+ . ' src="' . $CFG->httpswwwroot . '/auth/ldap/ntlmsso_magic.php?sesskey='
. $sesskey . '" />';
-redirect($CFG->wwwroot . '/auth/ldap/ntlmsso_finish.php', $msg, 3);
+redirect($CFG->httpswwwroot . '/auth/ldap/ntlmsso_finish.php', $msg, 3);
diff --git a/auth/ldap/ntlmsso_magic.php b/auth/ldap/ntlmsso_magic.php
index 9c74f87..f7cd208 100644
--- a/auth/ldap/ntlmsso_magic.php
+++ b/auth/ldap/ntlmsso_magic.php
@@ -29,7 +29,8 @@ $file = $CFG->dirroot.'/pix/spacer.gif';
if ($authplugin->ntlmsso_magic($sesskey) && file_exists($file)) {
if (!empty($authplugin->config->ntlmsso_ie_fastpath)) {
if (check_browser_version('MSIE')) {
- redirect($CFG->wwwroot.'/auth/ldap/ntlmsso_finish.php');
+ // $PAGE->https_required() up above takes care of what $CFG->httpswwwroot should be.
+ redirect($CFG->httpswwwroot.'/auth/ldap/ntlmsso_finish.php');
}
}
diff --git a/auth/shibboleth/login.php b/auth/shibboleth/login.php
index 0b635ac..ee3372f 100644
--- a/auth/shibboleth/login.php
+++ b/auth/shibboleth/login.php
@@ -44,17 +44,17 @@ $PAGE->https_required();
// Redirect to SessionInitiator with entityID as argument
if (isset($IdPs[$selectedIdP][1]) && !empty($IdPs[$selectedIdP][1])) {
// For Shibbolet 1.x Service Providers
- header('Location: '.$IdPs[$selectedIdP][1].'?providerId='. urlencode($selectedIdP) .'&target='. urlencode($CFG->wwwroot.'/auth/shibboleth/index.php'));
+ header('Location: '.$IdPs[$selectedIdP][1].'?providerId='. urlencode($selectedIdP) .'&target='. urlencode($CFG->httpswwwroot.'/auth/shibboleth/index.php'));
// For Shibbolet 2.x Service Providers
- // header('Location: '.$IdPs[$selectedIdP][1].'?entityID='. urlencode($selectedIdP) .'&target='. urlencode($CFG->wwwroot.'/auth/shibboleth/index.php'));
+ // header('Location: '.$IdPs[$selectedIdP][1].'?entityID='. urlencode($selectedIdP) .'&target='. urlencode($CFG->httpswwwroot.'/auth/shibboleth/index.php'));
} else {
// For Shibbolet 1.x Service Providers
- header('Location: /Shibboleth.sso?providerId='. urlencode($selectedIdP) .'&target='. urlencode($CFG->wwwroot.'/auth/shibboleth/index.php'));
+ header('Location: /Shibboleth.sso?providerId='. urlencode($selectedIdP) .'&target='. urlencode($CFG->httpswwwroot.'/auth/shibboleth/index.php'));
// For Shibboleth 2.x Service Providers
- // header('Location: /Shibboleth.sso/DS?entityID='. urlencode($selectedIdP) .'&target='. urlencode($CFG->wwwroot.'/auth/shibboleth/index.php'));
+ // header('Location: /Shibboleth.sso/DS?entityID='. urlencode($selectedIdP) .'&target='. urlencode($CFG->httpswwwroot.'/auth/shibboleth/index.php'));
}
} elseif (isset($_POST['idp']) && !isset($IdPs[$_POST['idp']])) {
$errormsg = get_string('auth_shibboleth_errormsg', 'auth_shibboleth');
--
1.7.10.4
From f0a7254635f6be0fda60df372a4a174d8eac13f2 Mon Sep 17 00:00:00 2001
From: Dan Poltawski <dan@moodle.com>
Date: Tue, 19 Jun 2012 11:20:21 +0800
Subject: MDL-33808 - incorrect cleaning of repository names
---
repository/lib.php | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/repository/lib.php b/repository/lib.php
index eae6072..3c10b43 100644
--- a/repository/lib.php
+++ b/repository/lib.php
@@ -1450,7 +1450,7 @@ abstract class repository {
$ft = new filetype_parser;
$meta = new stdClass();
$meta->id = $this->id;
- $meta->name = $this->get_name();
+ $meta->name = format_string($this->get_name());
$meta->type = $this->options['type'];
$meta->icon = $OUTPUT->pix_url('icon', 'repository_'.$meta->type)->out(false);
$meta->supported_types = $ft->get_extensions($this->supported_filetypes());
@@ -1762,6 +1762,7 @@ abstract class repository {
// it can be empty, then moodle will look for instance name from language string
$mform->addElement('text', 'pluginname', get_string('pluginname', 'repository'), array('size' => '40'));
$mform->addElement('static', 'pluginnamehelp', '', get_string('pluginnamehelp', 'repository'));
+ $mform->setType('pluginname', PARAM_TEXT);
}
}
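Review bot: `PARAM_TEXT` is the right type for `pluginname`, but it still admits the multilang `<span lang="..." class="multilang">` markup that Moodle's text filters consume, so the value is not plain text and every display site must wrap it in `format_string()` rather than `s()`; the instance-list hunk in the companion MDL-33808 patch does that, but other callers of the repository name are not visible here. A short comment next to the call, e.g. `// PARAM_TEXT: multilang spans allowed, always display via format_string().`, would make the requirement explicit.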
@@ -1904,6 +1905,7 @@ final class repository_instance_form extends moodleform {
$mform->addElement('text', 'name', get_string('name'), 'maxlength="100" size="30"');
$mform->addRule('name', $strrequired, 'required', null, 'client');
+ $mform->setType('name', PARAM_TEXT);
}
public function definition() {
--
1.7.10.4
From 0d05091c189c861f809fda3974f22d329c5cff00 Mon Sep 17 00:00:00 2001
From: Dan Poltawski <dan@moodle.com>
Date: Tue, 19 Jun 2012 12:07:46 +0800
Subject: MDL-33808 - format title on the repository instance screen
---
repository/lib.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/repository/lib.php b/repository/lib.php
index 3c10b43..d900a78 100644
--- a/repository/lib.php
+++ b/repository/lib.php
@@ -1253,7 +1253,7 @@ abstract class repository {
}
$type = repository::get_type_by_id($i->options['typeid']);
- $table->data[] = array($i->name, $type->get_readablename(), $settings, $delete);
+ $table->data[] = array(format_string($i->name), $type->get_readablename(), $settings, $delete);
//display a grey row if the type is defined as not visible
if (isset($type) && !$type->get_visible()) {
--
1.7.10.4
From 1d161e6802bc352c38014f59ed6eb4f63f860378 Mon Sep 17 00:00:00 2001
From: Dan Poltawski <dan@moodle.com>
Date: Fri, 22 Jun 2012 14:42:20 +0800
Subject: [PATCH 7/8] MDL-31692 mod_lti - ensure that various mforms are used
properly
* typesettings.php and instructor_edit_tool_type.php are tided
up properly to ensure proper use for form data
* An incorrect PARAM type is corrected for typename
---
mod/lti/edit_form.php | 2 +-
mod/lti/instructor_edit_tool_type.php | 9 +--
mod/lti/typessettings.php | 131 ++++++++-------------------------
3 files changed, 34 insertions(+), 108 deletions(-)
diff --git a/mod/lti/edit_form.php b/mod/lti/edit_form.php
index 3cf2ef8..fec78ee 100644
--- a/mod/lti/edit_form.php
+++ b/mod/lti/edit_form.php
@@ -62,7 +62,7 @@ class mod_lti_edit_types_form extends moodleform{
$mform->addElement('header', 'setup', get_string('tool_settings', 'lti'));
$mform->addElement('text', 'lti_typename', get_string('typename', 'lti'));
- $mform->setType('lti_typename', PARAM_INT);
+ $mform->setType('lti_typename', PARAM_TEXT);
$mform->addHelpButton('lti_typename', 'typename', 'lti');
$mform->addRule('lti_typename', null, 'required', null, 'client');
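Review bot: Changing `lti_typename` to `PARAM_TEXT` fixes the cast that turned every typed name into an integer, but `PARAM_TEXT` still allows multilang span markup, so the tool name must be printed via `format_string()` wherever it appears; whether the tool listings already do so is outside this hunk. A comment such as `// PARAM_TEXT (not PARAM_INT): the name is free text and must be shown via format_string().` would record both the fix and the output requirement.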
diff --git a/mod/lti/instructor_edit_tool_type.php b/mod/lti/instructor_edit_tool_type.php
index b0fe496..c65b3f4 100644
--- a/mod/lti/instructor_edit_tool_type.php
+++ b/mod/lti/instructor_edit_tool_type.php
@@ -47,9 +47,8 @@ if (!empty($typeid)) {
}
}
-$data = data_submitted();
-
-if (isset($data->submitbutton) && confirm_sesskey()) {
+$form = new mod_lti_edit_types_form();
+if ($data = $form->get_data()) {
$type = new stdClass();
if (!empty($typeid)) {
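Review bot: Replacing `data_submitted()` plus an explicit `confirm_sesskey()` with `$form->get_data()` is correct, but the sesskey check is now implicit in formslib's submission processing and easy to lose sight of in the next refactor; add `// get_data() only returns data for a submitted, validated form; formslib verifies the sesskey.` above the `if`. The capability check restricting who may edit tool types for a course must still run before this point; it is not visible in the hunk.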
@@ -96,7 +95,7 @@ if (isset($data->submitbutton) && confirm_sesskey()) {
die;
}
-} else if (isset($data->cancel)) {
+} else if ($form->is_cancelled()) {
$script = "
<html>
<script type=\"text/javascript\">
@@ -120,10 +119,8 @@ echo $OUTPUT->header();
echo $OUTPUT->heading(get_string('toolsetup', 'lti'));
if ($action == 'add') {
- $form = new mod_lti_edit_types_form();
$form->display();
} else if ($action == 'edit') {
- $form = new mod_lti_edit_types_form();
$type = lti_get_type_type_config($typeid);
$form->set_data($type);
$form->display();
diff --git a/mod/lti/typessettings.php b/mod/lti/typessettings.php
index d6d2d18..f88cb5e 100644
--- a/mod/lti/typessettings.php
+++ b/mod/lti/typessettings.php
@@ -53,41 +53,42 @@ require_once($CFG->libdir.'/adminlib.php');
require_once($CFG->dirroot.'/mod/lti/edit_form.php');
require_once($CFG->dirroot.'/mod/lti/locallib.php');
-$section = 'modsettinglti';
-$return = optional_param('return', '', PARAM_ALPHA);
-$adminediting = optional_param('adminedit', -1, PARAM_BOOL);
$action = optional_param('action', null, PARAM_ACTION);
$id = optional_param('id', null, PARAM_INT);
-$useexisting = optional_param('useexisting', null, PARAM_INT);
-$definenew = optional_param('definenew', null, PARAM_INT);
+$tab = optional_param('tab', '', PARAM_ALPHAEXT);
// no guest autologin
require_login(0, false);
+
$pageurl = new moodle_url('/mod/lti/typessettings.php');
+if (!empty($id)) {
+ $pageurl->param('id', $id);
+}
$PAGE->set_url($pageurl);
admin_externalpage_setup('managemodules'); // Hacky solution for printing the admin page
-$tab = optional_param('tab', '', PARAM_ALPHAEXT);
$redirect = "$CFG->wwwroot/$CFG->admin/settings.php?section=modsettinglti&tab={$tab}";
-// WRITING SUBMITTED DATA (IF ANY)
-
-$statusmsg = '';
-$errormsg = '';
-$focus = '';
+require_sesskey();
-$data = data_submitted();
-
-// Any posted data & any action
-if (!empty($data) || !empty($action)) {
- require_sesskey();
+if ($action == 'accept') {
+ lti_set_state_for_type($id, LTI_TOOL_STATE_CONFIGURED);
+ redirect($redirect);
+} else if ($action == 'reject') {
+ lti_set_state_for_type($id, LTI_TOOL_STATE_REJECTED);
+ redirect($redirect);
+} else if ($action == 'delete') {
+ lti_delete_type($id);
+ redirect($redirect);
}
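Review bot: The `accept`, `reject` and `delete` branches pass `$id` to `lti_set_state_for_type()` / `lti_delete_type()` even when `optional_param('id', null, PARAM_INT)` yielded `null`, and nothing here verifies that the id refers to an existing tool type; unless those helpers validate their argument, a request with `action=delete` and no id reaches the database layer with a null key. Read the id with `$id = required_param('id', PARAM_INT);` inside those branches, or reject an empty `$id` before dispatching. Making `require_sesskey()` unconditional is an improvement for these state-changing GET actions, though it also means every plain link into this page, including the "add" entry point, must now carry a sesskey.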
-if (isset($data->submitbutton)) {
+$form = new mod_lti_edit_types_form($pageurl, (object)array('isadmin' => true));
+
+if ($data = $form->get_data()) {
$type = new stdClass();
- if (isset($id)) {
+ if (!empty($id)) {
$type->id = $id;
lti_update_type($type, $data);
@@ -100,94 +101,22 @@ if (isset($data->submitbutton)) {
redirect($redirect);
}
-
-} else if (isset($data->cancel)) {
- redirect($redirect);
-
-} else if ($action == 'accept') {
- lti_set_state_for_type($id, LTI_TOOL_STATE_CONFIGURED);
- redirect($redirect);
-
-} else if ($action == 'reject') {
- lti_set_state_for_type($id, LTI_TOOL_STATE_REJECTED);
- redirect($redirect);
-
-} else if ($action == 'delete') {
- lti_delete_type($id);
+} else if ($form->is_cancelled()) {
redirect($redirect);
}
-// print header stuff
-$PAGE->set_focuscontrol($focus);
-if (empty($SITE->fullname)) {
- $PAGE->set_title($settingspage->visiblename);
- $PAGE->set_heading($settingspage->visiblename);
-
- $PAGE->navbar->add(get_string('lti_administration', 'lti'), $CFG->wwwroot.'/admin/settings.php?section=modsettinglti');
-
- echo $OUTPUT->header();
-
- echo $OUTPUT->box(get_string('configintrosite', 'admin'));
-
- if ($errormsg !== '') {
- echo $OUTPUT->notification($errormsg);
-
- } else if ($statusmsg !== '') {
- echo $OUTPUT->notification($statusmsg, 'notifysuccess');
- }
-
- echo '<form action="typesettings.php" method="post" id="'.$id.'" >';
- echo '<div class="settingsform clearfix">';
- echo html_writer::input_hidden_params($PAGE->url);
- echo '<input type="hidden" name="sesskey" value="'.sesskey().'" />';
- echo '<input type="hidden" name="return" value="'.$return.'" />';
-
- echo $settingspage->output_html();
-
- echo '<div class="form-buttons"><input class="form-submit" type="submit" value="'.get_string('savechanges', 'admin').'" /></div>';
-
- echo '</div>';
- echo '</form>';
-
-} else {
- if ($PAGE->user_allowed_editing()) {
- $url = clone($PAGE->url);
- if ($PAGE->user_is_editing()) {
- $caption = get_string('blockseditoff');
- $url->param('adminedit', 'off');
- } else {
- $caption = get_string('blocksediton');
- $url->param('adminedit', 'on');
- }
- $buttons = $OUTPUT->single_button($url, $caption, 'get');
- }
-
- $PAGE->set_title("$SITE->shortname: " . get_string('toolsetup', 'lti'));
-
- $PAGE->navbar->add(get_string('lti_administration', 'lti'), $CFG->wwwroot.'/admin/settings.php?section=modsettinglti');
+$PAGE->set_title("$SITE->shortname: " . get_string('toolsetup', 'lti'));
+$PAGE->navbar->add(get_string('lti_administration', 'lti'), $CFG->wwwroot.'/admin/settings.php?section=modsettinglti');
- echo $OUTPUT->header();
-
- if ($errormsg !== '') {
- echo $OUTPUT->notification($errormsg);
-
- } else if ($statusmsg !== '') {
- echo $OUTPUT->notification($statusmsg, 'notifysuccess');
- }
-
- echo $OUTPUT->heading(get_string('toolsetup', 'lti'));
- echo $OUTPUT->box_start('generalbox');
- if ($action == 'add') {
- $form = new mod_lti_edit_types_form($pageurl, (object)array('isadmin' => true));
- $form->display();
- } else if ($action == 'update') {
- $form = new mod_lti_edit_types_form('typessettings.php?id='.$id, (object)array('isadmin' => true));
- $type = lti_get_type_type_config($id);
- $form->set_data($type);
- $form->display();
- }
+echo $OUTPUT->header();
+echo $OUTPUT->heading(get_string('toolsetup', 'lti'));
+echo $OUTPUT->box_start('generalbox');
- echo $OUTPUT->box_end();
+if ($action == 'update') {
+ $type = lti_get_type_type_config($id);
+ $form->set_data($type);
}
+$form->display();
+echo $OUTPUT->box_end();
echo $OUTPUT->footer();
--
1.7.10.4
From a36b416641543c0cb267f2b88fba30206f1df2bd Mon Sep 17 00:00:00 2001
From: Andrew Robert Nicols <andrew.nicols@luns.net.uk>
Date: Wed, 20 Jun 2012 17:02:00 +0100
Subject: [PATCH 8/8] MDL-33916 Ensure that capabilities are checked for
cached user enrolments
---
lib/accesslib.php | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/accesslib.php b/lib/accesslib.php
index dd7f5b0..084c4d5 100644
--- a/lib/accesslib.php
+++ b/lib/accesslib.php
@@ -1935,6 +1935,9 @@ function is_enrolled(context $context, $user = null, $withcapability = '', $only
$coursecontext->reload_if_dirty();
if (isset($USER->enrol['enrolled'][$coursecontext->instanceid])) {
if ($USER->enrol['enrolled'][$coursecontext->instanceid] > time()) {
+ if ($withcapability and !has_capability($withcapability, $context, $userid)) {
+ return false;
+ }
return true;
}
}
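Review bot: The new `has_capability()` call inside the cached-enrolment fast path needs a comment explaining why it is there, since the cache only records that the user is enrolled and says nothing about `$withcapability`, which is why the earlier code returned `true` without consulting it; e.g. `// The enrolment cache knows nothing about capabilities, so honour $withcapability here as the uncached path does.` Checking against `$context` rather than `$coursecontext` is right, as a caller asking about a module-level capability expects that context. `$userid` is not assigned within the hunk, so this relies on the earlier part of `is_enrolled()` having resolved it and, presumably, on the `$USER->enrol` branch only being taken for the current user.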
--
1.7.10.4