
Bug#689386: unblock: moodle/2.2.3.dfsg-2.3



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package moodle

This version fixes the security bug #687924 and the following CVEs:

CVE-2012-4400
CVE-2012-4401
CVE-2012-4402
CVE-2012-4407
CVE-2012-4408

This is the changelog entry:

  moodle (2.2.3.dfsg-2.3) unstable; urgency=low

  * Non-maintainer upload.

  * Backport multiple security issues from upstream's MOODLE_22_STABLE
    branch. (Closes: #687924)
    - MSA-12-0051: MDL-30792 - File upload size constraint issue
      Fixes CVE-2012-4400
    - MSA-12-0052: MDL-28207 - Course topics permission issue
      Fixes CVE-2012-4401
    - MSA-12-0053: MDL-34585 - Blog file access issue
      Fixes CVE-2012-4407
    - MSA-12-0054: MDL-34519 - Course reset permission issue
      Fixes CVE-2012-4408
    - MSA-12-0055: MDL-34368 - Web service access token issue
      Fixes CVE-2012-4402

   -- Didier Raboud <odyx@debian.org>  Fri, 28 Sep 2012 12:52:21 +0200

And (as the only differences are new patches in debian/patches) the patches are attached.

Cheers,

OdyX

unblock moodle/2.2.3.dfsg-2.3

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
>From ebf253af171efbc5ff3a0074538c85a5edcb2ee2 Mon Sep 17 00:00:00 2001
From: Rajesh Taneja <rajesh@moodle.com>
Date: Fri, 3 Aug 2012 11:44:20 +0800
Subject: [PATCH] MDL-30792 Files API: maxbytes will be set by
 get_max_upload_file_size if less then 0 or greater then max
 moodle limit

---
 repository/filepicker.php      |    4 ++--
 repository/repository_ajax.php |    8 ++++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/repository/filepicker.php b/repository/filepicker.php
index 68aee10..610ef13 100644
--- a/repository/filepicker.php
+++ b/repository/filepicker.php
@@ -93,9 +93,9 @@ if ($repository = $DB->get_record_sql($sql, array($repo_id))) {
     }
 }
 
-$moodle_maxbytes = get_max_upload_file_size();
+$moodle_maxbytes = get_max_upload_file_size($CFG->maxbytes, $course->maxbytes);
 // to prevent maxbytes greater than moodle maxbytes setting
-if ($maxbytes == 0 || $maxbytes>=$moodle_maxbytes) {
+if (($maxbytes <= 0) || ($maxbytes >= $moodle_maxbytes)) {
     $maxbytes = $moodle_maxbytes;
 }
 
diff --git a/repository/repository_ajax.php b/repository/repository_ajax.php
index b7793c8..b7f76d1 100644
--- a/repository/repository_ajax.php
+++ b/repository/repository_ajax.php
@@ -83,9 +83,13 @@ if (!$repository = $DB->get_record_sql($sql, array($repo_id))) {
 /// Check permissions
 repository::check_capability($contextid, $repository);
 
-$moodle_maxbytes = get_max_upload_file_size();
+$coursemaxbytes = 0;
+if (!empty($course)) {
+   $coursemaxbytes = $course->maxbytes;
+}
+$moodle_maxbytes = get_max_upload_file_size($CFG->maxbytes, $coursemaxbytes);
 // to prevent maxbytes greater than moodle maxbytes setting
-if ($maxbytes == 0 || $maxbytes>=$moodle_maxbytes) {
+if (($maxbytes <= 0) || ($maxbytes >= $moodle_maxbytes)) {
     $maxbytes = $moodle_maxbytes;
 }
 
-- 
1.7.10.4

>From 43bfb68de9bb2b3f849a1ebded1c2b8e7f738edc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20S=CC=8Ckoda?= <commits@skodak.org>
Date: Tue, 31 Jul 2012 16:02:54 +0200
Subject: [PATCH] MDL-34585 fix broken blog file access control

---
 lib/filelib.php |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/filelib.php b/lib/filelib.php
index 92565f9..ca20cd2 100644
--- a/lib/filelib.php
+++ b/lib/filelib.php
@@ -3230,15 +3230,15 @@ function file_pluginfile($relativepath, $forcedownload) {
             }
         }
 
-        if ('publishstate' === 'public') {
+        if ($entry->publishstate === 'public') {
             if ($CFG->forcelogin) {
                 require_login();
             }
 
-        } else if ('publishstate' === 'site') {
+        } else if ($entry->publishstate === 'site') {
             require_login();
             //ok
-        } else if ('publishstate' === 'draft') {
+        } else if ($entry->publishstate === 'draft') {
             require_login();
             if ($USER->id != $entry->userid) {
                 send_file_not_found();
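Review bot: The `if`/`else if` chain on `$entry->publishstate` has no visible fail-closed branch: an entry whose state is anything other than `public`, `site` or `draft` matches none of these conditions and, unless a later `else` outside this hunk rejects it, presumably proceeds without any login or ownership check. Consider ending the chain with `} else { send_file_not_found(); }` so that unknown states are denied by default. The ownership test `$USER->id != $entry->userid` is a loose comparison; `(int)$USER->id !== (int)$entry->userid` states the intent explicitly. The chain continues past the end of the hunk, so its closing branches cannot be confirmed from here.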
-- 
1.7.10.4

>From f4ab33b25ff2013d8334303a06fde1800cd8cce0 Mon Sep 17 00:00:00 2001
From: Rex Lorenzo <rex@oid.ucla.edu>
Date: Tue, 24 Jul 2012 12:01:11 -0700
Subject: [PATCH] MDL-34519 - Course reset not protected by proper capability

---
 course/reset.php |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/course/reset.php b/course/reset.php
index cd0a66b..088c203 100644
--- a/course/reset.php
+++ b/course/reset.php
@@ -39,7 +39,7 @@ if (!$course = $DB->get_record('course', array('id'=>$id))) {
 $PAGE->set_url('/course/reset.php', array('id'=>$id));
 
 require_login($course);
-require_capability('moodle/course:update', get_context_instance(CONTEXT_COURSE, $course->id));
+require_capability('moodle/course:reset', get_context_instance(CONTEXT_COURSE, $course->id));
 
 $strreset       = get_string('reset');
 $strresetcourse = get_string('resetcourse');
-- 
1.7.10.4

>From 755dac1e2f3d82853ce12c91d36ee01f1b5501e2 Mon Sep 17 00:00:00 2001
From: Frederic Massart <fred@moodle.com>
Date: Tue, 31 Jul 2012 14:10:05 +0800
Subject: [PATCH] MDL-28207 Course: Showing/hiding/marking a section respect
 capabilities

---
 course/format/topics/format.php |   46 +++++++++++++++++++++------------------
 course/format/weeks/format.php  |   34 ++++++++++++++++-------------
 course/rest.php                 |    5 +++--
 course/view.php                 |    5 +++--
 4 files changed, 50 insertions(+), 40 deletions(-)

diff --git a/course/format/topics/format.php b/course/format/topics/format.php
index b8ce8f2..0c58c4d 100644
--- a/course/format/topics/format.php
+++ b/course/format/topics/format.php
@@ -186,29 +186,33 @@ while ($section <= $course->numsections) {
                  '<img src="'.$OUTPUT->pix_url('i/one') . '" class="icon" alt="'.$strshowonlytopic.'" /></a><br />';
         }
 
-        if ($PAGE->user_is_editing() && has_capability('moodle/course:update', get_context_instance(CONTEXT_COURSE, $course->id))) {
-
-            if ($course->marker == $section) {  // Show the "light globe" on/off
-                echo '<a href="view.php?id='.$course->id.'&amp;marker=0&amp;sesskey='.sesskey().'#section-'.$section.'" title="'.$strmarkedthistopic.'">'.'<img src="'.$OUTPUT->pix_url('i/marked') . '" alt="'.$strmarkedthistopic.'" class="icon"/></a><br />';
-            } else {
-                echo '<a href="view.php?id='.$course->id.'&amp;marker='.$section.'&amp;sesskey='.sesskey().'#section-'.$section.'" title="'.$strmarkthistopic.'">'.'<img src="'.$OUTPUT->pix_url('i/marker') . '" alt="'.$strmarkthistopic.'" class="icon"/></a><br />';
-            }
-
-            if ($thissection->visible) {        // Show the hide/show eye
-                echo '<a href="view.php?id='.$course->id.'&amp;hide='.$section.'&amp;sesskey='.sesskey().'#section-'.$section.'" title="'.$strtopichide.'">'.
-                     '<img src="'.$OUTPUT->pix_url('i/hide') . '" class="icon hide" alt="'.$strtopichide.'" /></a><br />';
-            } else {
-                echo '<a href="view.php?id='.$course->id.'&amp;show='.$section.'&amp;sesskey='.sesskey().'#section-'.$section.'" title="'.$strtopicshow.'">'.
-                     '<img src="'.$OUTPUT->pix_url('i/show') . '" class="icon hide" alt="'.$strtopicshow.'" /></a><br />';
+        $coursecontext = context_course::instance($course->id);
+        if ($PAGE->user_is_editing()) {
+            if (has_capability('moodle/course:setcurrentsection', $coursecontext)) {
+                if ($course->marker == $section) {  // Show the "light globe" on/off
+                    echo '<a href="view.php?id='.$course->id.'&amp;marker=0&amp;sesskey='.sesskey().'#section-'.$section.'" title="'.$strmarkedthistopic.'">'.'<img src="'.$OUTPUT->pix_url('i/marked') . '" alt="'.$strmarkedthistopic.'" class="icon"/></a><br />';
+                } else {
+                    echo '<a href="view.php?id='.$course->id.'&amp;marker='.$section.'&amp;sesskey='.sesskey().'#section-'.$section.'" title="'.$strmarkthistopic.'">'.'<img src="'.$OUTPUT->pix_url('i/marker') . '" alt="'.$strmarkthistopic.'" class="icon"/></a><br />';
+                }
             }
-            if ($section > 1) {                       // Add a arrow to move section up
-                echo '<a href="view.php?id='.$course->id.'&amp;random='.rand(1,10000).'&amp;section='.$section.'&amp;move=-1&amp;sesskey='.sesskey().'#section-'.($section-1).'" title="'.$strmoveup.'">'.
-                     '<img src="'.$OUTPUT->pix_url('t/up') . '" class="icon up" alt="'.$strmoveup.'" /></a><br />';
+            if (has_capability('moodle/course:sectionvisibility', $coursecontext)) {
+                if ($thissection->visible) {        // Show the hide/show eye
+                    echo '<a href="view.php?id='.$course->id.'&amp;hide='.$section.'&amp;sesskey='.sesskey().'#section-'.$section.'" title="'.$strtopichide.'">'.
+                         '<img src="'.$OUTPUT->pix_url('i/hide') . '" class="icon hide" alt="'.$strtopichide.'" /></a><br />';
+                } else {
+                    echo '<a href="view.php?id='.$course->id.'&amp;show='.$section.'&amp;sesskey='.sesskey().'#section-'.$section.'" title="'.$strtopicshow.'">'.
+                         '<img src="'.$OUTPUT->pix_url('i/show') . '" class="icon hide" alt="'.$strtopicshow.'" /></a><br />';
+                }
             }
-
-            if ($section < $course->numsections) {    // Add a arrow to move section down
-                echo '<a href="view.php?id='.$course->id.'&amp;random='.rand(1,10000).'&amp;section='.$section.'&amp;move=1&amp;sesskey='.sesskey().'#section-'.($section+1).'" title="'.$strmovedown.'">'.
-                     '<img src="'.$OUTPUT->pix_url('t/down') . '" class="icon down" alt="'.$strmovedown.'" /></a><br />';
+            if (has_capability('moodle/course:update', $coursecontext)) {
+                if ($section > 1) {                       // Add a arrow to move section up
+                    echo '<a href="view.php?id='.$course->id.'&amp;random='.rand(1,10000).'&amp;section='.$section.'&amp;move=-1&amp;sesskey='.sesskey().'#section-'.($section-1).'" title="'.$strmoveup.'">'.
+                         '<img src="'.$OUTPUT->pix_url('t/up') . '" class="icon up" alt="'.$strmoveup.'" /></a><br />';
+                }
+                if ($section < $course->numsections) {    // Add a arrow to move section down
+                    echo '<a href="view.php?id='.$course->id.'&amp;random='.rand(1,10000).'&amp;section='.$section.'&amp;move=1&amp;sesskey='.sesskey().'#section-'.($section+1).'" title="'.$strmovedown.'">'.
+                         '<img src="'.$OUTPUT->pix_url('t/down') . '" class="icon down" alt="'.$strmovedown.'" /></a><br />';
+                }
             }
         }
         echo '</div>';
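Review bot: The `has_capability()` checks added here only decide which edit links are printed; they are not the enforcement point, so every action needs the matching capability on the receiving side as well. This series shows that for `hide`/`show`/`move` in course/view.php and for the AJAX fields in course/rest.php, but the non-AJAX `marker=` handler is not in any hunk, so confirm that it checks `moodle/course:setcurrentsection` rather than `moodle/course:update`. Separately, `$coursecontext = context_course::instance($course->id);` is evaluated on every pass of the section loop (which starts outside this hunk) although it does not depend on `$section`, so it can move above the `while`. Both points apply equally to the course/format/weeks/format.php hunk.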
diff --git a/course/format/weeks/format.php b/course/format/weeks/format.php
index c5c78fa..9ae93f1 100644
--- a/course/format/weeks/format.php
+++ b/course/format/weeks/format.php
@@ -192,22 +192,26 @@ defined('MOODLE_INTERNAL') || die();
                      '<img src="'.$OUTPUT->pix_url('i/one') . '" class="icon wkone" alt="'.$strshowonlyweek.'" /></a><br />';
             }
 
-            if ($PAGE->user_is_editing() && has_capability('moodle/course:update', get_context_instance(CONTEXT_COURSE, $course->id))) {
-                if ($thissection->visible) {        // Show the hide/show eye
-                    echo '<a href="view.php?id='.$course->id.'&amp;hide='.$section.'&amp;sesskey='.sesskey().'#section-'.$section.'" title="'.$strweekhide.'">'.
-                         '<img src="'.$OUTPUT->pix_url('i/hide') . '" class="icon hide" alt="'.$strweekhide.'" /></a><br />';
-                } else {
-                    echo '<a href="view.php?id='.$course->id.'&amp;show='.$section.'&amp;sesskey='.sesskey().'#section-'.$section.'" title="'.$strweekshow.'">'.
-                         '<img src="'.$OUTPUT->pix_url('i/show') . '" class="icon hide" alt="'.$strweekshow.'" /></a><br />';
-                }
-                if ($section > 1) {                       // Add a arrow to move section up
-                    echo '<a href="view.php?id='.$course->id.'&amp;random='.rand(1,10000).'&amp;section='.$section.'&amp;move=-1&amp;sesskey='.sesskey().'#section-'.($section-1).'" title="'.$strmoveup.'">'.
-                         '<img src="'.$OUTPUT->pix_url('t/up') . '" class="icon up" alt="'.$strmoveup.'" /></a><br />';
+            $coursecontext = context_course::instance($course->id);
+            if ($PAGE->user_is_editing()) {
+                if (has_capability('moodle/course:sectionvisibility', $coursecontext)) {
+                    if ($thissection->visible) {        // Show the hide/show eye
+                        echo '<a href="view.php?id='.$course->id.'&amp;hide='.$section.'&amp;sesskey='.sesskey().'#section-'.$section.'" title="'.$strweekhide.'">'.
+                             '<img src="'.$OUTPUT->pix_url('i/hide') . '" class="icon hide" alt="'.$strweekhide.'" /></a><br />';
+                    } else {
+                        echo '<a href="view.php?id='.$course->id.'&amp;show='.$section.'&amp;sesskey='.sesskey().'#section-'.$section.'" title="'.$strweekshow.'">'.
+                             '<img src="'.$OUTPUT->pix_url('i/show') . '" class="icon hide" alt="'.$strweekshow.'" /></a><br />';
+                    }
                 }
-
-                if ($section < $course->numsections) {    // Add a arrow to move section down
-                    echo '<a href="view.php?id='.$course->id.'&amp;random='.rand(1,10000).'&amp;section='.$section.'&amp;move=1&amp;sesskey='.sesskey().'#section-'.($section+1).'" title="'.$strmovedown.'">'.
-                         '<img src="'.$OUTPUT->pix_url('t/down') . '" class="icon down" alt="'.$strmovedown.'" /></a><br />';
+                if (has_capability('moodle/course:update', $coursecontext)) {
+                    if ($section > 1) {                       // Add a arrow to move section up
+                        echo '<a href="view.php?id='.$course->id.'&amp;random='.rand(1,10000).'&amp;section='.$section.'&amp;move=-1&amp;sesskey='.sesskey().'#section-'.($section-1).'" title="'.$strmoveup.'">'.
+                             '<img src="'.$OUTPUT->pix_url('t/up') . '" class="icon up" alt="'.$strmoveup.'" /></a><br />';
+                    }
+                    if ($section < $course->numsections) {    // Add a arrow to move section down
+                        echo '<a href="view.php?id='.$course->id.'&amp;random='.rand(1,10000).'&amp;section='.$section.'&amp;move=1&amp;sesskey='.sesskey().'#section-'.($section+1).'" title="'.$strmovedown.'">'.
+                             '<img src="'.$OUTPUT->pix_url('t/down') . '" class="icon down" alt="'.$strmovedown.'" /></a><br />';
+                    }
                 }
             }
             echo '</div>';
diff --git a/course/rest.php b/course/rest.php
index 5125ffb..3f996a7 100644
--- a/course/rest.php
+++ b/course/rest.php
@@ -78,7 +78,6 @@ switch($requestmethod) {
             case 'section':
                 require_login($course);
                 $coursecontext = get_context_instance(CONTEXT_COURSE, $course->id);
-                require_capability('moodle/course:update', $coursecontext);
 
                 if (!$DB->record_exists('course_sections', array('course'=>$course->id, 'section'=>$id))) {
                     error_log('AJAX commands.php: Bad Section ID '.$id);
@@ -87,10 +86,12 @@ switch($requestmethod) {
 
                 switch ($field) {
                     case 'visible':
+                        require_capability('moodle/course:sectionvisibility', $coursecontext);
                         set_section_visible($course->id, $id, $value);
                         break;
 
                     case 'move':
+                        require_capability('moodle/course:update', $coursecontext);
                         move_section_to($course, $id, $value);
                         break;
                 }
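Review bot: With the shared `require_capability('moodle/course:update', $coursecontext);` removed from the `section` case in the hunk above, authorization now depends on every `case` of `switch ($field)` carrying its own check, and a field added later without one would be reachable by any user who passes `require_login($course)`. Both visible cases are covered, but a fail-closed default makes the rule explicit, for example `default: require_capability('moodle/course:update', $coursecontext); break;`. A one-line comment above the switch, such as `// Each field enforces its own capability; there is no shared check above.`, would also help the next maintainer.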
@@ -158,7 +159,7 @@ switch($requestmethod) {
                     case 'marker':
                         require_login($course);
                         $coursecontext = get_context_instance(CONTEXT_COURSE, $course->id);
-                        require_capability('moodle/course:update', $coursecontext);
+                        require_capability('moodle/course:setcurrentsection', $coursecontext);
                         course_set_marker($course->id, $value);
                         break;
                 }
diff --git a/course/view.php b/course/view.php
index 8b2621f..816265e 100644
--- a/course/view.php
+++ b/course/view.php
@@ -127,15 +127,16 @@
             }
         }
 
-        if (has_capability('moodle/course:update', $context)) {
+        if (has_capability('moodle/course:sectionvisibility', $context)) {
             if ($hide && confirm_sesskey()) {
                 set_section_visible($course->id, $hide, '0');
             }
-
             if ($show && confirm_sesskey()) {
                 set_section_visible($course->id, $show, '1');
             }
+        }
 
+        if (has_capability('moodle/course:update', $context)) {
             if (!empty($section)) {
                 if (!empty($move) and confirm_sesskey()) {
                     if (move_section($course, $section, $move)) {
-- 
1.7.10.4

>From 5678fd4794179522f30ba3993736f827eed5c656 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20S=CC=8Ckoda?= <commits@skodak.org>
Date: Wed, 1 Aug 2012 08:30:28 +0200
Subject: [PATCH] MDL-34368 fix another validuntil condition

---
 webservice/lib.php |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webservice/lib.php b/webservice/lib.php
index 998edd9..4c475da 100644
--- a/webservice/lib.php
+++ b/webservice/lib.php
@@ -1458,7 +1458,7 @@ abstract class webservice_base_server extends webservice_server {
                   FROM {external_services} s
                   JOIN {external_services_functions} sf ON (sf.externalserviceid = s.id AND s.restrictedusers = 1 AND sf.functionname = :name2)
                   JOIN {external_services_users} su ON (su.externalserviceid = s.id AND su.userid = :userid)
-                 WHERE s.enabled = 1 AND su.validuntil IS NULL OR su.validuntil < :now $wscond2";
+                 WHERE s.enabled = 1 AND (su.validuntil IS NULL OR su.validuntil < :now) $wscond2";
         $params = array_merge($params, array('userid'=>$USER->id, 'name1'=>$function->name, 'name2'=>$function->name, 'now'=>time()));
 
         $rs = $DB->get_recordset_sql($sql, $params);
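Review bot: The condition `su.validuntil < :now` matches rows whose `validuntil` is already in the past, and the parentheses added here do not change that. If `validuntil` is an expiry timestamp, as the name suggests, the authorised rows should be those with `su.validuntil > :now`, and a stored `0` may need the same treatment as `NULL`; confirm against how the column is written. The same condition appears in the `webservice_zend_server` hunk of the second MDL-34368 patch. `$wscond2` is interpolated into the SQL string and is built outside this hunk, so it is worth checking that it only ever holds fixed SQL with bound placeholders.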
-- 
1.7.10.4

>From af6df710114918fbdf51486bbcca8049a2e72cba Mon Sep 17 00:00:00 2001
From: Nathan Mares <nathan@catalyst-au.net>
Date: Tue, 17 Jul 2012 19:11:57 +1000
Subject: [PATCH] MDL-34368: Fix broken query in so tokens are correctly
 checked against the linked service

---
 webservice/lib.php |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webservice/lib.php b/webservice/lib.php
index 1861513..998edd9 100644
--- a/webservice/lib.php
+++ b/webservice/lib.php
@@ -979,7 +979,7 @@ abstract class webservice_zend_server extends webservice_server {
                   FROM {external_services} s
                   JOIN {external_services_functions} sf ON (sf.externalserviceid = s.id AND s.restrictedusers = 1)
                   JOIN {external_services_users} su ON (su.externalserviceid = s.id AND su.userid = :userid)
-                 WHERE s.enabled = 1 AND su.validuntil IS NULL OR su.validuntil < :now $wscond2";
+                 WHERE s.enabled = 1 AND (su.validuntil IS NULL OR su.validuntil < :now) $wscond2";
 
         $params = array_merge($params, array('userid'=>$USER->id, 'now'=>time()));
 
-- 
1.7.10.4

>From f7c9e3bb18e9e7fa06dff625042bf9572d709d45 Mon Sep 17 00:00:00 2001
From: Rajesh Taneja <rajesh@moodle.com>
Date: Fri, 3 Aug 2012 11:47:44 +0800
Subject: [PATCH] MDL-30792 Files API: Cleaner approach to get maxbytes size
 in filepicker

---
 lib/moodlelib.php              |    6 +++---
 repository/filepicker.php      |    7 ++-----
 repository/repository_ajax.php |    7 ++-----
 3 files changed, 7 insertions(+), 13 deletions(-)

diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index 465226a..08b34ee 100644
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -5728,15 +5728,15 @@ function get_max_upload_file_size($sitebytes=0, $coursebytes=0, $modulebytes=0)
         }
     }
 
-    if ($sitebytes and $sitebytes < $minimumsize) {
+    if (($sitebytes > 0) and ($sitebytes < $minimumsize)) {
         $minimumsize = $sitebytes;
     }
 
-    if ($coursebytes and $coursebytes < $minimumsize) {
+    if (($coursebytes > 0) and ($coursebytes < $minimumsize)) {
         $minimumsize = $coursebytes;
     }
 
-    if ($modulebytes and $modulebytes < $minimumsize) {
+    if (($modulebytes > 0) and ($modulebytes < $minimumsize)) {
         $minimumsize = $modulebytes;
     }
 
diff --git a/repository/filepicker.php b/repository/filepicker.php
index 610ef13..fa759c5 100644
--- a/repository/filepicker.php
+++ b/repository/filepicker.php
@@ -93,11 +93,8 @@ if ($repository = $DB->get_record_sql($sql, array($repo_id))) {
     }
 }
 
-$moodle_maxbytes = get_max_upload_file_size($CFG->maxbytes, $course->maxbytes);
-// to prevent maxbytes greater than moodle maxbytes setting
-if (($maxbytes <= 0) || ($maxbytes >= $moodle_maxbytes)) {
-    $maxbytes = $moodle_maxbytes;
-}
+// Make sure maxbytes passed is within site filesize limits.
+$maxbytes = get_max_upload_file_size($CFG->maxbytes, $coursemaxbytes, $maxbytes);
 
 $params = array('ctx_id' => $contextid, 'itemid' => $itemid, 'env' => $env, 'course'=>$courseid, 'maxbytes'=>$maxbytes, 'maxfiles'=>$maxfiles, 'subdirs'=>$subdirs, 'sesskey'=>sesskey());
 $params['action'] = 'browse';
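Review bot: `$coursemaxbytes` is passed to `get_max_upload_file_size()` here, but no visible line of repository/filepicker.php in this series assigns it; the earlier MDL-30792 patch read `$course->maxbytes` directly in this file, and only repository_ajax.php is shown defining `$coursemaxbytes`. If the variable is indeed undefined at this point, PHP passes null, the `($coursebytes > 0)` test in lib/moodlelib.php is false, and the course upload limit is silently skipped. Unless it is set above the hunk, define it first, e.g. `$coursemaxbytes = !empty($course) ? $course->maxbytes : 0;`.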
diff --git a/repository/repository_ajax.php b/repository/repository_ajax.php
index b7f76d1..f8c9fe5 100644
--- a/repository/repository_ajax.php
+++ b/repository/repository_ajax.php
@@ -87,11 +87,8 @@ $coursemaxbytes = 0;
 if (!empty($course)) {
    $coursemaxbytes = $course->maxbytes;
 }
-$moodle_maxbytes = get_max_upload_file_size($CFG->maxbytes, $coursemaxbytes);
-// to prevent maxbytes greater than moodle maxbytes setting
-if (($maxbytes <= 0) || ($maxbytes >= $moodle_maxbytes)) {
-    $maxbytes = $moodle_maxbytes;
-}
+// Make sure maxbytes passed is within site filesize limits.
+$maxbytes = get_max_upload_file_size($CFG->maxbytes, $coursemaxbytes, $maxbytes);
 
 /// Wait as long as it takes for this script to finish
 set_time_limit(0);
-- 
1.7.10.4

