
Bug#691142: pu: package moodle/1.9.9.dfsg2-2.1+squeeze4



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi dear Release Team,

upon ping from Jonathan Wiltshire on #682203, here I am with a proposed stable
update for moodle. The changelog entry would be: 

moodle (1.9.9.dfsg2-2.1+squeeze4) stable; urgency=low

  * Minor security updates.
  * Backporting security fixes from MOODLE_19_STABLE:
    - CVE-2012-1155 - MSA-12-0013: database activity module entries exporting
      does not respect separate groups (Closes: #668411).
    - CVE-2012-2362 - MSA-12-0033: XSS bug in blog/index.php in IE.
    - CVE-2012-2363 - MSA-12-0034: Stored SQL Injection in calendar.
    - CVE-2012-2367 - MSA-12-0038: Calendar New Entry still shows and works
      for roles preventing calendar entry. (Closes: #674163)

The debdiff and separate patches are attached; they are cherry-picks plus quilt
refreshes of upstream patches from the MOODLE_19_STABLE branch.

FYI, I started to backport the fix for CVE-2012-3398, but I'm not sure it'll
lead to an upload as the fix is quite invasive and doesn't apply cleanly on
the 1.9.9 codebase. Help welcome.

Cheers,

OdyX
diff -Nru moodle-1.9.9.dfsg2/debian/changelog moodle-1.9.9.dfsg2/debian/changelog
--- moodle-1.9.9.dfsg2/debian/changelog	2012-02-29 20:45:39.000000000 +0100
+++ moodle-1.9.9.dfsg2/debian/changelog	2012-10-22 08:10:11.000000000 +0200
@@ -1,3 +1,16 @@
+moodle (1.9.9.dfsg2-2.1+squeeze4) stable; urgency=low
+
+  * Minor security updates.
+  * Backporting security fixes from MOODLE_19_STABLE:
+    - CVE-2012-1155 - MSA-12-0013: database activity module entries exporting
+      does not respect separate groups (Closes: #668411).
+    - CVE-2012-2362 - MSA-12-0033: XSS bug in blog/index.php in IE.
+    - CVE-2012-2363 - MSA-12-0034: Stored SQL Injection in calendar.
+    - CVE-2012-2367 - MSA-12-0038: Calendar New Entry still shows and works
+      for roles preventing calendar entry. (Closes: #674163)
+
+ -- Didier Raboud <odyx@debian.org>  Sun, 21 Oct 2012 14:16:11 +0200
+
 moodle (1.9.9.dfsg2-2.1+squeeze3) stable-security; urgency=low
 
   * Security update based on unstable:
diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-12-0013 moodle-1.9.9.dfsg2/debian/patches/MSA-12-0013
--- moodle-1.9.9.dfsg2/debian/patches/MSA-12-0013	1970-01-01 01:00:00.000000000 +0100
+++ moodle-1.9.9.dfsg2/debian/patches/MSA-12-0013	2012-10-21 14:34:54.000000000 +0200
@@ -0,0 +1,45 @@
+commit 312ada2856cfb79d03ac6effe11dd750f2aa67f0
+Author: Adrian Greeve <adrian@moodle.com>
+Date:   Tue Jan 31 12:09:30 2012 +0800
+
+    MDL-25185 - data - Allowing data from the database to be exported according to group roles.
+
+diff --git a/mod/data/export.php b/mod/data/export.php
+index 6ac914e..edea566 100644
+--- a/mod/data/export.php
++++ b/mod/data/export.php
+@@ -60,6 +60,7 @@ if($mform->is_cancelled()) {
+     print_header_simple($data->name, '', $nav,
+         '', '', true, update_module_button($cm->id, $course->id, get_string('modulename', 'data')),
+         navmenu($course, $cm), '', '');
++    groups_print_activity_menu($cm, "$CFG->wwwroot/mod/data/export.php?d=$d");
+     print_heading(format_string($data->name));
+ 
+     // these are for the tab display
+@@ -83,13 +84,25 @@ foreach($fields as $key => $field) {
+         $exportdata[0][] = $field->field->name;
+     }
+ }
++$groupid = groups_get_activity_group($cm);
+ 
+ $datarecords = get_records('data_records', 'dataid', $data->id);
+ ksort($datarecords);
+ $line = 1;
+ foreach($datarecords as $record) {
+     // get content indexed by fieldid
+-    if( $content = get_records('data_content', 'recordid', $record->id, 'fieldid', 'fieldid, content, content1, content2, content3, content4') ) {
++    if($groupid) {
++        $select = "SELECT c.fieldid, c.content, c.content1, c.content2, c.content3, c.content4 
++            FROM {$CFG->prefix}data_content c, {$CFG->prefix}data_records r 
++            WHERE c.recordid = $record->id  
++            AND r.id = c.recordid 
++            AND r.groupid = $groupid";
++    } else {
++        $select = "SELECT fieldid, content, content1, content2, content3, content4 
++            FROM {$CFG->prefix}data_content 
++            WHERE recordid = $record->id";
++    }
++    if( $content = get_records_sql($select) ) {
+         foreach($fields as $field) {
+             $contents = '';
+             if(isset($content[$field->field->id])) {
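Review bot: `$groupid` and `$record->id` are spliced straight into the SQL text at `WHERE c.recordid = $record->id ... AND r.groupid = $groupid` in the new `get_records_sql()` branch, whereas the replaced `get_records()` call handled quoting itself. Both values are integers in practice (`$record->id` comes from the database row, `$groupid` from `groups_get_activity_group()`), but nothing in the hunk enforces that, so an explicit cast documents and guarantees the invariant: `$groupid = (int)groups_get_activity_group($cm);` and `$recordid = (int)$record->id;` used in both query strings. The grouped branch also excludes records whose `r.groupid` is 0; if those are the module's "all participants" records, confirm that dropping them from a group-filtered export is intended. The same code appears again in the standalone `mod/data/export.php` patch further down this page.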
diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-12-0033 moodle-1.9.9.dfsg2/debian/patches/MSA-12-0033
--- moodle-1.9.9.dfsg2/debian/patches/MSA-12-0033	1970-01-01 01:00:00.000000000 +0100
+++ moodle-1.9.9.dfsg2/debian/patches/MSA-12-0033	2012-10-21 14:48:44.000000000 +0200
@@ -0,0 +1,45 @@
+commit 038131c8b5614f18c14d964dc53b6960ae6c30d8
+Author: Rajesh Taneja <rajesh@moodle.com>
+Date:   Mon Mar 26 11:54:01 2012 +1300
+
+    MDL-31745 blog: Fixed up encoding issue within blog
+
+--- a/blog/lib.php
++++ b/blog/lib.php
+@@ -672,7 +672,7 @@
+             $querystring = '';
+             foreach($_GET as $var => $val) {
+                 $var = clean_param($var, PARAM_ALPHANUM);   // See MDL-22631
+-                $val = clean_param($val, PARAM_CLEAN);
++                $val = urlencode(clean_param($val, PARAM_CLEAN));
+                 if(!$first) {
+                     $first = true;
+                     if ($var != 'filterselect' && $var != 'filtertype') {
+@@ -683,13 +683,13 @@
+                     }
+                 } else {
+                     if ($var != 'filterselect' && $var != 'filtertype') {
+-                        $querystring .= '&amp;'.$var.'='.$val;
++                        $querystring .= '&'.$var.'='.$val;
+                         $hasparam = true;
+                     }
+                 }
+             }
+             if (isset($hasparam)) {
+-                $querystring .= '&amp;';
++                $querystring .= '&';
+             } else {
+                 $querystring = '?';
+             }
+@@ -697,9 +697,8 @@
+             $querystring = '?';
+         }
+ 
+-        return strip_querystring(qualified_me()) . $querystring. 'filtertype='.
+-                $filtertype.'&amp;filterselect='.$filterselect.'&amp;';
+-
++        return s(strip_querystring(qualified_me()) . $querystring. 'filtertype='.
++                $filtertype.'&filterselect='.$filterselect.'&', true);
+     }
+ 
+     /**
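Review bot: The return value is now HTML-escaped as a whole by the added `s(..., true)` call while the concatenated pieces use a raw `&`, so the result is correct only in an HTML context; any caller that feeds it to a `Location:` header or `redirect()` (callers are outside the hunk) would now receive `&amp;` separators. A one-line docblock on the function would prevent that misuse, e.g. `// Returns an HTML-escaped URL; decode it before using it outside HTML (e.g. in a redirect).`, and the opaque positional `true` passed to `s()` deserves a comment naming its effect. Separately, `$val` comes from `$_GET` and may be an array (`?x[]=1`); if `clean_param()` passes arrays through, `urlencode()` rejects them with a warning, so an `is_array($val)` skip before the urlencode would be safer. The same change is repeated in the standalone `blog/lib.php` patch lower on the page.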
diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-12-0034 moodle-1.9.9.dfsg2/debian/patches/MSA-12-0034
--- moodle-1.9.9.dfsg2/debian/patches/MSA-12-0034	1970-01-01 01:00:00.000000000 +0100
+++ moodle-1.9.9.dfsg2/debian/patches/MSA-12-0034	2012-10-21 14:44:38.000000000 +0200
@@ -0,0 +1,184 @@
+commit db52f45c688afb3b4d7a3f701d40182ccc3a81bc
+Author: Rajesh Taneja <rajesh@moodle.com>
+Date:   Tue Apr 10 17:50:58 2012 +1200
+
+    MDL-31746 calendar: Fixed up validation inconsistencies when creating/editing an event
+
+diff --git a/calendar/event.php b/calendar/event.php
+index 5325aa4..bec568c 100644
+--- a/calendar/event.php
++++ b/calendar/event.php
+@@ -103,6 +103,7 @@
+     }
+ 
+     $form = null;
++    $err = array();
+ 
+     switch($action) {
+         case 'delete':
+@@ -129,23 +130,7 @@
+             }
+ 
+             if($form = data_submitted() and confirm_sesskey()) {
+-
+-                $form->name = clean_param(strip_tags($form->name,'<lang><span>'), PARAM_CLEAN);
+-
+-                $form->timestart = make_timestamp($form->startyr, $form->startmon, $form->startday, $form->starthr, $form->startmin);
+-                if($form->duration == 1) {
+-                    $form->timeduration = make_timestamp($form->endyr, $form->endmon, $form->endday, $form->endhr, $form->endmin) - $form->timestart;
+-                    if($form->timeduration < 0) {
+-                        $form->timeduration = 0;
+-                    }
+-                }
+-                else if($form->duration == 2) {
+-                    $form->timeduration = $form->minutes * MINSECS;
+-                }
+-                else {
+-                    $form->timeduration = 0;
+-                }
+-
++                // validate form and set error if any.
+                 validate_form($form, $err);
+ 
+                 if (count($err) == 0) {
+@@ -194,27 +179,13 @@
+             $title = get_string('newevent', 'calendar');
+             $form = data_submitted();
+             if(!empty($form) && !empty($form->name) && confirm_sesskey()) {
+-
+-                $form->name = clean_text(strip_tags($form->name, '<lang><span>'));
+-
+-                $form->timestart = make_timestamp($form->startyr, $form->startmon, $form->startday, $form->starthr, $form->startmin);
+-                if($form->duration == 1) {
+-                    $form->timeduration = make_timestamp($form->endyr, $form->endmon, $form->endday, $form->endhr, $form->endmin) - $form->timestart;
+-                    if($form->timeduration < 0) {
+-                        $form->timeduration = 0;
+-                    }
+-                }
+-                else if ($form->duration == 2) {
+-                    $form->timeduration = $form->minutes * MINSECS;
+-                }
+-                else {
+-                    $form->timeduration = 0;
+-                }
+-                if(!calendar_add_event_allowed($form)) {
+-                    error('You are not authorized to do this');
+-                }
++                // validate form and set error if any.
+                 validate_form($form, $err);
++
+                 if (count($err) == 0) {
++                    if (!calendar_add_event_allowed($form)) {
++                        error('You are not authorized to do this');
++                    }
+                     $form->timemodified = time();
+ 
+                     /// Get the event id for the log record.
+@@ -568,11 +539,44 @@
+ 
+ 
+ function validate_form(&$form, &$err) {
++    $cleanform = new stdClass();
++    //first clean the form values
++    $cleanform->name = clean_param(strip_tags(trim($form->name), '<lang><span>'),PARAM_CLEAN);
++    $cleanform->description = addslashes(clean_param($form->description, PARAM_CLEANHTML));
++    $cleanform->duration = clean_param($form->duration, PARAM_INT);
++    $cleanform->startmon = clean_param($form->startmon, PARAM_INT);
++    $cleanform->startday = clean_param($form->startday, PARAM_INT);
++    $cleanform->startyr = clean_param($form->startyr, PARAM_INT);
++    $cleanform->starthr = clean_param($form->starthr, PARAM_INT);
++    $cleanform->startmin = clean_param($form->startmin, PARAM_INT);
++    $cleanform->endmon = clean_param($form->endmon, PARAM_INT);
++    $cleanform->endday = clean_param($form->endday, PARAM_INT);
++    $cleanform->endyr = clean_param($form->endyr, PARAM_INT);
++    $cleanform->endhr = clean_param($form->endhr, PARAM_INT);
++    $cleanform->endmin = clean_param($form->endmin, PARAM_INT);
++    $cleanform->minutes = clean_param($form->minutes, PARAM_INT);
++    $cleanform->courseid = clean_param($form->courseid, PARAM_INT);
++    $cleanform->format = clean_param($form->format, PARAM_INT);
++    $cleanform->course = clean_param($form->course, PARAM_INT);
++    $cleanform->action = clean_param($form->action, PARAM_ALPHA);
++
++    // These values are only required for new event.
++    if ($cleanform->action === 'new') {
++        $cleanform->repeat = clean_param($form->repeat, PARAM_INT);
++        $cleanform->repeats = clean_param($form->repeats, PARAM_INT);
++        $cleanform->groupid = clean_param($form->groupid, PARAM_INT);
++        $cleanform->userid = clean_param($form->userid, PARAM_INT);
++        $cleanform->modulename = clean_param($form->modulename, PARAM_SAFEDIR);
++        $cleanform->eventtype = clean_param($form->eventtype, PARAM_ALPHA);
++        $cleanform->instance = clean_param($form->instance, PARAM_INT);
++        $cleanform->type = clean_param($form->type, PARAM_ALPHA);
++    } else {
++        $cleanform->id = clean_param($form->id, PARAM_INT);
++    }
++    // set form with clean and valid values only.
++    $form = $cleanform;
+ 
+-    $form->name = trim($form->name);
+-    $form->description = trim($form->description);
+-
+-    if(empty($form->name)) {
++    if (empty($form->name)) {
+         $err['name'] = get_string('errornoeventname', 'calendar');
+     }
+ /* Allow events without a description
+@@ -580,28 +584,53 @@ function validate_form(&$form, &$err) {
+         $err['description'] = get_string('errornodescription', 'calendar');
+     }
+ */
+-    if(!checkdate($form->startmon, $form->startday, $form->startyr)) {
++    if (!checkdate($form->startmon, $form->startday, $form->startyr)) {
+         $err['timestart'] = get_string('errorinvaliddate', 'calendar');
+     }
+-    if($form->duration == 2 and !checkdate($form->endmon, $form->endday, $form->endyr)) {
++    if ($form->duration == 1 and !checkdate($form->endmon, $form->endday, $form->endyr)) {
+         $err['timeduration'] = get_string('errorinvaliddate', 'calendar');
+     }
+-    if($form->duration == 2 and !($form->minutes > 0 and $form->minutes < 1000)) {
++    if ($form->duration == 2 and !($form->minutes > 0 and $form->minutes < 1000)) {
+         $err['minutes'] = get_string('errorinvalidminutes', 'calendar');
+     }
+     if (!empty($form->repeat) and !($form->repeats > 1 and $form->repeats < 100)) {
+         $err['repeats'] = get_string('errorinvalidrepeats', 'calendar');
+     }
+-    if(!empty($form->courseid)) {
++
++    // set start time and duration
++    $form->timestart = make_timestamp($form->startyr, $form->startmon, $form->startday, $form->starthr, $form->startmin);
++    if ($form->duration == 1) {
++        $form->timeduration = make_timestamp($form->endyr, $form->endmon, $form->endday, $form->endhr, $form->endmin) - $form->timestart;
++        // Duration should be set for time in future.
++        if ($form->timeduration <= 0) {
++            $err['timeduration'] = get_string('errorinvaliddate', 'calendar');
++            $form->timeduration = 0;
++        }
++    }
++    else if ($form->duration == 2) {
++        $form->timeduration = $form->minutes * MINSECS;
++    }
++    else {
++        $form->timeduration = 0;
++    }
++
++    if (!empty($form->courseid)) {
+         // Timestamps must be >= course startdate
+         $course = get_record('course', 'id', $form->courseid);
+-        if($course === false) {
++        if ($course === false) {
+             error('Event belongs to invalid course');
+         }
+         else if($form->timestart < $course->startdate) {
+             $err['timestart'] = get_string('errorbeforecoursestart', 'calendar');
+         }
+     }
++    if (!empty($form->modulename)) {
++        // Check that passed modulename actually exists (possible SQL Injection route)
++        $module = get_record('modules', 'name', $form->modulename);
++        if ($module === false) {
++            error('Invalid module name');
++        }
++    }
+ }
+ 
+ function calendar_add_event_allowed($event) {
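Review bot: `validate_form()` now runs `addslashes()` over the result of `clean_param($form->description, PARAM_CLEANHTML)`; if PARAM_CLEANHTML already returns slash-escaped text in this tree's `clean_param()`, the description gets double-escaped on save — confirm before this goes to stable. Two further points in the same function: the new `if ($form->timeduration <= 0)` branch turns an end time equal to the start into a validation error where the removed code clamped it to 0, which is a user-visible behaviour change for a stable update and deserves a changelog line; and every field (`$form->action`, `$form->format`, `$form->minutes`, …) is read unconditionally, so a submission lacking one raises a PHP notice and, for `action`, silently takes the `else` branch that expects an event `id`. Note also that the rewritten function replaces the caller's `$form` object wholesale via `$form = $cleanform;`, so any property the callers in event.php set before calling `validate_form()` is dropped — the callers are only partly visible here. The same code appears in the standalone `calendar/event.php` patch lower on the page.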
diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-12-0038 moodle-1.9.9.dfsg2/debian/patches/MSA-12-0038
--- moodle-1.9.9.dfsg2/debian/patches/MSA-12-0038	1970-01-01 01:00:00.000000000 +0100
+++ moodle-1.9.9.dfsg2/debian/patches/MSA-12-0038	2012-10-21 14:50:28.000000000 +0200
@@ -0,0 +1,18 @@
+commit 4928e13799ad344bc7babba93a28ae77a830080f
+Author: Rossiani Wijaya <rwijaya@moodle.com>
+Date:   Mon Apr 30 17:07:15 2012 +0800
+
+    MDL-18335 calendar event: fixed role capability checking to create new event
+
+diff --git a/calendar/lib.php b/calendar/lib.php
+index 7c575d4..a927b6b 100644
+--- a/calendar/lib.php
++++ b/calendar/lib.php
+@@ -1582,6 +1582,7 @@ function calendar_get_allowed_types(&$allowed) {
+     if(!empty($SESSION->cal_course_referer) && $SESSION->cal_course_referer != SITEID) {
+         $course = get_record('course', 'id', $SESSION->cal_course_referer);
+         $coursecontext = get_context_instance(CONTEXT_COURSE, $SESSION->cal_course_referer);
++        $allowed->user = has_capability('moodle/calendar:manageownentries', $coursecontext);
+ 
+         if(has_capability('moodle/calendar:manageentries', $coursecontext)) {
+             $allowed->courses = array($course->id => 1);
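Review bot: The added `$allowed->user = has_capability('moodle/calendar:manageownentries', $coursecontext);` unconditionally overwrites whatever `$allowed->user` was set to earlier in `calendar_get_allowed_types()` (the function starts before this hunk), so a user who may manage own entries elsewhere but is prevented in the referring course now gets false; that appears to be the point of MSA-12-0038, so record it: `// Course role takes precedence: a prohibit on manageownentries in this course hides the personal event type.` Whether this also blocks the server-side creation path depends on `calendar_add_event_allowed()` consulting these allowed types, which is not visible here; if it does not, this change only hides the menu entry. The same one-line change is repeated in the standalone `calendar/lib.php` patch at the end of the page.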
diff -Nru moodle-1.9.9.dfsg2/debian/patches/series moodle-1.9.9.dfsg2/debian/patches/series
--- moodle-1.9.9.dfsg2/debian/patches/series	2012-02-29 20:43:19.000000000 +0100
+++ moodle-1.9.9.dfsg2/debian/patches/series	2012-10-22 08:05:31.000000000 +0200
@@ -32,3 +32,7 @@
 MSA-12-0005
 MSA-12-0006
 MSA-12-0007
+MSA-12-0013
+MSA-12-0033
+MSA-12-0034
+MSA-12-0038
commit 312ada2856cfb79d03ac6effe11dd750f2aa67f0
Author: Adrian Greeve <adrian@moodle.com>
Date:   Tue Jan 31 12:09:30 2012 +0800

    MDL-25185 - data - Allowing data from the database to be exported according to group roles.

diff --git a/mod/data/export.php b/mod/data/export.php
index 6ac914e..edea566 100644
--- a/mod/data/export.php
+++ b/mod/data/export.php
@@ -60,6 +60,7 @@ if($mform->is_cancelled()) {
     print_header_simple($data->name, '', $nav,
         '', '', true, update_module_button($cm->id, $course->id, get_string('modulename', 'data')),
         navmenu($course, $cm), '', '');
+    groups_print_activity_menu($cm, "$CFG->wwwroot/mod/data/export.php?d=$d");
     print_heading(format_string($data->name));
 
     // these are for the tab display
@@ -83,13 +84,25 @@ foreach($fields as $key => $field) {
         $exportdata[0][] = $field->field->name;
     }
 }
+$groupid = groups_get_activity_group($cm);
 
 $datarecords = get_records('data_records', 'dataid', $data->id);
 ksort($datarecords);
 $line = 1;
 foreach($datarecords as $record) {
     // get content indexed by fieldid
-    if( $content = get_records('data_content', 'recordid', $record->id, 'fieldid', 'fieldid, content, content1, content2, content3, content4') ) {
+    if($groupid) {
+        $select = "SELECT c.fieldid, c.content, c.content1, c.content2, c.content3, c.content4 
+            FROM {$CFG->prefix}data_content c, {$CFG->prefix}data_records r 
+            WHERE c.recordid = $record->id  
+            AND r.id = c.recordid 
+            AND r.groupid = $groupid";
+    } else {
+        $select = "SELECT fieldid, content, content1, content2, content3, content4 
+            FROM {$CFG->prefix}data_content 
+            WHERE recordid = $record->id";
+    }
+    if( $content = get_records_sql($select) ) {
         foreach($fields as $field) {
             $contents = '';
             if(isset($content[$field->field->id])) {
commit 038131c8b5614f18c14d964dc53b6960ae6c30d8
Author: Rajesh Taneja <rajesh@moodle.com>
Date:   Mon Mar 26 11:54:01 2012 +1300

    MDL-31745 blog: Fixed up encoding issue within blog

--- a/blog/lib.php
+++ b/blog/lib.php
@@ -672,7 +672,7 @@
             $querystring = '';
             foreach($_GET as $var => $val) {
                 $var = clean_param($var, PARAM_ALPHANUM);   // See MDL-22631
-                $val = clean_param($val, PARAM_CLEAN);
+                $val = urlencode(clean_param($val, PARAM_CLEAN));
                 if(!$first) {
                     $first = true;
                     if ($var != 'filterselect' && $var != 'filtertype') {
@@ -683,13 +683,13 @@
                     }
                 } else {
                     if ($var != 'filterselect' && $var != 'filtertype') {
-                        $querystring .= '&amp;'.$var.'='.$val;
+                        $querystring .= '&'.$var.'='.$val;
                         $hasparam = true;
                     }
                 }
             }
             if (isset($hasparam)) {
-                $querystring .= '&amp;';
+                $querystring .= '&';
             } else {
                 $querystring = '?';
             }
@@ -697,9 +697,8 @@
             $querystring = '?';
         }
 
-        return strip_querystring(qualified_me()) . $querystring. 'filtertype='.
-                $filtertype.'&amp;filterselect='.$filterselect.'&amp;';
-
+        return s(strip_querystring(qualified_me()) . $querystring. 'filtertype='.
+                $filtertype.'&filterselect='.$filterselect.'&', true);
     }
 
     /**
commit db52f45c688afb3b4d7a3f701d40182ccc3a81bc
Author: Rajesh Taneja <rajesh@moodle.com>
Date:   Tue Apr 10 17:50:58 2012 +1200

    MDL-31746 calendar: Fixed up validation inconsistencies when creating/editing an event

diff --git a/calendar/event.php b/calendar/event.php
index 5325aa4..bec568c 100644
--- a/calendar/event.php
+++ b/calendar/event.php
@@ -103,6 +103,7 @@
     }
 
     $form = null;
+    $err = array();
 
     switch($action) {
         case 'delete':
@@ -129,23 +130,7 @@
             }
 
             if($form = data_submitted() and confirm_sesskey()) {
-
-                $form->name = clean_param(strip_tags($form->name,'<lang><span>'), PARAM_CLEAN);
-
-                $form->timestart = make_timestamp($form->startyr, $form->startmon, $form->startday, $form->starthr, $form->startmin);
-                if($form->duration == 1) {
-                    $form->timeduration = make_timestamp($form->endyr, $form->endmon, $form->endday, $form->endhr, $form->endmin) - $form->timestart;
-                    if($form->timeduration < 0) {
-                        $form->timeduration = 0;
-                    }
-                }
-                else if($form->duration == 2) {
-                    $form->timeduration = $form->minutes * MINSECS;
-                }
-                else {
-                    $form->timeduration = 0;
-                }
-
+                // validate form and set error if any.
                 validate_form($form, $err);
 
                 if (count($err) == 0) {
@@ -194,27 +179,13 @@
             $title = get_string('newevent', 'calendar');
             $form = data_submitted();
             if(!empty($form) && !empty($form->name) && confirm_sesskey()) {
-
-                $form->name = clean_text(strip_tags($form->name, '<lang><span>'));
-
-                $form->timestart = make_timestamp($form->startyr, $form->startmon, $form->startday, $form->starthr, $form->startmin);
-                if($form->duration == 1) {
-                    $form->timeduration = make_timestamp($form->endyr, $form->endmon, $form->endday, $form->endhr, $form->endmin) - $form->timestart;
-                    if($form->timeduration < 0) {
-                        $form->timeduration = 0;
-                    }
-                }
-                else if ($form->duration == 2) {
-                    $form->timeduration = $form->minutes * MINSECS;
-                }
-                else {
-                    $form->timeduration = 0;
-                }
-                if(!calendar_add_event_allowed($form)) {
-                    error('You are not authorized to do this');
-                }
+                // validate form and set error if any.
                 validate_form($form, $err);
+
                 if (count($err) == 0) {
+                    if (!calendar_add_event_allowed($form)) {
+                        error('You are not authorized to do this');
+                    }
                     $form->timemodified = time();
 
                     /// Get the event id for the log record.
@@ -568,11 +539,44 @@
 
 
 function validate_form(&$form, &$err) {
+    $cleanform = new stdClass();
+    //first clean the form values
+    $cleanform->name = clean_param(strip_tags(trim($form->name), '<lang><span>'),PARAM_CLEAN);
+    $cleanform->description = addslashes(clean_param($form->description, PARAM_CLEANHTML));
+    $cleanform->duration = clean_param($form->duration, PARAM_INT);
+    $cleanform->startmon = clean_param($form->startmon, PARAM_INT);
+    $cleanform->startday = clean_param($form->startday, PARAM_INT);
+    $cleanform->startyr = clean_param($form->startyr, PARAM_INT);
+    $cleanform->starthr = clean_param($form->starthr, PARAM_INT);
+    $cleanform->startmin = clean_param($form->startmin, PARAM_INT);
+    $cleanform->endmon = clean_param($form->endmon, PARAM_INT);
+    $cleanform->endday = clean_param($form->endday, PARAM_INT);
+    $cleanform->endyr = clean_param($form->endyr, PARAM_INT);
+    $cleanform->endhr = clean_param($form->endhr, PARAM_INT);
+    $cleanform->endmin = clean_param($form->endmin, PARAM_INT);
+    $cleanform->minutes = clean_param($form->minutes, PARAM_INT);
+    $cleanform->courseid = clean_param($form->courseid, PARAM_INT);
+    $cleanform->format = clean_param($form->format, PARAM_INT);
+    $cleanform->course = clean_param($form->course, PARAM_INT);
+    $cleanform->action = clean_param($form->action, PARAM_ALPHA);
+
+    // These values are only required for new event.
+    if ($cleanform->action === 'new') {
+        $cleanform->repeat = clean_param($form->repeat, PARAM_INT);
+        $cleanform->repeats = clean_param($form->repeats, PARAM_INT);
+        $cleanform->groupid = clean_param($form->groupid, PARAM_INT);
+        $cleanform->userid = clean_param($form->userid, PARAM_INT);
+        $cleanform->modulename = clean_param($form->modulename, PARAM_SAFEDIR);
+        $cleanform->eventtype = clean_param($form->eventtype, PARAM_ALPHA);
+        $cleanform->instance = clean_param($form->instance, PARAM_INT);
+        $cleanform->type = clean_param($form->type, PARAM_ALPHA);
+    } else {
+        $cleanform->id = clean_param($form->id, PARAM_INT);
+    }
+    // set form with clean and valid values only.
+    $form = $cleanform;
 
-    $form->name = trim($form->name);
-    $form->description = trim($form->description);
-
-    if(empty($form->name)) {
+    if (empty($form->name)) {
         $err['name'] = get_string('errornoeventname', 'calendar');
     }
 /* Allow events without a description
@@ -580,28 +584,53 @@ function validate_form(&$form, &$err) {
         $err['description'] = get_string('errornodescription', 'calendar');
     }
 */
-    if(!checkdate($form->startmon, $form->startday, $form->startyr)) {
+    if (!checkdate($form->startmon, $form->startday, $form->startyr)) {
         $err['timestart'] = get_string('errorinvaliddate', 'calendar');
     }
-    if($form->duration == 2 and !checkdate($form->endmon, $form->endday, $form->endyr)) {
+    if ($form->duration == 1 and !checkdate($form->endmon, $form->endday, $form->endyr)) {
         $err['timeduration'] = get_string('errorinvaliddate', 'calendar');
     }
-    if($form->duration == 2 and !($form->minutes > 0 and $form->minutes < 1000)) {
+    if ($form->duration == 2 and !($form->minutes > 0 and $form->minutes < 1000)) {
         $err['minutes'] = get_string('errorinvalidminutes', 'calendar');
     }
     if (!empty($form->repeat) and !($form->repeats > 1 and $form->repeats < 100)) {
         $err['repeats'] = get_string('errorinvalidrepeats', 'calendar');
     }
-    if(!empty($form->courseid)) {
+
+    // set start time and duration
+    $form->timestart = make_timestamp($form->startyr, $form->startmon, $form->startday, $form->starthr, $form->startmin);
+    if ($form->duration == 1) {
+        $form->timeduration = make_timestamp($form->endyr, $form->endmon, $form->endday, $form->endhr, $form->endmin) - $form->timestart;
+        // Duration should be set for time in future.
+        if ($form->timeduration <= 0) {
+            $err['timeduration'] = get_string('errorinvaliddate', 'calendar');
+            $form->timeduration = 0;
+        }
+    }
+    else if ($form->duration == 2) {
+        $form->timeduration = $form->minutes * MINSECS;
+    }
+    else {
+        $form->timeduration = 0;
+    }
+
+    if (!empty($form->courseid)) {
         // Timestamps must be >= course startdate
         $course = get_record('course', 'id', $form->courseid);
-        if($course === false) {
+        if ($course === false) {
             error('Event belongs to invalid course');
         }
         else if($form->timestart < $course->startdate) {
             $err['timestart'] = get_string('errorbeforecoursestart', 'calendar');
         }
     }
+    if (!empty($form->modulename)) {
+        // Check that passed modulename actually exists (possible SQL Injection route)
+        $module = get_record('modules', 'name', $form->modulename);
+        if ($module === false) {
+            error('Invalid module name');
+        }
+    }
 }
 
 function calendar_add_event_allowed($event) {
commit 4928e13799ad344bc7babba93a28ae77a830080f
Author: Rossiani Wijaya <rwijaya@moodle.com>
Date:   Mon Apr 30 17:07:15 2012 +0800

    MDL-18335 calendar event: fixed role capability checking to create new event

diff --git a/calendar/lib.php b/calendar/lib.php
index 7c575d4..a927b6b 100644
--- a/calendar/lib.php
+++ b/calendar/lib.php
@@ -1582,6 +1582,7 @@ function calendar_get_allowed_types(&$allowed) {
     if(!empty($SESSION->cal_course_referer) && $SESSION->cal_course_referer != SITEID) {
         $course = get_record('course', 'id', $SESSION->cal_course_referer);
         $coursecontext = get_context_instance(CONTEXT_COURSE, $SESSION->cal_course_referer);
+        $allowed->user = has_capability('moodle/calendar:manageownentries', $coursecontext);
 
         if(has_capability('moodle/calendar:manageentries', $coursecontext)) {
             $allowed->courses = array($course->id => 1);
