Bug#698245: unblock: moodle/2.2.3.dfsg-2.6~wheezy2
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal
Please unblock package moodle
I am about to upload a new version of the package to
testing-proposed-updates. The new version backports security fixes from the
upstream Moodle 2.2.7 release.
diff -Nru moodle-2.2.3.dfsg/debian/changelog
moodle-2.2.3.dfsg/debian/changelog
--- moodle-2.2.3.dfsg/debian/changelog 2012-12-31 18:26:26.000000000 +0100
+++ moodle-2.2.3.dfsg/debian/changelog 2013-01-15 22:29:57.000000000 +0100
@@ -1,3 +1,17 @@
+moodle (2.2.3.dfsg-2.6~wheezy2) testing-proposed-updates; urgency=low
+
+ * Backport security issues from upstream Moodle 2.2.7.
+ * MSA-13-0009: MDL-37467 - blog posts available via RSS after
blogging disabled
+ * MSA-13-0007: MDL-36600 - course message sending CSRF
+ * MSA-13-0001: MDL-37283 - lack of sanitization for google spellchecker
+ * MSA-13-0003: MDL-36977 - moodle backup paths not validated properly
+ * MSA-13-0002: MDL-27619 - teachers can set outcomes to be standard
when re-editing
+ * MSA-13-0004: MDL-33340 - activity report showing lastaccess even
if field hidden
+ * MSA-13-0008: MDL-36620 - guest users can access RSS feed for site
level blogs
+ * MSA-13-0005: MDL-35991 - open redirect issues
+
+ -- Tomasz Muras <nexor1984@gmail.com> Tue, 15 Jan 2013 20:43:50 +0100
+
moodle (2.2.3.dfsg-2.6~wheezy1) testing-proposed-updates; urgency=low
* Fix possible security issue for curl in 3rd party libraries:
diff -Nru
moodle-2.2.3.dfsg/debian/patches/0022-MDL-27619-teachers-can-set-outcomes-to-be-standard-when-re-editing.patch
moodle-2.2.3.dfsg/debian/patches/0022-MDL-27619-teachers-can-set-outcomes-to-be-standard-when-re-editing.patch
---
moodle-2.2.3.dfsg/debian/patches/0022-MDL-27619-teachers-can-set-outcomes-to-be-standard-when-re-editing.patch
1970-01-01 01:00:00.000000000 +0100
+++
moodle-2.2.3.dfsg/debian/patches/0022-MDL-27619-teachers-can-set-outcomes-to-be-standard-when-re-editing.patch
2013-01-14 22:35:55.000000000 +0100
@@ -0,0 +1,21 @@
+commit 8c27cc95349a6cce073651ebbff9b44394d4ecb7
+Author: Paul Nicholls <paul.nicholls@canterbury.ac.nz>
+Date: Mon Aug 13 12:51:30 2012 +1200
+
+ MDL-27619: Prevent teachers from turning course Outcomes into
site-wide ones
+
+ Similar to the issue which allowed teachers to create site-wide
scales by editing a course-specific scale (MDL-24682), teachers could
also promote a course-specific scale to a site-wide (standard) by
editing it. As with MDL-24682, removing the course ID check (leaving
just the capability check) prevents this unauthorised creation of
site-wide (standard) outcomes.
+
+diff --git a/grade/edit/outcome/edit_form.php
b/grade/edit/outcome/edit_form.php
+index 6c1893e..a283f40 100644
+--- a/grade/edit/outcome/edit_form.php
++++ b/grade/edit/outcome/edit_form.php
+@@ -114,7 +114,7 @@ class edit_outcome_form extends moodleform {
+ if (empty($courseid)) {
+ $mform->hardFreeze('standard');
+
+- } else if (empty($outcome->courseid) and
!has_capability('moodle/grade:manage',
get_context_instance(CONTEXT_SYSTEM))) {
++ } else if (!has_capability('moodle/grade:manage',
get_context_instance(CONTEXT_SYSTEM))) {
+ $mform->hardFreeze('standard');
+
+ } else if ($coursecount and empty($outcome->courseid)) {
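Review bot: The new `else if` relies on `$mform->hardFreeze('standard')` alone to keep a teacher from submitting `standard=1`; whether formslib really discards a submitted value for a frozen checkbox is not visible here, so the save handler in `grade/edit/outcome/edit.php` should also check `has_capability('moodle/grade:manage', get_context_instance(CONTEXT_SYSTEM))` before honouring a submitted `standard` flag (or clear the flag when the check fails). Dropping `empty($outcome->courseid)` from the condition is the right call: a course outcome being re-edited must get the same freeze as a new one, which is the whole point of the fix. The enclosing method (presumably `definition()`) of `edit_outcome_form` starts and ends outside the hunk.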
diff -Nru
moodle-2.2.3.dfsg/debian/patches/0023-MDL-33340-activity-report-showing-lastaccess-even-if-it-is-a-hidden-field.patch
moodle-2.2.3.dfsg/debian/patches/0023-MDL-33340-activity-report-showing-lastaccess-even-if-it-is-a-hidden-field.patch
---
moodle-2.2.3.dfsg/debian/patches/0023-MDL-33340-activity-report-showing-lastaccess-even-if-it-is-a-hidden-field.patch
1970-01-01 01:00:00.000000000 +0100
+++
moodle-2.2.3.dfsg/debian/patches/0023-MDL-33340-activity-report-showing-lastaccess-even-if-it-is-a-hidden-field.patch
2013-01-14 22:35:58.000000000 +0100
@@ -0,0 +1,21 @@
+commit 53459511a96871583f6ed21517372b9bf4cbd96a
+Author: Ankit Agarwal <ankit@moodle.com>
+Date: Mon Jun 25 14:10:42 2012 +0800
+
+ MDL-33340 completion: Incorrect logic in hidden field check
+
+ Credit to Jody Steele
+
+diff --git a/report/outline/index.php b/report/outline/index.php
+index c7abae3..7c82e66 100644
+--- a/report/outline/index.php
++++ b/report/outline/index.php
+@@ -42,7 +42,7 @@ add_to_log($course->id, 'course', 'report outline',
"report/outline/index.php?id
+ $showlastaccess = true;
+ $hiddenfields = explode(',', $CFG->hiddenuserfields);
+
+-if (array_search('lastaccess', $hiddenfields) and
!has_capability('moodle/user:viewhiddendetails', $context)) {
++if (array_search('lastaccess', $hiddenfields) !== false and
!has_capability('moodle/user:viewhiddendetails', $context)) {
+ $showlastaccess = false;
+ }
+
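Review bot: The corrected test `array_search('lastaccess', $hiddenfields) !== false` is right, but it still reads as a position lookup; `in_array('lastaccess', $hiddenfields, true)` states the intent (membership) directly and has none of the index-0-is-falsy ambiguity that caused this bug. Also `explode(',', $CFG->hiddenuserfields)` keeps any surrounding whitespace, so a value stored as `lastaccess, city` would not match; `array_map('trim', explode(',', $CFG->hiddenuserfields))` would be more robust, though if the admin setting never writes spaces this is outside the scope of the security fix. `$context` and `$course` are set outside the hunk.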
diff -Nru
moodle-2.2.3.dfsg/debian/patches/0024-MDL-35991_1-open-redirect-issues.patch
moodle-2.2.3.dfsg/debian/patches/0024-MDL-35991_1-open-redirect-issues.patch
---
moodle-2.2.3.dfsg/debian/patches/0024-MDL-35991_1-open-redirect-issues.patch
1970-01-01 01:00:00.000000000 +0100
+++
moodle-2.2.3.dfsg/debian/patches/0024-MDL-35991_1-open-redirect-issues.patch
2013-01-14 22:36:10.000000000 +0100
@@ -0,0 +1,81 @@
+commit b0f20bc995229d7f8eebf287759a2a2a65a2cbfa
+Author: Simon Coggins <simon.coggins@totaralms.com>
+Date: Mon Jan 7 10:09:20 2013 +0800
+
+ MDL-35991 - use PARAM_LOCALURL for local urls
+
+ Conflicts:
+ user/files.php
+
+diff --git a/backup/backupfilesedit.php b/backup/backupfilesedit.php
+index 0059bbc..67e72a0 100644
+--- a/backup/backupfilesedit.php
++++ b/backup/backupfilesedit.php
+@@ -33,7 +33,7 @@ $currentcontext = required_param('currentcontext',
PARAM_INT);
+ // file parameters
+ $component = optional_param('component', null, PARAM_COMPONENT);
+ $filearea = optional_param('filearea', null, PARAM_AREA);
+-$returnurl = optional_param('returnurl', null, PARAM_URL);
++$returnurl = optional_param('returnurl', null, PARAM_LOCALURL);
+
+ list($context, $course, $cm) = get_context_info_array($currentcontext);
+ $filecontext = get_context_instance_by_id($contextid);
+diff --git a/comment/comment_post.php b/comment/comment_post.php
+index 4e852b4..323a2da 100644
+--- a/comment/comment_post.php
++++ b/comment/comment_post.php
+@@ -34,7 +34,7 @@ $action = optional_param('action', '',
PARAM_ALPHA);
+ $area = optional_param('area', '', PARAM_AREA);
+ $content = optional_param('content', '', PARAM_RAW);
+ $itemid = optional_param('itemid', '', PARAM_INT);
+-$returnurl = optional_param('returnurl', '/', PARAM_URL);
++$returnurl = optional_param('returnurl', '/', PARAM_LOCALURL);
+ $component = optional_param('component', '', PARAM_COMPONENT);
+
+ // Currently this script can only add comments
+diff --git a/course/switchrole.php b/course/switchrole.php
+index 12cba20..dc387fb 100644
+--- a/course/switchrole.php
++++ b/course/switchrole.php
+@@ -35,7 +35,7 @@ require_once($CFG->dirroot.'/course/lib.php');
+
+ $id = required_param('id', PARAM_INT);
+ $switchrole = optional_param('switchrole',-1, PARAM_INT);
+-$returnurl = optional_param('returnurl', false, PARAM_URL);
++$returnurl = optional_param('returnurl', false, PARAM_LOCALURL);
+
+ $PAGE->set_url('/course/switchrole.php', array('id'=>$id));
+
+@@ -86,4 +86,4 @@ if ($returnurl === false) {
+ $returnurl = new moodle_url('/course/view.php', array('id' =>
$course->id));
+ }
+
+-redirect($returnurl);
+\ No newline at end of file
++redirect($returnurl);
+diff --git a/mod/wiki/filesedit.php b/mod/wiki/filesedit.php
+index 0982095..f9e27fc 100644
+--- a/mod/wiki/filesedit.php
++++ b/mod/wiki/filesedit.php
+@@ -31,7 +31,7 @@ require_once("$CFG->dirroot/repository/lib.php");
+ $subwikiid = required_param('subwiki', PARAM_INT);
+ // not being used for file management, we use it to generate navbar link
+ $pageid = optional_param('pageid', 0, PARAM_INT);
+-$returnurl = optional_param('returnurl', '', PARAM_URL);
++$returnurl = optional_param('returnurl', '', PARAM_LOCALURL);
+
+ if (!$subwiki = wiki_get_subwiki($subwikiid)) {
+ print_error('incorrectsubwikiid', 'wiki');
+diff --git a/tag/coursetags_add.php b/tag/coursetags_add.php
+index e5c316a..627e601 100644
+--- a/tag/coursetags_add.php
++++ b/tag/coursetags_add.php
+@@ -15,7 +15,7 @@ if (empty($CFG->usetags)) {
+ print_error('tagsaredisabled', 'tag');
+ }
+
+-$returnurl = optional_param('returnurl', null, PARAM_TEXT);
++$returnurl = optional_param('returnurl', null, PARAM_LOCALURL);
+ $keyword = optional_param('coursetag_new_tag', '', PARAM_TEXT);
+ $courseid = optional_param('entryid', 0, PARAM_INT);
+ $userid = optional_param('userid', 0, PARAM_INT);
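Review bot: In `course/switchrole.php` the fallback `if ($returnurl === false)` in the second inner hunk no longer catches a rejected value: `optional_param()` returns the raw default `false` only when the parameter is absent, while `clean_param(..., PARAM_LOCALURL)` turns an off-site URL into an empty string as far as I recall, so an attacker-supplied external URL now ends in `redirect('')` rather than the course page; `if (empty($returnurl)) {` falls back correctly in both cases and mirrors the `empty($returnurl)` check already used in `user/filesedit.php`. Separately, if this tree's `clean_param()` accepts any root-relative value by testing only for a leading `/`, a scheme-relative `//attacker.example/` still passes PARAM_LOCALURL and still redirects off-site, so that branch is worth verifying (and a `//` prefix rejected) while this fix is being backported. The code of each script between the shown lines is not visible here.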
diff -Nru
moodle-2.2.3.dfsg/debian/patches/0025-MDL-35991_2-open-redirect-issues.patch
moodle-2.2.3.dfsg/debian/patches/0025-MDL-35991_2-open-redirect-issues.patch
---
moodle-2.2.3.dfsg/debian/patches/0025-MDL-35991_2-open-redirect-issues.patch
1970-01-01 01:00:00.000000000 +0100
+++
moodle-2.2.3.dfsg/debian/patches/0025-MDL-35991_2-open-redirect-issues.patch
2013-01-14 22:36:10.000000000 +0100
@@ -0,0 +1,21 @@
+commit ac7efafb83b50b8c480a8a4a4097c3e7f75cd701
+Author: Dan Poltawski <dan@moodle.com>
+Date: Thu Jan 10 09:46:03 2013 +0800
+
+ MDL-35991 - fix incorrect returnurl type
+
+ good catch, Adrian!
+
+diff --git a/user/filesedit.php b/user/filesedit.php
+index afc4d16..ac1d0ef 100644
+--- a/user/filesedit.php
++++ b/user/filesedit.php
+@@ -32,7 +32,7 @@ if (isguestuser()) {
+ die();
+ }
+
+-$returnurl = optional_param('returnurl', '', PARAM_URL);
++$returnurl = optional_param('returnurl', '', PARAM_LOCALURL);
+
+ if (empty($returnurl)) {
+ $returnurl = new moodle_url('/user/filesedit.php');
diff -Nru
moodle-2.2.3.dfsg/debian/patches/0026-MDL-36600_1-course-message-sending-can-be-exploited-by-CSRF.patch
moodle-2.2.3.dfsg/debian/patches/0026-MDL-36600_1-course-message-sending-can-be-exploited-by-CSRF.patch
---
moodle-2.2.3.dfsg/debian/patches/0026-MDL-36600_1-course-message-sending-can-be-exploited-by-CSRF.patch
1970-01-01 01:00:00.000000000 +0100
+++
moodle-2.2.3.dfsg/debian/patches/0026-MDL-36600_1-course-message-sending-can-be-exploited-by-CSRF.patch
2013-01-14 22:35:42.000000000 +0100
@@ -0,0 +1,45 @@
+commit deaaa6f62f4ed3b8d9868ce8f8ce4b830f02af66
+Author: Andrew Robert Nicols <andrew.nicols@luns.net.uk>
+Date: Wed Jan 9 09:23:07 2013 +1300
+
+ MDL-36600 user: improve course messaging checks
+
+diff --git a/user/message.html b/user/message.html
+index 6426111..9446751 100644
+--- a/user/message.html
++++ b/user/message.html
+@@ -1,5 +1,6 @@
+ <form id="theform" method="post" action="messageselect.php">
+ <input type="hidden" name="id" value="<?php p($id) ?>" />
++<input type="hidden" name="sesskey" value="<?php echo sesskey() ?>" />
+ <input type="hidden" name="returnto" value="<?php p($returnto) ?>" />
+ <input type="hidden" name="deluser" value="" />
+ <?php echo $OUTPUT->box_start(); ?>
+diff --git a/user/messageselect.php b/user/messageselect.php
+index d54d26d..e7cca96 100644
+--- a/user/messageselect.php
++++ b/user/messageselect.php
+@@ -91,7 +91,7 @@ $messagebody = $SESSION->emailselect[$id]['messagebody'];
+
+ $count = 0;
+
+-if ($data = data_submitted()) {
++if (($data = data_submitted()) && confirm_sesskey()) {
+ foreach ($data as $k => $v) {
+ if (preg_match('/^(user|teacher)(\d+)$/',$k,$m)) {
+ if (!array_key_exists($m[2],$SESSION->emailto[$id])) {
+@@ -136,12 +136,13 @@ if (!empty($messagebody) && !$edit && !$deluser
&& ($preview || $send)) {
+ <input type="hidden" name="returnto" value="'.s($returnto).'" />
+ <input type="hidden" name="id" value="'.$id.'" />
+ <input type="hidden" name="format" value="'.$format.'" />
++<input type="hidden" name="sesskey" value="' . sesskey() . '" />
+ ';
+ echo "<h3>".get_string('previewhtml')."</h3><div
class=\"messagepreview\">\n".format_text($messagebody,$format)."\n</div>\n";
+ echo '<p align="center"><input type="submit" name="send"
value="'.get_string('sendmessage', 'message').'" />'."\n";
+ echo '<input type="submit" name="edit"
value="'.get_string('update').'" /></p>';
+ echo "\n</form>";
+- } else if (!empty($send)) {
++ } else if (!empty($send) && require_sesskey()) {
+ $good = 1;
+ foreach ($SESSION->emailto[$id] as $user) {
+ $good = $good &&
message_post_message($USER,$user,$messagebody,$format);
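Review bot: `} else if (!empty($send) && require_sesskey()) {` can never enter the send branch: `require_sesskey()` terminates the request via `print_error()` on failure and otherwise returns nothing (null, as far as I recall), so the `&&` is always false and messages are silently never sent when this patch is applied on its own; the statement form `require_sesskey();` on its own line before the branch is what is needed. The next patch in the series (0027) makes exactly that change, so 0026 must never be applied without 0027 — worth a line in this patch's header, or folding the two into one patch. The `confirm_sesskey()` test on `data_submitted()` has the mirror-image weakness: a forged POST is silently ignored rather than rejected with an error, which 0027 also addresses. The surrounding flow of `messageselect.php` (`$id`, `$SESSION->emailto`) lies outside the hunk.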
diff -Nru
moodle-2.2.3.dfsg/debian/patches/0027-MDL-36600_2-course-message-sending-can-be-exploited-by-CSRF.patch
moodle-2.2.3.dfsg/debian/patches/0027-MDL-36600_2-course-message-sending-can-be-exploited-by-CSRF.patch
---
moodle-2.2.3.dfsg/debian/patches/0027-MDL-36600_2-course-message-sending-can-be-exploited-by-CSRF.patch
1970-01-01 01:00:00.000000000 +0100
+++
moodle-2.2.3.dfsg/debian/patches/0027-MDL-36600_2-course-message-sending-can-be-exploited-by-CSRF.patch
2013-01-14 22:35:42.000000000 +0100
@@ -0,0 +1,45 @@
+commit c7fbbf73e3f501d4247989a0667871ceefaf4ac1
+Author: Andrew Robert Nicols <andrew.nicols@luns.net.uk>
+Date: Wed Jan 9 08:35:02 2013 +0000
+
+ MDL-36600 Add missing sesskey check when previewing the message
+
+diff --git a/user/messageselect.php b/user/messageselect.php
+index e7cca96..01de42d 100644
+--- a/user/messageselect.php
++++ b/user/messageselect.php
+@@ -91,7 +91,8 @@ $messagebody = $SESSION->emailselect[$id]['messagebody'];
+
+ $count = 0;
+
+-if (($data = data_submitted()) && confirm_sesskey()) {
++if ($data = data_submitted()) {
++ require_sesskey();
+ foreach ($data as $k => $v) {
+ if (preg_match('/^(user|teacher)(\d+)$/',$k,$m)) {
+ if (!array_key_exists($m[2],$SESSION->emailto[$id])) {
+@@ -130,6 +131,7 @@ if ($count) {
+ }
+
+ if (!empty($messagebody) && !$edit && !$deluser && ($preview || $send)) {
++ require_sesskey();
+ if (count($SESSION->emailto[$id])) {
+ if (!empty($preview)) {
+ echo '<form method="post" action="messageselect.php"
style="margin: 0 20px;">
+@@ -142,7 +144,7 @@ if (!empty($messagebody) && !$edit && !$deluser &&
($preview || $send)) {
+ echo '<p align="center"><input type="submit" name="send"
value="'.get_string('sendmessage', 'message').'" />'."\n";
+ echo '<input type="submit" name="edit"
value="'.get_string('update').'" /></p>';
+ echo "\n</form>";
+- } else if (!empty($send) && require_sesskey()) {
++ } else if (!empty($send)) {
+ $good = 1;
+ foreach ($SESSION->emailto[$id] as $user) {
+ $good = $good &&
message_post_message($USER,$user,$messagebody,$format);
+@@ -170,6 +172,7 @@ if ((!empty($send) || !empty($preview) ||
!empty($edit)) && (empty($messagebody)
+ }
+
+ if (count($SESSION->emailto[$id])) {
++ require_sesskey();
+ $usehtmleditor = can_use_html_editor();
+ require("message.html");
+ }
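Review bot: The `require_sesskey();` added before `require("message.html");` in the last inner hunk gates the initial rendering of the compose form, not just its submission, so the page is only reachable when the request arriving from the participants list already carries a valid sesskey; if the participant form in `user/index.php` (not shown) does not post `sesskey`, teachers will hit `invalidsesskey` on entry, so that form should be checked as part of this backport. The `require_sesskey();` before the preview/send block is not redundant with the one under `if ($data = data_submitted())` — as far as I recall `data_submitted()` is false for a request with no POST body, so `preview`/`send` via GET would otherwise skip the check — and a comment such as `// Also covers GET requests that carry preview/send.` would stop a later cleanup from removing it. The enclosing script continues outside the hunk.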
diff -Nru
moodle-2.2.3.dfsg/debian/patches/0028-MDL-36620-guest-users-can-access-RSS-feed-for-site-level-blogs.patch
moodle-2.2.3.dfsg/debian/patches/0028-MDL-36620-guest-users-can-access-RSS-feed-for-site-level-blogs.patch
---
moodle-2.2.3.dfsg/debian/patches/0028-MDL-36620-guest-users-can-access-RSS-feed-for-site-level-blogs.patch
1970-01-01 01:00:00.000000000 +0100
+++
moodle-2.2.3.dfsg/debian/patches/0028-MDL-36620-guest-users-can-access-RSS-feed-for-site-level-blogs.patch
2013-01-14 22:36:04.000000000 +0100
@@ -0,0 +1,27 @@
+commit 591b34218c9ab95cf137987f0bb8d4e60e28936a
+Author: Jason Fowler <phalacee@gmail.com>
+Date: Thu Nov 22 15:44:27 2012 +0800
+
+ MDL-36620 - Blog, RSS - Preventing Guests from viewing the RSS of
site level blogs
+
+ Conflicts:
+ blog/rsslib.php
+
+diff --git a/blog/rsslib.php b/blog/rsslib.php
+index 6ba735d..f02a0f3 100644
+--- a/blog/rsslib.php
++++ b/blog/rsslib.php
+@@ -109,6 +109,13 @@ function blog_rss_get_feed($context, $args) {
+ return '';
+ }
+
++ if ($CFG->bloglevel == BLOG_SITE_LEVEL) {
++ if (isguestuser()) {
++ debugging(get_string('nopermissiontoshow','error'));
++ return '';
++ }
++ }
++
+ $sitecontext = get_context_instance(CONTEXT_SYSTEM);
+ if (!has_capability('moodle/blog:view', $sitecontext)) {
+ return null;
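Review bot: The two nested `if`s can be one condition, `if ($CFG->bloglevel == BLOG_SITE_LEVEL && isguestuser()) {`, which reads as the single rule it is; keep the loose `==`, since `$CFG->bloglevel` arrives from config as a string. The denial returns `''` while the capability check immediately below returns `null` for the same "no feed" outcome, so callers must treat both as falsy — one value, with a comment stating that `''`/`null` both mean "no feed", would be clearer. `isguestuser()` is false for a not-logged-in user (id 0) as far as I recall, so this check relies on the RSS token having already established the guest account as `$USER`; worth confirming against `rss/file.php`. `blog_rss_get_feed()` continues outside the hunk.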
diff -Nru
moodle-2.2.3.dfsg/debian/patches/0029-MDL-36977-moodle1-backup-converter-path-not-properly-validated.patch
moodle-2.2.3.dfsg/debian/patches/0029-MDL-36977-moodle1-backup-converter-path-not-properly-validated.patch
---
moodle-2.2.3.dfsg/debian/patches/0029-MDL-36977-moodle1-backup-converter-path-not-properly-validated.patch
1970-01-01 01:00:00.000000000 +0100
+++
moodle-2.2.3.dfsg/debian/patches/0029-MDL-36977-moodle1-backup-converter-path-not-properly-validated.patch
2013-01-14 23:59:31.000000000 +0100
@@ -0,0 +1,36 @@
+commit 890066d6dca6930bc37cf838c756b6108c1def0f
+Author: David Mudrák <david@moodle.com>
+Date: Mon Jan 7 22:21:08 2013 +0100
+
+ MDL-36977 Be more picky when it comes to migrating files in moodle1
backups
+
+Patch could not be cherry-picked cleanly from upstream git - the first
hunk was
+modified by the maintainer (Tomasz Muras).
+
+diff --git a/backup/converter/moodle1/lib.php
b/backup/converter/moodle1/lib.php
+index 86e2026..8f7fba4 100644
+--- a/backup/converter/moodle1/lib.php
++++ b/backup/converter/moodle1/lib.php
+@@ -640,7 +640,10 @@ class moodle1_converter extends base_converter {
+ return $files;
+ }
+ foreach ($matches[2] as $match) {
+- $files[] = str_replace(array('$@FILEPHP@$', '$@SLASH@$',
'$@FORCEDOWNLOAD@$'), array('', '/', ''), $match);
++ $file = str_replace(array('$@FILEPHP@$', '$@SLASH@$',
'$@FORCEDOWNLOAD@$'), array('', '/', ''), $match);
++ if ($file === clean_param($file, PARAM_PATH)) {
++ $files[] = rawurldecode($file);
++ }
+ }
+
+ return array_unique($files);
+@@ -1205,6 +1208,10 @@ class moodle1_file_manager implements loggable {
+
+ $sourcefullpath = $this->basepath.'/'.$sourcepath;
+
++ if ($sourcefullpath !== clean_param($sourcefullpath,
PARAM_PATH)) {
++ throw new moodle1_convert_exception('file_invalid_path',
$sourcefullpath);
++ }
++
+ if (!is_readable($sourcefullpath)) {
+ throw new moodle1_convert_exception('file_not_readable',
$sourcefullpath);
+ }
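Review bot: In the first inner hunk the path is validated before it is decoded: `clean_param($file, PARAM_PATH)` strips literal `..`, but as far as I can tell it leaves `%` alone, so `%2e%2e/` passes the comparison and only then becomes `../` in `rawurldecode($file)`. Decode first and validate the decoded value: `$file = rawurldecode($file); if ($file === clean_param($file, PARAM_PATH)) { $files[] = $file; }`. The second inner hunk re-checks `$sourcefullpath` at the point of reading, which should catch such a path anyway, so this is belt-and-braces rather than a hole — but the first check is what filters the list, and this maintainer-modified hunk (see the header note) is the one most likely to drift from upstream. Both enclosing methods start outside the hunk.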
diff -Nru
moodle-2.2.3.dfsg/debian/patches/0030-MDL-37283-import-tinymce-spellchecker-2.0.6.1.patch
moodle-2.2.3.dfsg/debian/patches/0030-MDL-37283-import-tinymce-spellchecker-2.0.6.1.patch
---
moodle-2.2.3.dfsg/debian/patches/0030-MDL-37283-import-tinymce-spellchecker-2.0.6.1.patch
1970-01-01 01:00:00.000000000 +0100
+++
moodle-2.2.3.dfsg/debian/patches/0030-MDL-37283-import-tinymce-spellchecker-2.0.6.1.patch
2013-01-14 22:35:47.000000000 +0100
@@ -0,0 +1,29 @@
+commit 6fac8f7f04c9fe7f8bbb54a9c00ec5f9ea4f09e0
+Author: Petr Škoda <commits@skodak.org>
+Date: Sat Dec 22 16:50:09 2012 +0100
+
+ MDL-37283 import tinymce spellchecker 2.0.6.1
+
+diff --git
a/lib/editor/tinymce/tiny_mce/3.4.9/plugins/spellchecker/changelog.txt
b/lib/editor/tinymce/tiny_mce/3.4.9/plugins/spellchecker/changelog.txt
+index f41ec7f..9c22855 100644
+--- a/lib/editor/tinymce/tiny_mce/3.4.9/plugins/spellchecker/changelog.txt
++++ b/lib/editor/tinymce/tiny_mce/3.4.9/plugins/spellchecker/changelog.txt
+@@ -1,3 +1,5 @@
++Version 2.0.6.1 (2012-11-16)
++ Fixed security issue with google spellchecker.
+ Version 2.0.6 (2011-09-29)
+ Fixed incorrect position of suggestion menu.
+ Fixed handling of mispelled words with no suggestions in PSpellShell
engine.
+diff --git
a/lib/editor/tinymce/tiny_mce/3.4.9/plugins/spellchecker/classes/GoogleSpell.php
b/lib/editor/tinymce/tiny_mce/3.4.9/plugins/spellchecker/classes/GoogleSpell.php
+index e2526e3..559153a 100644
+---
a/lib/editor/tinymce/tiny_mce/3.4.9/plugins/spellchecker/classes/GoogleSpell.php
++++
b/lib/editor/tinymce/tiny_mce/3.4.9/plugins/spellchecker/classes/GoogleSpell.php
+@@ -51,6 +51,8 @@ class GoogleSpell extends SpellChecker {
+ }
+
+ function &_getMatches($lang, $str) {
++ $lang = preg_replace('/[^a-z\-]/i', '', $lang); // Sanitize, remove
everything but a-z or -
++ $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str); // Sanitize,
remove all control characters
+ $server = "www.google.com";
+ $port = 443;
+ $path = "/tbproxy/spell?lang=" . $lang . "&hl=en";
diff -Nru
moodle-2.2.3.dfsg/debian/patches/0031-MDL-37467-blog-posts-still-available-via-RSS-even-after-the-blogging-is-disabled.patch
moodle-2.2.3.dfsg/debian/patches/0031-MDL-37467-blog-posts-still-available-via-RSS-even-after-the-blogging-is-disabled.patch
---
moodle-2.2.3.dfsg/debian/patches/0031-MDL-37467-blog-posts-still-available-via-RSS-even-after-the-blogging-is-disabled.patch
1970-01-01 01:00:00.000000000 +0100
+++
moodle-2.2.3.dfsg/debian/patches/0031-MDL-37467-blog-posts-still-available-via-RSS-even-after-the-blogging-is-disabled.patch
2013-01-14 22:27:53.000000000 +0100
@@ -0,0 +1,22 @@
+commit 52f9e3ee5646e777cc09149e3aea55a3255b2ca4
+Author: David Mudrák <david@moodle.com>
+Date: Thu Jan 10 16:57:10 2013 +0100
+
+ MDL-37467 Do not provide blog posts via RSS when blogging is disabled
+
+diff --git a/blog/rsslib.php b/blog/rsslib.php
+index f02a0f3..f5b8e31 100644
+--- a/blog/rsslib.php
++++ b/blog/rsslib.php
+@@ -104,6 +104,11 @@ function blog_rss_get_params($filters) {
+ function blog_rss_get_feed($context, $args) {
+ global $CFG, $SITE, $DB;
+
++ if (empty($CFG->bloglevel)) {
++ debugging('Blogging disabled on this site, RSS feeds are not
available');
++ return null;
++ }
++
+ if (empty($CFG->enablerssfeeds)) {
+ debugging('Sorry, RSS feeds are disabled on this site');
+ return '';
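Review bot: The new guard returns `null` while the `enablerssfeeds` guard right below it returns `''` for the same "no feed" outcome; pick one and document it, e.g. `// No feed may be served: callers must treat '' and null alike.` Checking `bloglevel` before `enablerssfeeds` is the right order, since a disabled blog must win regardless of RSS settings, and the hard-coded English `debugging()` text is consistent with the existing guard beneath it. `blog_rss_get_feed()` continues beyond the hunk.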
diff -Nru moodle-2.2.3.dfsg/debian/patches/series
moodle-2.2.3.dfsg/debian/patches/series
--- moodle-2.2.3.dfsg/debian/patches/series 2012-11-29
18:00:57.000000000 +0100
+++ moodle-2.2.3.dfsg/debian/patches/series 2013-01-15
21:43:02.000000000 +0100
@@ -19,3 +19,13 @@
0019-MDL-33791-Portfolio-Fixed-security-issue-with-passin.patch
0020-MDL-35558-mod_data-Show-only-own-entries-while-there.patch
0021-MDL-36818-Wrong-value-for-CURLOPT_SSL_VERIFYHOST.patch
+0022-MDL-27619-teachers-can-set-outcomes-to-be-standard-when-re-editing.patch
+0023-MDL-33340-activity-report-showing-lastaccess-even-if-it-is-a-hidden-field.patch
+0024-MDL-35991_1-open-redirect-issues.patch
+0025-MDL-35991_2-open-redirect-issues.patch
+0026-MDL-36600_1-course-message-sending-can-be-exploited-by-CSRF.patch
+0027-MDL-36600_2-course-message-sending-can-be-exploited-by-CSRF.patch
+0028-MDL-36620-guest-users-can-access-RSS-feed-for-site-level-blogs.patch
+0029-MDL-36977-moodle1-backup-converter-path-not-properly-validated.patch
+0030-MDL-37283-import-tinymce-spellchecker-2.0.6.1.patch
+0031-MDL-37467-blog-posts-still-available-via-RSS-even-after-the-blogging-is-disabled.patch
unblock moodle/2.2.3.dfsg-2.6~wheezy2
Tomasz Muras