Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-48104

Avoid use of eval() in mod_assign grading form

XMLWordPrintable

    • MOODLE_25_STABLE, MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE
    • MOODLE_27_STABLE, MOODLE_28_STABLE
    • Hide
      1. Create a new assignment enabling Files as a feedback type
      2. View the grading page
      3. Without ticking any boxes, choose to "Lock submissions" and press "Go"
        • Confirm that an alert was showing informing you taht no-one was selected
      4. Place a tick in the checkbox beside a user
      5. Choose to "Lock submissions" and click Go
        • Confirm that a question was shown
      6. Cancel
      7. Change the dropdown from "Lock submissions" to "Send feedback files"
      8. Choose to "Lock submissions" and click Go
        • Confirm that a question was shown
      Show
      Create a new assignment enabling Files as a feedback type View the grading page Without ticking any boxes, choose to "Lock submissions" and press "Go" Confirm that an alert was showing informing you taht no-one was selected Place a tick in the checkbox beside a user Choose to "Lock submissions" and click Go Confirm that a question was shown Cancel Change the dropdown from "Lock submissions" to "Send feedback files" Choose to "Lock submissions" and click Go Confirm that a question was shown
    • FRONTEND Sprint 15

      There is an unnecessary eval() in the following code which is an open door to XSS attacks.

      mod/assign/module.js
      		 
      confirmmessage = eval('M.str.assign.batchoperationconfirm' + operation.get('value'));

      The Javascript here resolves a string using the value from an HTML element. If the attacker can inject HTML content where this code is used (which I tried and failed as a student), then it is possible to hijack the field and trick the eval into executing arbitrary code.

      An easy fix is to use M.util.get_string().

        1. MDL-48104-26.mdk.patch
          2 kB
        2. MDL-48104-27.mdk.patch
          2 kB
        3. MDL-48104-28.mdk.patch
          2 kB
        4. MDL-48104-master.mdk.patch
          2 kB

            dobedobedoh Andrew Lyons
            fred Frédéric Massart
            Ankit Agarwal Ankit Agarwal
            Dan Poltawski Dan Poltawski
            Mark Nelson Mark Nelson
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved:

                Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.