Moodle / MDL-82958

User index page errors should be more generic


    • MOODLE_403_STABLE, MOODLE_404_STABLE
    • MOODLE_500_STABLE
    • MDL-82958-main

      Testing instructions

      1. Go to Administration / Development / Debugging and set the "Debug messages" field to "NONE".
      2. Access <yoursite>/user/index.php?contextid=99999999
      3. Confirm you can see the following message: "Can't find data record in database."
      4. Go to Site administration / Development / Debugging and set the "Debug messages" field to "DEVELOPER".
      5. Access <yoursite>/user/index.php?contextid=99999999
      6. Confirm you can see the following message:

        Can't find data record in database table context.
        More information about this error
        Debug info:
        SELECT * FROM {context} WHERE id = ?
        [array (
        0 => 99999999,
        )]
        Error code: invalidrecord
        line 1662 of /lib/dml/moodle_database.php: dml_missing_record_exception thrown
        line 1638 of /lib/dml/moodle_database.php: call to moodle_database->get_record_select()
        line 482 of /lib/classes/context.php: call to moodle_database->get_record()
        line 56 of /user/index.php: call to core\context::instance_by_id() 


      Code verified against automated checks.

      Checked MDL-82958 using repository: https://github.com/raortegar/moodle.git
      main (0 errors / 0 warnings) [branch: MDL-82958-main | CI Job]

      More information about this report

      Built on: Wed Dec 18 09:46:13 AM UTC 2024
    • Launching automatic jobs for branch MDL-82958-main
      • https://ci.moodle.org/view/Testing/job/DEV.02%20-%20Developer-requested%20PHPUnit/17704/ PHPUnit (sqlsrv)
      • https://ci.moodle.org/view/Testing/job/DEV.01%20-%20Developer-requested%20Behat/60285/ Behat (NonJS - boost and classic)
      • https://ci.moodle.org/view/Testing/job/DEV.01%20-%20Developer-requested%20Behat/60286/ Behat (Firefox - boost)
      • https://ci.moodle.org/view/Testing/job/DEV.01%20-%20Developer-requested%20Behat/60287/ Behat (Firefox - classic)
      • https://ci.moodle.org/view/Testing/job/DEV.01%20-%20Developer-requested%20Behat/60288/ App tests (stable app version)

      Built on: Wed Dec 11 12:25:31 PM UTC 2024
    • Team Hedgehog 2024 Sprint 3.2, Team Hedgehog 2024 Sprint 3.3, Team Hedgehog 2024 Review 4, Team Hedgehog 2024 Sprint 4.1, Team Hedgehog 2024 Sprint 4.2, Team Hedgehog 2024 Sprint 4.3, Team Hedgehog 2025 Sprint 1.0

      If you visit wwwroot/user/ and either don't include any params, or include an id (course ID) or contextid that doesn't exist, you are shown the DML exception which references the relevant database table (course or context).

      I don't consider this a vulnerability, because they are the generic Moodle table names (which are open source information), but it's not best practice (and not an error intended for user consumption), so we should simply return a generic error that the submitted data is not valid.
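The testing steps above expect one generic line at "NONE" and the table name, SQL and stack trace only at "DEVELOPER". The following stand-alone PHP is an added example for this issue, not Moodle code and not the MDL-82958 patch: it keeps the sensitive details on the exception object and lets the renderer decide, per debug level, how much of them to show. DEBUG_NONE and DEBUG_DEVELOPER copy Moodle's constant values; missing_record_exception, context_instance_by_id, render_error and the in-memory context table are names and data assumed for the example (Moodle's real rendering lives in lib/setuplib.php).

```php
<?php
// Added example for MDL-82958; not Moodle code and not the issue's patch.
// Models the behaviour the testing steps describe: the database table name,
// the SQL and the stack trace reach the browser only at DEVELOPER debug
// level, every lower level gets one generic line.
// DEBUG_NONE / DEBUG_DEVELOPER copy Moodle's values; all other names are assumed.

const DEBUG_NONE = 0;
const DEBUG_DEVELOPER = 32767;

/** Carries the details that must stay out of the user-facing message. */
class missing_record_exception extends Exception {
    public string $table;
    public string $sql;
    public array $params;

    public function __construct(string $table, string $sql, array $params) {
        $this->table = $table;
        $this->sql = $sql;
        $this->params = $params;
        // The message is all that debug levels below DEVELOPER will ever see.
        parent::__construct("Can't find data record in database.");
    }
}

/** Simulated lookup against a constructed in-memory 'context' table. */
function context_instance_by_id(int $id): object {
    $contexts = [1 => (object) ['id' => 1, 'contextlevel' => 10]]; // constructed data
    if (!isset($contexts[$id])) {
        throw new missing_record_exception('context', 'SELECT * FROM {context} WHERE id = ?', [$id]);
    }
    return $contexts[$id];
}

/**
 * Render an exception for the browser. Table name, SQL, parameters and trace
 * are appended only at DEBUG_DEVELOPER; anything lower gets the generic
 * message alone, so nothing about the schema leaks on a production site.
 */
function render_error(missing_record_exception $e, int $debuglevel): string {
    if ($debuglevel < DEBUG_DEVELOPER) {
        return $e->getMessage();
    }
    return "Can't find data record in database table {$e->table}.\n"
        . "Debug info:\n{$e->sql}\n" . var_export($e->params, true) . "\n"
        . "Error code: invalidrecord\n"
        . $e->getTraceAsString();
}

// Walk the two settings from the testing instructions with the same bad id.
foreach (['NONE' => DEBUG_NONE, 'DEVELOPER' => DEBUG_DEVELOPER] as $label => $level) {
    try {
        context_instance_by_id(99999999); // constructed id that does not exist
    } catch (missing_record_exception $e) {
        echo "--- Debug messages: $label ---\n", render_error($e, $level), "\n";
    }
}
```

Running the file prints the one-line generic message for the NONE pass and the table/SQL/trace block for the DEVELOPER pass, which is the distinction steps 3 and 6 of the testing instructions check for. The design point is that the detail never lives in the message string itself; it is attached to the exception and released by the renderer only when the site is explicitly in developer mode.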

            People: Raquel Ortega (raquel.ortega@moodle.com), Michael Hawkins (michaelh), David Woloszyn, Jun Pataleta, Kim Jared Lucas
            Votes: 0
            Watchers: 7

                Estimated: 0m
                Remaining: 0m
                Logged: 6h 24m