Package: moodle Version: 1.9.9.dfsg2-2.1+squeeze3 Severity: normal Tags: patch pending
[Replace XX with correct value] Dear maintainer, I've prepared an NMU for moodle (versioned as 1.9.9.dfsg2-2.1+squeeze4) and uploaded it to DELAYED/XX. Please feel free to tell me if I should delay it longer. Regards. diff -Nru moodle-1.9.9.dfsg2/debian/changelog moodle-1.9.9.dfsg2/debian/changelog --- moodle-1.9.9.dfsg2/debian/changelog 2012-02-29 20:45:39.000000000 +0100 +++ moodle-1.9.9.dfsg2/debian/changelog 2012-10-22 08:10:11.000000000 +0200 @@ -1,3 +1,16 @@ +moodle (1.9.9.dfsg2-2.1+squeeze4) stable; urgency=low + + * Minor security updates. + * Backporting security fixes from MOODLE_19_STABLE: + - CVE-2012-1155 - MSA-12-0013: database activity module entries exporting + does not respect separate groups (Closes: #668411). + - CVE-2012-2362 - MSA-12-0033: XSS bug in blog/index.php in IE. + - CVE-2012-2363 - MSA-12-0034: Stored SQL Injection in calendar. + - CVE-2012-2367 - MSA-12-0038: Calendar New Entry still shows and works + for roles preventing calendar entry. (Closes: #674163) + + -- Didier Raboud <o...@debian.org> Sun, 21 Oct 2012 14:16:11 +0200 + moodle (1.9.9.dfsg2-2.1+squeeze3) stable-security; urgency=low * Security update based on unstable: diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-12-0007 moodle-1.9.9.dfsg2/debian/patches/MSA-12-0007 --- moodle-1.9.9.dfsg2/debian/patches/MSA-12-0007 2012-02-29 20:43:19.000000000 +0100 +++ moodle-1.9.9.dfsg2/debian/patches/MSA-12-0007 2012-10-21 14:19:06.000000000 +0200 @@ -4,11 +4,9 @@ MDL-30575 yet more mail header cleanup -diff --git a/lib/phpmailer/class.phpmailer.php b/lib/phpmailer/class.phpmailer.php -index d5ccc70..53d3668 100644 --- a/lib/phpmailer/class.phpmailer.php +++ b/lib/phpmailer/class.phpmailer.php -@@ -653,11 +653,11 @@ class PHPMailer +@@ -653,11 +653,11 @@ */ function AddrFormat($addr) { if(empty($addr[1])) @@ -23,7 +21,7 @@ } return $formatted; -@@ -780,9 +780,9 @@ class PHPMailer +@@ -780,9 +780,9 @@ $result .= $this->HeaderLine("Date", $this->RFCDate()); if($this->Sender == "") 
@@ -35,27 +33,3 @@ // To be created automatically by mail() if($this->Mailer != "mail") -commit a9e3abe0b437d449a044f1e059a5d0f29601f335 -Author: Petr Skoda <comm...@skodak.org> -Date: Sat Dec 10 18:21:35 2011 +0100 - - MDL-30575 more mail header cleanup - -@@ -1190,7 +1190,10 @@ class PHPMailer - */ - function EncodeHeader ($str, $position = 'text') { - -- /// Start Moodle Hack - do our own multibyte-safe header encoding -+ /// Start Moodle Hack - do our own multibyte-safe header encoding and cleanup -+ $str = str_replace("\r", '', $str); -+ $str = str_replace("\n", '', $str); -+ - $textlib = textlib_get_instance(); - $encoded = $textlib->encode_mimeheader($str, $this->CharSet); - if ($encoded !== false) { -commit a9e3abe0b437d449a044f1e059a5d0f29601f335 -Author: Petr Skoda <comm...@skodak.org> -Date: Sat Dec 10 18:21:35 2011 +0100 - - MDL-30575 more mail header cleanup - diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-12-0013 moodle-1.9.9.dfsg2/debian/patches/MSA-12-0013 --- moodle-1.9.9.dfsg2/debian/patches/MSA-12-0013 1970-01-01 01:00:00.000000000 +0100 +++ moodle-1.9.9.dfsg2/debian/patches/MSA-12-0013 2012-10-21 14:34:54.000000000 +0200 
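Review bot: The hunk removes the whole EncodeHeader() part of debian/patches/MSA-12-0007 — including the two added `$str = str_replace("\r", '', $str);` / `$str = str_replace("\n", '', $str);` lines that strip CR/LF from mail header values — together with the duplicated `commit a9e3abe0…` header, yet the changelog entry lists only the four new MSA patches. If that hunk was dropped because the cleanup is already present in the packaged lib/phpmailer/class.phpmailer.php, or because the duplicated commit block broke quilt, the changelog should say so, e.g. `* MSA-12-0007: drop duplicated commit block (EncodeHeader CR/LF cleanup already applied)`; otherwise this upload silently reverts part of the MDL-30575 header-cleanup fix. The whole diff is repeated verbatim later in this message, so this and the following review notes apply to both copies.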
@@ -0,0 +1,45 @@
+commit 312ada2856cfb79d03ac6effe11dd750f2aa67f0
+Author: Adrian Greeve <adr...@moodle.com>
+Date: Tue Jan 31 12:09:30 2012 +0800
+
+ MDL-25185 - data - Allowing data from the database to be exported according to group roles.
+
+diff --git a/mod/data/export.php b/mod/data/export.php
+index 6ac914e..edea566 100644
+--- a/mod/data/export.php
++++ b/mod/data/export.php
+@@ -60,6 +60,7 @@ if($mform->is_cancelled()) {
+ print_header_simple($data->name, '', $nav,
+ '', '', true, update_module_button($cm->id, $course->id, get_string('modulename', 'data')),
+ navmenu($course, $cm), '', '');
++ groups_print_activity_menu($cm, "$CFG->wwwroot/mod/data/export.php?d=$d");
+ print_heading(format_string($data->name));
+
+ // these are for the tab display
+@@ -83,13 +84,25 @@ foreach($fields as $key => $field) {
+ $exportdata[0][] = $field->field->name;
+ }
+ }
++$groupid = groups_get_activity_group($cm);
+
+ $datarecords = get_records('data_records', 'dataid', $data->id);
+ ksort($datarecords);
+ $line = 1;
+ foreach($datarecords as $record) {
+ // get content indexed by fieldid
+- if( $content = get_records('data_content', 'recordid', $record->id, 'fieldid', 'fieldid, content, content1, content2, content3, content4') ) {
++ if($groupid) {
++ $select = "SELECT c.fieldid, c.content, c.content1, c.content2, c.content3, c.content4
++ FROM {$CFG->prefix}data_content c, {$CFG->prefix}data_records r
++ WHERE c.recordid = $record->id
++ AND r.id = c.recordid
++ AND r.groupid = $groupid";
++ } else {
++ $select = "SELECT fieldid, content, content1, content2, content3, content4
++ FROM {$CFG->prefix}data_content
++ WHERE recordid = $record->id";
++ }
++ if( $content = get_records_sql($select) ) {
+ foreach($fields as $field) {
+ $contents = '';
+ if(isset($content[$field->field->id])) {
diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-12-0033 moodle-1.9.9.dfsg2/debian/patches/MSA-12-0033
--- moodle-1.9.9.dfsg2/debian/patches/MSA-12-0033 1970-01-01 01:00:00.000000000 +0100
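Review bot: The new `$select` in mod/data/export.php interpolates `$record->id` and `$groupid` directly into the SQL string, where the removed line went through the `get_records()` field/value API. `$record->id` comes from `get_records('data_records', …)` and `$groupid` from `groups_get_activity_group($cm)`, which presumably returns a validated integer, so this is not a new injection path, but an explicit cast — `WHERE c.recordid = " . (int)$record->id . "` and `AND r.groupid = " . (int)$groupid` — would make that guarantee visible in the query itself. Filtering `data_records` by group once before the loop (e.g. `get_records_select('data_records', "dataid = $data->id AND groupid = $groupid")`) would also remove the per-record join; what the loop emits for a record whose `$content` comes back empty is outside the hunk, so confirm no row is still written for records belonging to other groups.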
+++ moodle-1.9.9.dfsg2/debian/patches/MSA-12-0033 2012-10-21 14:48:44.000000000 +0200
@@ -0,0 +1,45 @@
+commit 038131c8b5614f18c14d964dc53b6960ae6c30d8
+Author: Rajesh Taneja <raj...@moodle.com>
+Date: Mon Mar 26 11:54:01 2012 +1300
+
+ MDL-31745 blog: Fixed up encoding issue within blog
+
+--- a/blog/lib.php
++++ b/blog/lib.php
+@@ -672,7 +672,7 @@
+ $querystring = '';
+ foreach($_GET as $var => $val) {
+ $var = clean_param($var, PARAM_ALPHANUM); // See MDL-22631
+- $val = clean_param($val, PARAM_CLEAN);
++ $val = urlencode(clean_param($val, PARAM_CLEAN));
+ if(!$first) {
+ $first = true;
+ if ($var != 'filterselect' && $var != 'filtertype') {
+@@ -683,13 +683,13 @@
+ }
+ } else {
+ if ($var != 'filterselect' && $var != 'filtertype') {
+- $querystring .= '&'.$var.'='.$val;
++ $querystring .= '&'.$var.'='.$val;
+ $hasparam = true;
+ }
+ }
+ }
+ if (isset($hasparam)) {
+- $querystring .= '&';
++ $querystring .= '&';
+ } else {
+ $querystring = '?';
+ }
+@@ -697,9 +697,8 @@
+ $querystring = '?';
+ }
+
+- return strip_querystring(qualified_me()) . $querystring. 'filtertype='.
+- $filtertype.'&filterselect='.$filterselect.'&';
+-
++ return s(strip_querystring(qualified_me()) . $querystring. 'filtertype='.
++ $filtertype.'&filterselect='.$filterselect.'&', true);
+ }
+
+ /**
diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-12-0034 moodle-1.9.9.dfsg2/debian/patches/MSA-12-0034
--- moodle-1.9.9.dfsg2/debian/patches/MSA-12-0034 1970-01-01 01:00:00.000000000 +0100
+++ moodle-1.9.9.dfsg2/debian/patches/MSA-12-0034 2012-10-21 14:44:38.000000000 +0200
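Review bot: The removed and added lines `$querystring .= '&'.$var.'='.$val;` (and likewise `$querystring .= '&';`) read identically here, which suggests an HTML entity on one side was decoded when the message was rendered; verify the patch file on disk really differs on those lines, otherwise that part of the hunk is a no-op and the double-encoding fix is lost. Given the new `s(…, true)` on the return value, the intent is presumably to build the URL with a raw `&` and escape it once for HTML on output. That also means the function now returns an HTML-escaped URL, so a caller that feeds it to `redirect()` or a `Location:` header would get `&amp;` in the address; whether such callers exist is outside the hunk. A one-line note above the `return`, `// Returned URL is HTML-escaped: use in HTML output only.`, would make the contract explicit.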
@@ -0,0 +1,184 @@
+commit db52f45c688afb3b4d7a3f701d40182ccc3a81bc
+Author: Rajesh Taneja <raj...@moodle.com>
+Date: Tue Apr 10 17:50:58 2012 +1200
+
+ MDL-31746 calendar: Fixed up validation inconsistencies when creating/editing an event
+
+diff --git a/calendar/event.php b/calendar/event.php
+index 5325aa4..bec568c 100644
+--- a/calendar/event.php
++++ b/calendar/event.php
+@@ -103,6 +103,7 @@
+ }
+
+ $form = null;
++ $err = array();
+
+ switch($action) {
+ case 'delete':
+@@ -129,23 +130,7 @@
+ }
+
+ if($form = data_submitted() and confirm_sesskey()) {
+-
+- $form->name = clean_param(strip_tags($form->name,'<lang><span>'), PARAM_CLEAN);
+-
+- $form->timestart = make_timestamp($form->startyr, $form->startmon, $form->startday, $form->starthr, $form->startmin);
+- if($form->duration == 1) {
+- $form->timeduration = make_timestamp($form->endyr, $form->endmon, $form->endday, $form->endhr, $form->endmin) - $form->timestart;
+- if($form->timeduration < 0) {
+- $form->timeduration = 0;
+- }
+- }
+- else if($form->duration == 2) {
+- $form->timeduration = $form->minutes * MINSECS;
+- }
+- else {
+- $form->timeduration = 0;
+- }
+-
++ // validate form and set error if any.
+ validate_form($form, $err);
+
+ if (count($err) == 0) {
+@@ -194,27 +179,13 @@
+ $title = get_string('newevent', 'calendar');
+ $form = data_submitted();
+ if(!empty($form) && !empty($form->name) && confirm_sesskey()) {
+-
+- $form->name = clean_text(strip_tags($form->name, '<lang><span>'));
+-
+- $form->timestart = make_timestamp($form->startyr, $form->startmon, $form->startday, $form->starthr, $form->startmin);
+- if($form->duration == 1) {
+- $form->timeduration = make_timestamp($form->endyr, $form->endmon, $form->endday, $form->endhr, $form->endmin) - $form->timestart;
+- if($form->timeduration < 0) {
+- $form->timeduration = 0;
+- }
+- }
+- else if ($form->duration == 2) {
+- $form->timeduration = $form->minutes * MINSECS;
+- }
+- else {
+- $form->timeduration = 0;
+- }
+- if(!calendar_add_event_allowed($form)) {
+- error('You are not authorized to do this');
+- }
++ // validate form and set error if any.
+ validate_form($form, $err);
++
+ if (count($err) == 0) {
++ if (!calendar_add_event_allowed($form)) {
++ error('You are not authorized to do this');
++ }
+ $form->timemodified = time();
+
+ /// Get the event id for the log record.
+@@ -568,11 +539,44 @@
+
+
+ function validate_form(&$form, &$err) {
++ $cleanform = new stdClass();
++ //first clean the form values
++ $cleanform->name = clean_param(strip_tags(trim($form->name), '<lang><span>'),PARAM_CLEAN);
++ $cleanform->description = addslashes(clean_param($form->description, PARAM_CLEANHTML));
++ $cleanform->duration = clean_param($form->duration, PARAM_INT);
++ $cleanform->startmon = clean_param($form->startmon, PARAM_INT);
++ $cleanform->startday = clean_param($form->startday, PARAM_INT);
++ $cleanform->startyr = clean_param($form->startyr, PARAM_INT);
++ $cleanform->starthr = clean_param($form->starthr, PARAM_INT);
++ $cleanform->startmin = clean_param($form->startmin, PARAM_INT);
++ $cleanform->endmon = clean_param($form->endmon, PARAM_INT);
++ $cleanform->endday = clean_param($form->endday, PARAM_INT);
++ $cleanform->endyr = clean_param($form->endyr, PARAM_INT);
++ $cleanform->endhr = clean_param($form->endhr, PARAM_INT);
++ $cleanform->endmin = clean_param($form->endmin, PARAM_INT);
++ $cleanform->minutes = clean_param($form->minutes, PARAM_INT);
++ $cleanform->courseid = clean_param($form->courseid, PARAM_INT);
++ $cleanform->format = clean_param($form->format, PARAM_INT);
++ $cleanform->course = clean_param($form->course, PARAM_INT);
++ $cleanform->action = clean_param($form->action, PARAM_ALPHA);
++
++ // These values are only required for new event.
++ if ($cleanform->action === 'new') {
++ $cleanform->repeat = clean_param($form->repeat, PARAM_INT);
++ $cleanform->repeats = clean_param($form->repeats, PARAM_INT);
++ $cleanform->groupid = clean_param($form->groupid, PARAM_INT);
++ $cleanform->userid = clean_param($form->userid, PARAM_INT);
++ $cleanform->modulename = clean_param($form->modulename, PARAM_SAFEDIR);
++ $cleanform->eventtype = clean_param($form->eventtype, PARAM_ALPHA);
++ $cleanform->instance = clean_param($form->instance, PARAM_INT);
++ $cleanform->type = clean_param($form->type, PARAM_ALPHA);
++ } else {
++ $cleanform->id = clean_param($form->id, PARAM_INT);
++ }
++ // set form with clean and valid values only.
++ $form = $cleanform;
+
+- $form->name = trim($form->name);
+- $form->description = trim($form->description);
+-
+- if(empty($form->name)) {
++ if (empty($form->name)) {
+ $err['name'] = get_string('errornoeventname', 'calendar');
+ }
+ /* Allow events without a description
+@@ -580,28 +584,53 @@ function validate_form(&$form, &$err) {
+ $err['description'] = get_string('errornodescription', 'calendar');
+ }
+ */
+- if(!checkdate($form->startmon, $form->startday, $form->startyr)) {
++ if (!checkdate($form->startmon, $form->startday, $form->startyr)) {
+ $err['timestart'] = get_string('errorinvaliddate', 'calendar');
+ }
+- if($form->duration == 2 and !checkdate($form->endmon, $form->endday, $form->endyr)) {
++ if ($form->duration == 1 and !checkdate($form->endmon, $form->endday, $form->endyr)) {
+ $err['timeduration'] = get_string('errorinvaliddate', 'calendar');
+ }
+- if($form->duration == 2 and !($form->minutes > 0 and $form->minutes < 1000)) {
++ if ($form->duration == 2 and !($form->minutes > 0 and $form->minutes < 1000)) {
+ $err['minutes'] = get_string('errorinvalidminutes', 'calendar');
+ }
+ if (!empty($form->repeat) and !($form->repeats > 1 and $form->repeats < 100)) {
+ $err['repeats'] = get_string('errorinvalidrepeats', 'calendar');
+ }
+- if(!empty($form->courseid)) {
++
++ // set start time and duration
++ $form->timestart = make_timestamp($form->startyr, $form->startmon, $form->startday, $form->starthr, $form->startmin);
++ if ($form->duration == 1) {
++ $form->timeduration = make_timestamp($form->endyr, $form->endmon, $form->endday, $form->endhr, $form->endmin) - $form->timestart;
++ // Duration should be set for time in future.
++ if ($form->timeduration <= 0) {
++ $err['timeduration'] = get_string('errorinvaliddate', 'calendar');
++ $form->timeduration = 0;
++ }
++ }
++ else if ($form->duration == 2) {
++ $form->timeduration = $form->minutes * MINSECS;
++ }
++ else {
++ $form->timeduration = 0;
++ }
++
++ if (!empty($form->courseid)) {
+ // Timestamps must be >= course startdate
+ $course = get_record('course', 'id', $form->courseid);
+- if($course === false) {
++ if ($course === false) {
+ error('Event belongs to invalid course');
+ }
+ else if($form->timestart < $course->startdate) {
+ $err['timestart'] = get_string('errorbeforecoursestart', 'calendar');
+ }
+ }
++ if (!empty($form->modulename)) {
++ // Check that passed modulename actually exists (possible SQL Injection route)
++ $module = get_record('modules', 'name', $form->modulename);
++ if ($module === false) {
++ error('Invalid module name');
++ }
++ }
+ }
+
+ function calendar_add_event_allowed($event) {
diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-12-0038 moodle-1.9.9.dfsg2/debian/patches/MSA-12-0038
--- moodle-1.9.9.dfsg2/debian/patches/MSA-12-0038 1970-01-01 01:00:00.000000000 +0100
+++ moodle-1.9.9.dfsg2/debian/patches/MSA-12-0038 2012-10-21 14:50:28.000000000 +0200
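Review bot: `validate_form()` now replaces the caller's `$form` wholesale with `$cleanform`, so only the fields it lists reach `calendar_add_event_allowed()` and the later DB write; that whitelist is the real fix, but the function has no docblock saying so, and a maintainer adding a form field later will not know it must be listed here. I would add above `function validate_form(&$form, &$err)`: `// Rebuilds $form from a whitelist of cleaned fields; any submitted field not listed here is dropped before it can reach the DB. New form fields must be added here.` Two behaviour changes also deserve a line in the patch header or changelog: the `else` branch keeps only `id` for every action other than 'new', and an end time equal to the start time now yields `errorinvaliddate` (`$form->timeduration <= 0`) where the removed code clamped it to 0. The fields are read as `$form->x` without `isset()`, so a truncated POST raises PHP notices before `clean_param()` turns the missing value into 0 — harmless, but noisy in logs.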
@@ -0,0 +1,18 @@
+commit 4928e13799ad344bc7babba93a28ae77a830080f
+Author: Rossiani Wijaya <rwij...@moodle.com>
+Date: Mon Apr 30 17:07:15 2012 +0800
+
+ MDL-18335 calendar event: fixed role capability checking to create new event
+
+diff --git a/calendar/lib.php b/calendar/lib.php
+index 7c575d4..a927b6b 100644
+--- a/calendar/lib.php
++++ b/calendar/lib.php
+@@ -1582,6 +1582,7 @@ function calendar_get_allowed_types(&$allowed) {
+ if(!empty($SESSION->cal_course_referer) && $SESSION->cal_course_referer != SITEID) {
+ $course = get_record('course', 'id', $SESSION->cal_course_referer);
+ $coursecontext = get_context_instance(CONTEXT_COURSE, $SESSION->cal_course_referer);
++ $allowed->user = has_capability('moodle/calendar:manageownentries', $coursecontext);
+
+ if(has_capability('moodle/calendar:manageentries', $coursecontext)) {
+ $allowed->courses = array($course->id => 1);
diff -Nru moodle-1.9.9.dfsg2/debian/patches/series moodle-1.9.9.dfsg2/debian/patches/series
--- moodle-1.9.9.dfsg2/debian/patches/series 2012-02-29 20:43:19.000000000 +0100
+++ moodle-1.9.9.dfsg2/debian/patches/series 2012-10-22 08:05:31.000000000 +0200
@@ -32,3 +32,7 @@
 MSA-12-0005
 MSA-12-0006
 MSA-12-0007
+MSA-12-0013
+MSA-12-0033
+MSA-12-0034
+MSA-12-0038
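Review bot: The new `$allowed->user = has_capability('moodle/calendar:manageownentries', $coursecontext);` is evaluated only inside the `cal_course_referer` branch, so what `$allowed->user` holds when no course referer is in the session, or when it equals SITEID, is decided by code outside the hunk; confirm that path also derives it from a capability check, otherwise the fix only covers entries created from a course page. `$coursecontext` is built from `$SESSION->cal_course_referer` without checking that `$course` was actually found, which is pre-existing but cheap to guard with `if ($course === false)` before the capability checks. The rest of `calendar_get_allowed_types()` lies outside the hunk.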
diff -Nru moodle-1.9.9.dfsg2/debian/changelog moodle-1.9.9.dfsg2/debian/changelog --- moodle-1.9.9.dfsg2/debian/changelog 2012-02-29 20:45:39.000000000 +0100 +++ moodle-1.9.9.dfsg2/debian/changelog 2012-10-22 08:10:11.000000000 +0200 @@ -1,3 +1,16 @@ +moodle (1.9.9.dfsg2-2.1+squeeze4) stable; urgency=low + + * Minor security updates. + * Backporting security fixes from MOODLE_19_STABLE: + - CVE-2012-1155 - MSA-12-0013: database activity module entries exporting + does not respect separate groups (Closes: #668411). + - CVE-2012-2362 - MSA-12-0033: XSS bug in blog/index.php in IE. + - CVE-2012-2363 - MSA-12-0034: Stored SQL Injection in calendar. + - CVE-2012-2367 - MSA-12-0038: Calendar New Entry still shows and works + for roles preventing calendar entry. (Closes: #674163) + + -- Didier Raboud <o...@debian.org> Sun, 21 Oct 2012 14:16:11 +0200 + moodle (1.9.9.dfsg2-2.1+squeeze3) stable-security; urgency=low * Security update based on unstable: diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-12-0007 moodle-1.9.9.dfsg2/debian/patches/MSA-12-0007 --- moodle-1.9.9.dfsg2/debian/patches/MSA-12-0007 2012-02-29 20:43:19.000000000 +0100 +++ moodle-1.9.9.dfsg2/debian/patches/MSA-12-0007 2012-10-21 14:19:06.000000000 +0200 @@ -4,11 +4,9 @@ MDL-30575 yet more mail header cleanup -diff --git a/lib/phpmailer/class.phpmailer.php b/lib/phpmailer/class.phpmailer.php -index d5ccc70..53d3668 100644 --- a/lib/phpmailer/class.phpmailer.php +++ b/lib/phpmailer/class.phpmailer.php -@@ -653,11 +653,11 @@ class PHPMailer +@@ -653,11 +653,11 @@ */ function AddrFormat($addr) { if(empty($addr[1])) @@ -23,7 +21,7 @@ } return $formatted; -@@ -780,9 +780,9 @@ class PHPMailer +@@ -780,9 +780,9 @@ $result .= $this->HeaderLine("Date", $this->RFCDate()); if($this->Sender == "") 
@@ -35,27 +33,3 @@ // To be created automatically by mail() if($this->Mailer != "mail") -commit a9e3abe0b437d449a044f1e059a5d0f29601f335 -Author: Petr Skoda <comm...@skodak.org> -Date: Sat Dec 10 18:21:35 2011 +0100 - - MDL-30575 more mail header cleanup - -@@ -1190,7 +1190,10 @@ class PHPMailer - */ - function EncodeHeader ($str, $position = 'text') { - -- /// Start Moodle Hack - do our own multibyte-safe header encoding -+ /// Start Moodle Hack - do our own multibyte-safe header encoding and cleanup -+ $str = str_replace("\r", '', $str); -+ $str = str_replace("\n", '', $str); -+ - $textlib = textlib_get_instance(); - $encoded = $textlib->encode_mimeheader($str, $this->CharSet); - if ($encoded !== false) { -commit a9e3abe0b437d449a044f1e059a5d0f29601f335 -Author: Petr Skoda <comm...@skodak.org> -Date: Sat Dec 10 18:21:35 2011 +0100 - - MDL-30575 more mail header cleanup - diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-12-0013 moodle-1.9.9.dfsg2/debian/patches/MSA-12-0013 --- moodle-1.9.9.dfsg2/debian/patches/MSA-12-0013 1970-01-01 01:00:00.000000000 +0100 +++ moodle-1.9.9.dfsg2/debian/patches/MSA-12-0013 2012-10-21 14:34:54.000000000 +0200 
@@ -0,0 +1,45 @@
+commit 312ada2856cfb79d03ac6effe11dd750f2aa67f0
+Author: Adrian Greeve <adr...@moodle.com>
+Date: Tue Jan 31 12:09:30 2012 +0800
+
+ MDL-25185 - data - Allowing data from the database to be exported according to group roles.
+
+diff --git a/mod/data/export.php b/mod/data/export.php
+index 6ac914e..edea566 100644
+--- a/mod/data/export.php
++++ b/mod/data/export.php
+@@ -60,6 +60,7 @@ if($mform->is_cancelled()) {
+ print_header_simple($data->name, '', $nav,
+ '', '', true, update_module_button($cm->id, $course->id, get_string('modulename', 'data')),
+ navmenu($course, $cm), '', '');
++ groups_print_activity_menu($cm, "$CFG->wwwroot/mod/data/export.php?d=$d");
+ print_heading(format_string($data->name));
+
+ // these are for the tab display
+@@ -83,13 +84,25 @@ foreach($fields as $key => $field) {
+ $exportdata[0][] = $field->field->name;
+ }
+ }
++$groupid = groups_get_activity_group($cm);
+
+ $datarecords = get_records('data_records', 'dataid', $data->id);
+ ksort($datarecords);
+ $line = 1;
+ foreach($datarecords as $record) {
+ // get content indexed by fieldid
+- if( $content = get_records('data_content', 'recordid', $record->id, 'fieldid', 'fieldid, content, content1, content2, content3, content4') ) {
++ if($groupid) {
++ $select = "SELECT c.fieldid, c.content, c.content1, c.content2, c.content3, c.content4
++ FROM {$CFG->prefix}data_content c, {$CFG->prefix}data_records r
++ WHERE c.recordid = $record->id
++ AND r.id = c.recordid
++ AND r.groupid = $groupid";
++ } else {
++ $select = "SELECT fieldid, content, content1, content2, content3, content4
++ FROM {$CFG->prefix}data_content
++ WHERE recordid = $record->id";
++ }
++ if( $content = get_records_sql($select) ) {
+ foreach($fields as $field) {
+ $contents = '';
+ if(isset($content[$field->field->id])) {
diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-12-0033 moodle-1.9.9.dfsg2/debian/patches/MSA-12-0033
--- moodle-1.9.9.dfsg2/debian/patches/MSA-12-0033 1970-01-01 01:00:00.000000000 +0100
+++ moodle-1.9.9.dfsg2/debian/patches/MSA-12-0033 2012-10-21 14:48:44.000000000 +0200
@@ -0,0 +1,45 @@
+commit 038131c8b5614f18c14d964dc53b6960ae6c30d8
+Author: Rajesh Taneja <raj...@moodle.com>
+Date: Mon Mar 26 11:54:01 2012 +1300
+
+ MDL-31745 blog: Fixed up encoding issue within blog
+
+--- a/blog/lib.php
++++ b/blog/lib.php
+@@ -672,7 +672,7 @@
+ $querystring = '';
+ foreach($_GET as $var => $val) {
+ $var = clean_param($var, PARAM_ALPHANUM); // See MDL-22631
+- $val = clean_param($val, PARAM_CLEAN);
++ $val = urlencode(clean_param($val, PARAM_CLEAN));
+ if(!$first) {
+ $first = true;
+ if ($var != 'filterselect' && $var != 'filtertype') {
+@@ -683,13 +683,13 @@
+ }
+ } else {
+ if ($var != 'filterselect' && $var != 'filtertype') {
+- $querystring .= '&'.$var.'='.$val;
++ $querystring .= '&'.$var.'='.$val;
+ $hasparam = true;
+ }
+ }
+ }
+ if (isset($hasparam)) {
+- $querystring .= '&';
++ $querystring .= '&';
+ } else {
+ $querystring = '?';
+ }
+@@ -697,9 +697,8 @@
+ $querystring = '?';
+ }
+
+- return strip_querystring(qualified_me()) . $querystring. 'filtertype='.
+- $filtertype.'&filterselect='.$filterselect.'&';
+-
++ return s(strip_querystring(qualified_me()) . $querystring. 'filtertype='.
++ $filtertype.'&filterselect='.$filterselect.'&', true);
+ }
+
+ /**
diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-12-0034 moodle-1.9.9.dfsg2/debian/patches/MSA-12-0034
--- moodle-1.9.9.dfsg2/debian/patches/MSA-12-0034 1970-01-01 01:00:00.000000000 +0100
+++ moodle-1.9.9.dfsg2/debian/patches/MSA-12-0034 2012-10-21 14:44:38.000000000 +0200
@@ -0,0 +1,184 @@
+commit db52f45c688afb3b4d7a3f701d40182ccc3a81bc
+Author: Rajesh Taneja <raj...@moodle.com>
+Date: Tue Apr 10 17:50:58 2012 +1200
+
+ MDL-31746 calendar: Fixed up validation inconsistencies when creating/editing an event
+
+diff --git a/calendar/event.php b/calendar/event.php
+index 5325aa4..bec568c 100644
+--- a/calendar/event.php
++++ b/calendar/event.php
+@@ -103,6 +103,7 @@
+ }
+
+ $form = null;
++ $err = array();
+
+ switch($action) {
+ case 'delete':
+@@ -129,23 +130,7 @@
+ }
+
+ if($form = data_submitted() and confirm_sesskey()) {
+-
+- $form->name = clean_param(strip_tags($form->name,'<lang><span>'), PARAM_CLEAN);
+-
+- $form->timestart = make_timestamp($form->startyr, $form->startmon, $form->startday, $form->starthr, $form->startmin);
+- if($form->duration == 1) {
+- $form->timeduration = make_timestamp($form->endyr, $form->endmon, $form->endday, $form->endhr, $form->endmin) - $form->timestart;
+- if($form->timeduration < 0) {
+- $form->timeduration = 0;
+- }
+- }
+- else if($form->duration == 2) {
+- $form->timeduration = $form->minutes * MINSECS;
+- }
+- else {
+- $form->timeduration = 0;
+- }
+-
++ // validate form and set error if any.
+ validate_form($form, $err);
+
+ if (count($err) == 0) {
+@@ -194,27 +179,13 @@
+ $title = get_string('newevent', 'calendar');
+ $form = data_submitted();
+ if(!empty($form) && !empty($form->name) && confirm_sesskey()) {
+-
+- $form->name = clean_text(strip_tags($form->name, '<lang><span>'));
+-
+- $form->timestart = make_timestamp($form->startyr, $form->startmon, $form->startday, $form->starthr, $form->startmin);
+- if($form->duration == 1) {
+- $form->timeduration = make_timestamp($form->endyr, $form->endmon, $form->endday, $form->endhr, $form->endmin) - $form->timestart;
+- if($form->timeduration < 0) {
+- $form->timeduration = 0;
+- }
+- }
+- else if ($form->duration == 2) {
+- $form->timeduration = $form->minutes * MINSECS;
+- }
+- else {
+- $form->timeduration = 0;
+- }
+- if(!calendar_add_event_allowed($form)) {
+- error('You are not authorized to do this');
+- }
++ // validate form and set error if any.
+ validate_form($form, $err);
++
+ if (count($err) == 0) {
++ if (!calendar_add_event_allowed($form)) {
++ error('You are not authorized to do this');
++ }
+ $form->timemodified = time();
+
+ /// Get the event id for the log record.
+@@ -568,11 +539,44 @@
+
+
+ function validate_form(&$form, &$err) {
++ $cleanform = new stdClass();
++ //first clean the form values
++ $cleanform->name = clean_param(strip_tags(trim($form->name), '<lang><span>'),PARAM_CLEAN);
++ $cleanform->description = addslashes(clean_param($form->description, PARAM_CLEANHTML));
++ $cleanform->duration = clean_param($form->duration, PARAM_INT);
++ $cleanform->startmon = clean_param($form->startmon, PARAM_INT);
++ $cleanform->startday = clean_param($form->startday, PARAM_INT);
++ $cleanform->startyr = clean_param($form->startyr, PARAM_INT);
++ $cleanform->starthr = clean_param($form->starthr, PARAM_INT);
++ $cleanform->startmin = clean_param($form->startmin, PARAM_INT);
++ $cleanform->endmon = clean_param($form->endmon, PARAM_INT);
++ $cleanform->endday = clean_param($form->endday, PARAM_INT);
++ $cleanform->endyr = clean_param($form->endyr, PARAM_INT);
++ $cleanform->endhr = clean_param($form->endhr, PARAM_INT);
++ $cleanform->endmin = clean_param($form->endmin, PARAM_INT);
++ $cleanform->minutes = clean_param($form->minutes, PARAM_INT);
++ $cleanform->courseid = clean_param($form->courseid, PARAM_INT);
++ $cleanform->format = clean_param($form->format, PARAM_INT);
++ $cleanform->course = clean_param($form->course, PARAM_INT);
++ $cleanform->action = clean_param($form->action, PARAM_ALPHA);
++
++ // These values are only required for new event.
++ if ($cleanform->action === 'new') {
++ $cleanform->repeat = clean_param($form->repeat, PARAM_INT);
++ $cleanform->repeats = clean_param($form->repeats, PARAM_INT);
++ $cleanform->groupid = clean_param($form->groupid, PARAM_INT);
++ $cleanform->userid = clean_param($form->userid, PARAM_INT);
++ $cleanform->modulename = clean_param($form->modulename, PARAM_SAFEDIR);
++ $cleanform->eventtype = clean_param($form->eventtype, PARAM_ALPHA);
++ $cleanform->instance = clean_param($form->instance, PARAM_INT);
++ $cleanform->type = clean_param($form->type, PARAM_ALPHA);
++ } else {
++ $cleanform->id = clean_param($form->id, PARAM_INT);
++ }
++ // set form with clean and valid values only.
++ $form = $cleanform;
+
+- $form->name = trim($form->name);
+- $form->description = trim($form->description);
+-
+- if(empty($form->name)) {
++ if (empty($form->name)) {
+ $err['name'] = get_string('errornoeventname', 'calendar');
+ }
+ /* Allow events without a description
+@@ -580,28 +584,53 @@ function validate_form(&$form, &$err) {
+ $err['description'] = get_string('errornodescription', 'calendar');
+ }
+ */
+- if(!checkdate($form->startmon, $form->startday, $form->startyr)) {
++ if (!checkdate($form->startmon, $form->startday, $form->startyr)) {
+ $err['timestart'] = get_string('errorinvaliddate', 'calendar');
+ }
+- if($form->duration == 2 and !checkdate($form->endmon, $form->endday, $form->endyr)) {
++ if ($form->duration == 1 and !checkdate($form->endmon, $form->endday, $form->endyr)) {
+ $err['timeduration'] = get_string('errorinvaliddate', 'calendar');
+ }
+- if($form->duration == 2 and !($form->minutes > 0 and $form->minutes < 1000)) {
++ if ($form->duration == 2 and !($form->minutes > 0 and $form->minutes < 1000)) {
+ $err['minutes'] = get_string('errorinvalidminutes', 'calendar');
+ }
+ if (!empty($form->repeat) and !($form->repeats > 1 and $form->repeats < 100)) {
+ $err['repeats'] = get_string('errorinvalidrepeats', 'calendar');
+ }
+- if(!empty($form->courseid)) {
++
++ // set start time and duration
++ $form->timestart = make_timestamp($form->startyr, $form->startmon, $form->startday, $form->starthr, $form->startmin);
++ if ($form->duration == 1) {
++ $form->timeduration = make_timestamp($form->endyr, $form->endmon, $form->endday, $form->endhr, $form->endmin) - $form->timestart;
++ // Duration should be set for time in future.
++ if ($form->timeduration <= 0) {
++ $err['timeduration'] = get_string('errorinvaliddate', 'calendar');
++ $form->timeduration = 0;
++ }
++ }
++ else if ($form->duration == 2) {
++ $form->timeduration = $form->minutes * MINSECS;
++ }
++ else {
++ $form->timeduration = 0;
++ }
++
++ if (!empty($form->courseid)) {
+ // Timestamps must be >= course startdate
+ $course = get_record('course', 'id', $form->courseid);
+- if($course === false) {
++ if ($course === false) {
+ error('Event belongs to invalid course');
+ }
+ else if($form->timestart < $course->startdate) {
+ $err['timestart'] = get_string('errorbeforecoursestart', 'calendar');
+ }
+ }
++ if (!empty($form->modulename)) {
++ // Check that passed modulename actually exists (possible SQL Injection route)
++ $module = get_record('modules', 'name', $form->modulename);
++ if ($module === false) {
++ error('Invalid module name');
++ }
++ }
+ }
+
+ function calendar_add_event_allowed($event) {
diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-12-0038 moodle-1.9.9.dfsg2/debian/patches/MSA-12-0038
--- moodle-1.9.9.dfsg2/debian/patches/MSA-12-0038 1970-01-01 01:00:00.000000000 +0100
+++ moodle-1.9.9.dfsg2/debian/patches/MSA-12-0038 2012-10-21 14:50:28.000000000 +0200
@@ -0,0 +1,18 @@
+commit 4928e13799ad344bc7babba93a28ae77a830080f
+Author: Rossiani Wijaya <rwij...@moodle.com>
+Date: Mon Apr 30 17:07:15 2012 +0800
+
+ MDL-18335 calendar event: fixed role capability checking to create new event
+
+diff --git a/calendar/lib.php b/calendar/lib.php
+index 7c575d4..a927b6b 100644
+--- a/calendar/lib.php
++++ b/calendar/lib.php
+@@ -1582,6 +1582,7 @@ function calendar_get_allowed_types(&$allowed) {
+ if(!empty($SESSION->cal_course_referer) && $SESSION->cal_course_referer != SITEID) {
+ $course = get_record('course', 'id', $SESSION->cal_course_referer);
+ $coursecontext = get_context_instance(CONTEXT_COURSE, $SESSION->cal_course_referer);
++ $allowed->user = has_capability('moodle/calendar:manageownentries', $coursecontext);
+
+ if(has_capability('moodle/calendar:manageentries', $coursecontext)) {
+ $allowed->courses = array($course->id => 1);
diff -Nru moodle-1.9.9.dfsg2/debian/patches/series moodle-1.9.9.dfsg2/debian/patches/series
--- moodle-1.9.9.dfsg2/debian/patches/series 2012-02-29 20:43:19.000000000 +0100
+++ moodle-1.9.9.dfsg2/debian/patches/series 2012-10-22 08:05:31.000000000 +0200
@@ -32,3 +32,7 @@
 MSA-12-0005
 MSA-12-0006
 MSA-12-0007
+MSA-12-0013
+MSA-12-0033
+MSA-12-0034
+MSA-12-0038