Bug#687924: moodle: diff for NMU version 2.2.3.dfsg-2.3
On 09/30/2012 04:24 PM, Didier 'OdyX' Raboud wrote: Le dimanche, 30 septembre 2012 15.45:03, Didier Raboud a écrit : tags 687924 + patch tags 687924 + pending thanks Dear maintainer, I've prepared an NMU for moodle (versioned as 2.2.3.dfsg-2.3) and uploaded it to DELAYED/1. Please feel free to tell me if I should delay it longer. … and to help reviewing, these are the patches, cherry-picked from upstream's branch if you want to comment. Much appreciated, thank you for your help OdyX. Tomek -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#687924: moodle: diff for NMU version 2.2.3.dfsg-2.3
Le dimanche, 30 septembre 2012 15.45:03, Didier Raboud a écrit : > tags 687924 + patch > tags 687924 + pending > thanks > > Dear maintainer, > > I've prepared an NMU for moodle (versioned as 2.2.3.dfsg-2.3) and > uploaded it to DELAYED/1. Please feel free to tell me if I > should delay it longer. … and to help reviewing, these are the patches, cherry-picked from upstream's branch if you want to comment. Cheers, OdyX
From ebf253af171efbc5ff3a0074538c85a5edcb2ee2 Mon Sep 17 00:00:00 2001
From: Rajesh Taneja
Date: Fri, 3 Aug 2012 11:44:20 +0800
Subject: [PATCH] MDL-30792 Files API: maxbytes will be set by get_max_upload_file_size if less then 0 or greater then max moodle limit
---
 repository/filepicker.php |4 ++--
 repository/repository_ajax.php |8 ++--
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/repository/filepicker.php b/repository/filepicker.php
index 68aee10..610ef13 100644
--- a/repository/filepicker.php
+++ b/repository/filepicker.php
@@ -93,9 +93,9 @@ if ($repository = $DB->get_record_sql($sql, array($repo_id))) {
 }
 }
-$moodle_maxbytes = get_max_upload_file_size();
+$moodle_maxbytes = get_max_upload_file_size($CFG->maxbytes, $course->maxbytes);
 // to prevent maxbytes greater than moodle maxbytes setting
-if ($maxbytes == 0 || $maxbytes>=$moodle_maxbytes) {
+if (($maxbytes <= 0) || ($maxbytes >= $moodle_maxbytes)) {
 $maxbytes = $moodle_maxbytes;
 }
diff --git a/repository/repository_ajax.php b/repository/repository_ajax.php
index b7793c8..b7f76d1 100644
--- a/repository/repository_ajax.php
+++ b/repository/repository_ajax.php
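Review bot: `$course->maxbytes` is dereferenced unconditionally in the new `get_max_upload_file_size($CFG->maxbytes, $course->maxbytes)` call in filepicker.php, while the repository_ajax.php hunk of the same commit checks `!empty($course)` first and falls back to 0. Whether `$course` is always populated at this point is not visible, since the script continues outside the hunk; if it can be unset, the call passes null and the course limit drops out of the clamp with nothing more than a notice. Using the same guard in both entry points, e.g. `$coursemaxbytes = empty($course) ? 0 : $course->maxbytes;`, would keep the size check consistent. The same lines are repeated inside debian/patches/0009-… further down this page.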
@@ -83,9 +83,13 @@ if (!$repository = $DB->get_record_sql($sql, array($repo_id))) {
 /// Check permissions
 repository::check_capability($contextid, $repository);
-$moodle_maxbytes = get_max_upload_file_size();
+$coursemaxbytes = 0;
+if (!empty($course)) {
+ $coursemaxbytes = $course->maxbytes;
+}
+$moodle_maxbytes = get_max_upload_file_size($CFG->maxbytes, $coursemaxbytes);
 // to prevent maxbytes greater than moodle maxbytes setting
-if ($maxbytes == 0 || $maxbytes>=$moodle_maxbytes) {
+if (($maxbytes <= 0) || ($maxbytes >= $moodle_maxbytes)) {
 $maxbytes = $moodle_maxbytes;
 }
--
1.7.10.4
From f7c9e3bb18e9e7fa06dff625042bf9572d709d45 Mon Sep 17 00:00:00 2001
From: Rajesh Taneja
Date: Fri, 3 Aug 2012 11:47:44 +0800
Subject: [PATCH] MDL-30792 Files API: Cleaner approach to get maxbytes size in filepicker
---
 lib/moodlelib.php |6 +++---
 repository/filepicker.php |7 ++-
 repository/repository_ajax.php |7 ++-
 3 files changed, 7 insertions(+), 13 deletions(-)
diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index 465226a..08b34ee 100644
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -5728,15 +5728,15 @@ function get_max_upload_file_size($sitebytes=0, $coursebytes=0, $modulebytes=0)
 }
 }
-if ($sitebytes and $sitebytes < $minimumsize) {
+if (($sitebytes > 0) and ($sitebytes < $minimumsize)) {
 $minimumsize = $sitebytes;
 }
-if ($coursebytes and $coursebytes < $minimumsize) {
+if (($coursebytes > 0) and ($coursebytes < $minimumsize)) {
 $minimumsize = $coursebytes;
 }
-if ($modulebytes and $modulebytes < $minimumsize) {
+if (($modulebytes > 0) and ($modulebytes < $minimumsize)) {
 $minimumsize = $modulebytes;
 }
diff --git a/repository/filepicker.php b/repository/filepicker.php
index 610ef13..fa759c5 100644
--- a/repository/filepicker.php
+++ b/repository/filepicker.php
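Review bot: The clamp in repository_ajax.php enforces only a ceiling, so any positive `$maxbytes` below `$moodle_maxbytes` is still accepted as given. Where `$maxbytes` is read is outside the hunk, but if it arrives with the request, as the fix implies, a stricter limit configured for the specific upload area is not enforced by this check and would have to be looked up on the server instead of taken from the parameter. The retained comment also undersells what the code now does (negative values and the course limit are covered too); something like `// Cap the requested maxbytes at the site and course limits; values below that cap are accepted as sent.` would state the guarantee precisely.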
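Review bot: The move from truthiness to `> 0` in lib/moodlelib.php changes the contract of `get_max_upload_file_size()` for every caller, and the docblock (outside this hunk, as are the start and end of the function) should record it. Before the change a negative argument was truthy and smaller than `$minimumsize`, so it became the returned limit; now it is ignored, the same as 0. Suggested parameter wording: `@param int $sitebytes Site limit in bytes; 0 or a negative value means no limit at this level`, and likewise for `$coursebytes` and `$modulebytes`. This matters because the same commit starts passing a caller-supplied `$maxbytes` as `$modulebytes`.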
@@ -93,11 +93,8 @@ if ($repository = $DB->get_record_sql($sql, array($repo_id))) {
 }
 }
-$moodle_maxbytes = get_max_upload_file_size($CFG->maxbytes, $course->maxbytes);
-// to prevent maxbytes greater than moodle maxbytes setting
-if (($maxbytes <= 0) || ($maxbytes >= $moodle_maxbytes)) {
-$maxbytes = $moodle_maxbytes;
-}
+// Make sure maxbytes passed is within site filesize limits.
+$maxbytes = get_max_upload_file_size($CFG->maxbytes, $coursemaxbytes, $maxbytes);
 $params = array('ctx_id' => $contextid, 'itemid' => $itemid, 'env' => $env, 'course'=>$courseid, 'maxbytes'=>$maxbytes, 'maxfiles'=>$maxfiles, 'subdirs'=>$subdirs, 'sesskey'=>sesskey());
 $params['action'] = 'browse';
diff --git a/repository/repository_ajax.php b/repository/repository_ajax.php
index b7f76d1..f8c9fe5 100644
--- a/repository/repository_ajax.php
+++ b/repository/repository_ajax.php
@@ -87,11 +87,8 @@ $coursemaxbytes = 0;
 if (!empty($course)) {
 $coursemaxbytes = $course->maxbytes;
 }
-$moodle_maxbytes = get_max_upload_file_size($CFG->maxbytes, $coursemaxbytes);
-// to prevent maxbytes greater than moodle maxbytes setting
-if (($maxbytes <= 0) || ($maxbytes >= $moodle_maxbytes)) {
-$maxbytes = $moodle_maxbytes;
-}
+// Make sure maxbytes passed is within site filesize limits.
+$maxbytes = get_max_upload_file_size($CFG->maxbytes, $coursemaxbytes, $maxbytes);
 /// Wait as long as it takes for this script to finish
 set_time
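Review bot: `$coursemaxbytes` is passed to `get_max_upload_file_size()` in the new filepicker.php call, but nothing visible in this hunk defines it. The removed line read `$course->maxbytes` directly, and only repository_ajax.php shows the `$coursemaxbytes = 0; if (!empty($course)) { … }` initialisation in its context lines. Unless filepicker.php assigns the variable above line 93 (not visible here), the argument is undefined, fails the `> 0` test in lib/moodlelib.php, and the course cap is skipped without an error. Adding `$coursemaxbytes = empty($course) ? 0 : $course->maxbytes;` before the call would make the size limit in this entry point match the AJAX one.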
Bug#687924: moodle: diff for NMU version 2.2.3.dfsg-2.3
tags 687924 + patch tags 687924 + pending thanks Dear maintainer, I've prepared an NMU for moodle (versioned as 2.2.3.dfsg-2.3) and uploaded it to DELAYED/1. Please feel free to tell me if I should delay it longer. Regards.
diff -Nru moodle-2.2.3.dfsg/debian/changelog moodle-2.2.3.dfsg/debian/changelog
--- moodle-2.2.3.dfsg/debian/changelog 2012-07-23 19:13:58.0 +0200
+++ moodle-2.2.3.dfsg/debian/changelog 2012-09-28 12:58:50.0 +0200
@@ -1,3 +1,22 @@
+moodle (2.2.3.dfsg-2.3) unstable; urgency=low
+
+ * Non-maintainer upload.
+
+ * Backport multiple security issues from upstream's MOODLE_22_STABLE
+branch. (Closes: #687924)
+- MSA-12-0051: MDL-30792 - File upload size constraint issue
+ Fixes CVE-2012-4400
+- MSA-12-0052: MDL-28207 - Course topics permission issue
+ Fixes CVE-2012-4401
+- MSA-12-0053: MDL-34585 - Blog file access issue
+ Fixes CVE-2012-4407
+- MSA-12-0054: MDL-34519 - Course reset permission issue
+ Fixes CVE-2012-4408
+- MSA-12-0055: MDL-34368 - Web service access token issue
+ Fixes CVE-2012-4402
+
+ -- Didier Raboud Fri, 28 Sep 2012 12:52:21 +0200
+
 moodle (2.2.3.dfsg-2.2) unstable; urgency=low
 * Non-maintainer upload.
diff -Nru moodle-2.2.3.dfsg/debian/patches/0009-MDL-30792-Files-API-maxbytes-will-be-set-by-get_max_.patch moodle-2.2.3.dfsg/debian/patches/0009-MDL-30792-Files-API-maxbytes-will-be-set-by-get_max_.patch
--- moodle-2.2.3.dfsg/debian/patches/0009-MDL-30792-Files-API-maxbytes-will-be-set-by-get_max_.patch 1970-01-01 01:00:00.0 +0100
+++ moodle-2.2.3.dfsg/debian/patches/0009-MDL-30792-Files-API-maxbytes-will-be-set-by-get_max_.patch 2012-09-28 12:58:50.0 +0200
@@ -0,0 +1,51 @@ +From ebf253af171efbc5ff3a0074538c85a5edcb2ee2 Mon Sep 17 00:00:00 2001 +From: Rajesh Taneja +Date: Fri, 3 Aug 2012 11:44:20 +0800 +Subject: [PATCH] MDL-30792 Files API: maxbytes will be set by + get_max_upload_file_size if less then 0 or greater then max + moodle limit + +--- + repository/filepicker.php |4 ++-- + repository/repository_ajax.php |8 ++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/repository/filepicker.php b/repository/filepicker.php +index 68aee10..610ef13 100644 +--- a/repository/filepicker.php b/repository/filepicker.php +@@ -93,9 +93,9 @@ if ($repository = $DB->get_record_sql($sql, array($repo_id))) { + } + } + +-$moodle_maxbytes = get_max_upload_file_size(); ++$moodle_maxbytes = get_max_upload_file_size($CFG->maxbytes, $course->maxbytes); + // to prevent maxbytes greater than moodle maxbytes setting +-if ($maxbytes == 0 || $maxbytes>=$moodle_maxbytes) { ++if (($maxbytes <= 0) || ($maxbytes >= $moodle_maxbytes)) { + $maxbytes = $moodle_maxbytes; + } + +diff --git a/repository/repository_ajax.php b/repository/repository_ajax.php +index b7793c8..b7f76d1 100644 +--- a/repository/repository_ajax.php b/repository/repository_ajax.php +@@ -83,9 +83,13 @@ if (!$repository = $DB->get_record_sql($sql, array($repo_id))) { + /// Check permissions + repository::check_capability($contextid, $repository); + +-$moodle_maxbytes = get_max_upload_file_size(); ++$coursemaxbytes = 0; ++if (!empty($course)) { ++ $coursemaxbytes = $course->maxbytes; ++} ++$moodle_maxbytes = get_max_upload_file_size($CFG->maxbytes, $coursemaxbytes); + // to prevent maxbytes greater than moodle maxbytes setting +-if ($maxbytes == 0 || $maxbytes>=$moodle_maxbytes) { ++if (($maxbytes <= 0) || ($maxbytes >= $moodle_maxbytes)) { + $maxbytes = $moodle_maxbytes; + } + +-- +1.7.10.4 + diff -Nru moodle-2.2.3.dfsg/debian/patches/0010-MDL-30792-Files-API-Cleaner-approach-to-get-maxbytes.patch 
moodle-2.2.3.dfsg/debian/patches/0010-MDL-30792-Files-API-Cleaner-approach-to-get-maxbytes.patch --- moodle-2.2.3.dfsg/debian/patches/0010-MDL-30792-Files-API-Cleaner-approach-to-get-maxbytes.patch 1970-01-01 01:00:00.0 +0100 +++ moodle-2.2.3.dfsg/debian/patches/0010-MDL-30792-Files-API-Cleaner-approach-to-get-maxbytes.patch 2012-09-28 12:58:50.0 +0200 @@ -0,0 +1,74 @@ +From f7c9e3bb18e9e7fa06dff625042bf9572d709d45 Mon Sep 17 00:00:00 2001 +From: Rajesh Taneja +Date: Fri, 3 Aug 2012 11:47:44 +0800 +Subject: [PATCH] MDL-30792 Files API: Cleaner approach to get maxbytes size + in filepicker + +--- + lib/moodlelib.php |6 +++--- + repository/filepicker.php |7 ++- + repository/repository_ajax.php |7 ++- + 3 files changed, 7 insertions(+), 13 deletions(-) + +diff --git a/lib/moodlelib.php b/lib/moodlelib.php +index 465226a..08b34ee 100644 +--- a/lib/moodlelib.php b/lib/moodlelib.php +@@ -5728,15 +5728,15 @@ function get_max_upload_file_size($sitebytes=0, $coursebytes=0, $modulebytes=0) + } + } + +-if ($sitebytes and $sitebytes < $minimumsize) { ++if (($sitebytes > 0) and ($sitebytes < $minimumsize)) { + $minimumsize = $sitebytes; + } + +-if ($coursebytes and $coursebytes < $minimumsize) { ++i