moodle/moodle
3
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-08-05 08:56:36 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

MDL-63786 core: set $CFG->forceclean for logged in as sessions

Browse source 
Turn on the forceclean config setting when a user is logged in as a
different user. This is a precautionary measure, which forces all
user submitted content to be cleaned of JavaScript before rendering
it to the logged in as user.
This commit is contained in:
Ryan Wyllie 2019-02-06 08:59:19 +08:00 committed by Jenkins
parent 911f748806
commit 070f24d006
3 changed files with 11 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
course/loginas.php
View file

@ -79,6 +79,9 @@ if (has_capability('moodle/user:loginas', $systemcontext)) {
// Login as this user and return to course home page.
\core\session\manager::loginas($userid, $context);
// Add a notification to let the logged in as user know that all content will be force cleaned
// while in this session.
\core\notification::info(get_string('sessionforceclean', 'core'));
$newfullname = fullname($USER, true);
$strloginas = get_string('loginas');

1
lang/en/moodle.php
View file

@ -1799,6 +1799,7 @@ $string['separateandconnected'] = 'Separate and Connected ways of knowing';
$string['separateandconnectedinfo'] = 'The scale based on the theory of separate and connected knowing. This theory describes two different ways that we can evaluate and learn about the things we see and hear.<ul><li><strong>Separate knowers</strong> remain as objective as possible without including feelings and emotions. In a discussion with other people, they like to defend their own ideas, using logic to find holes in opponent\'s ideas.</li><li><strong>Connected knowers</strong> are more sensitive to other people. They are skilled at empathy and tend to listen and ask questions until they feel they can connect and "understand things from their point of view". They learn by trying to share the experiences that led to the knowledge they find in other people.</li></ul>';
$string['servererror'] = 'An error occurred whilst communicating with the server';
$string['serverlocaltime'] = 'Server\'s local time';
$string['sessionforceclean'] = 'As a security precaution, user generated scripts have been disabled within this session';
$string['setcategorytheme'] = 'Set category theme';
$string['setpassword'] = 'Set password';
$string['setpasswordinstructions'] = 'Please enter your new password below, then save changes.';

7
lib/moodlelib.php
View file

@ -2693,6 +2693,13 @@ function require_login($courseorid = null, $autologinguest = true, $cm = null, $
// Make sure the USER has a sesskey set up. Used for CSRF protection.
sesskey();
if (\core\session\manager::is_loggedinas()) {
// During a "logged in as" session we should force all content to be cleaned because the
// logged in user will be viewing potentially malicious user generated content.
// See MDL-63786 for more details.
$CFG->forceclean = true;
}
// Do not bother admins with any formalities, except for activities pending deletion.
if (is_siteadmin() && !($cm && $cm->deletioninprogress)) {
// Set the global $COURSE.