ecampbell / moodle-atto_wordimport

Import Word file contents into Moodle Atto text box

Unprivileged access to the user draft file area #6

Closed mudrd8mz closed 8 years ago

mudrd8mz commented 8 years ago

As far as I can see, there are multiple issues with the import.php file.

ecampbell commented 8 years ago

I have added the require_login function call and the define('AJAX_SCRIPT') lines to import.php. I also added the current user id to any imported images in the files table. I assume that this means no other user can modify or delete them.

mudrd8mz commented 8 years ago

I assume that this means no other user can modify or delete them.

Why do you think so? https://github.com/moodle/moodle/blob/master/lib/filestorage/stored_file.php#L331 It is the caller who is responsible for access control, not this low-level API.

Currently, if I read correctly, every logged-in user can still remove any file from any other user's draft area. If that is abused by an automated script that does it in a loop across the whole site, it can easily prevent users from uploading new files (as they will be deleted before they are saved into the final file area).

ecampbell commented 8 years ago

I have added an additional constraint that only files from the current user's context are retrieved, which I hope resolves this issue.
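The pattern the thread converges on, written out as an added example (this is not the plugin's own import.php): Moodle's file-storage API enforces no access control, so the script itself must require a login and session key and scope every lookup to the session user's own draft area. The config.php path and the request parameter names are assumptions.

```php
<?php
// Added example of the hardening described in the issue; not code from the plugin.
// The stored_file API does no permission checks, so the caller must:
//  1. require a logged-in session,
//  2. require the session key (blocks cross-site requests to this AJAX endpoint),
//  3. look files up only in the current user's draft area, never by a
//     client-supplied file id or contextid (get_file_by_id() would be the
//     pattern the issue warns about: any logged-in user could reach any file).
define('AJAX_SCRIPT', true);
require_once(__DIR__ . '/../../../../../config.php');   // path is an assumption
require_once($CFG->libdir . '/filelib.php');

require_login();
require_sesskey();

// Parameter names are assumptions. PARAM_FILE rejects path separators, so the
// client cannot escape the draft area with a crafted filename.
$itemid   = required_param('itemid', PARAM_INT);
$filename = required_param('filename', PARAM_FILE);

// The context id comes from the session user, not from the request, so another
// user's draft files are unreachable whatever itemid/filename the client sends.
$usercontext = context_user::instance($USER->id);
$fs = get_file_storage();
$file = $fs->get_file($usercontext->id, 'user', 'draft', $itemid, '/', $filename);

if (!$file || $file->is_directory()) {
    throw new moodle_exception('filenotfound', 'error');
}

// Only now is it safe to operate on the stored_file (read it, or delete it once
// the import has copied it into the final file area).
$content = $file->get_content();

echo json_encode([
    'filename' => $file->get_filename(),
    'size'     => $file->get_filesize(),
]);
```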

ecampbell commented 8 years ago

I have released a new version (v0.0.9), but as the plugin status is currently "Waiting for approval", I cannot request re-approval.

ecampbell commented 8 years ago

I have released a new version (v0.9.1) to automate the installation process and support the import of equations.