Closed tmuras closed 4 years ago
Hi @ariepl - could you tell me if the security issue has been addressed?
Hello, this is from my developer:
We did not really see any security concerns but did a code-update:
For example, services.php is created dynamically:
This code is for dynamically creating some needed code for Moodle, for example:
This functionality is activated only if Moodle is in "developer-mode" mode and the developer will change some PHP code of the plugin.
These dynamic files will be changed only after changes, so these function calls are very seldom. By default in the Moodle API these files must be changed manually.
This code has no dangerous components. But, of course, potentially it is possible; so we hid this code (not deleted), so the developer must uncomment it if it is needed, or change the needed files manually as usual for Moodle.
eval() function is used: we disabled the code.
There are a few eval() calls, but they are from vendor libraries.
extract run on $GLOBALS: this was changed before.
We updated the experimental branch.
Parts of the code seem to be dangerous - for example services.php is created dynamically:
eval() function is used:
extract run on $GLOBALS:
Have a look at https://docs.moodle.org/dev/Security and URLs linked from there.
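A reviewer-side check for two of the findings in this thread, as an added example (not code from the plugin or from Moodle): a heuristic Python scanner that reports live `eval()` and `extract($GLOBALS)` calls, skips commented-out code and string contents, and separates `vendor/` hits from first-party ones. The file names and contents in `SAMPLE` are constructed, and heredocs are assumed not to occur.

```python
import re

# Heuristic patterns for the constructs named in the issue. The lookbehind
# skips method calls ($obj->eval, Foo::eval) and longer names (my_eval).
PATTERNS = {
    "eval": re.compile(r"(?<![\w>$:])eval\s*\(", re.IGNORECASE),
    "extract-globals": re.compile(
        r"(?<![\w>$:])extract\s*\(\s*\$GLOBALS\b", re.IGNORECASE),
}

# String literals are matched first so comment markers inside them are not
# treated as comments; then /* */, // and # comments.
_TOKEN = re.compile(
    r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|/\*.*?\*/|(?://|#)[^\n]*""",
    re.DOTALL,
)

def strip_comments_and_strings(src):
    """Blank comments and string contents, keeping newlines for line numbers."""
    def repl(m):
        tok = m.group(0)
        newlines = "\n" * tok.count("\n")
        if tok[0] in "'\"":
            return tok[0] + newlines + tok[0]   # keep empty quotes
        return newlines                          # drop the comment
    return _TOKEN.sub(repl, src)

def scan(files):
    """files: {relative path: PHP source}. Returns sorted (path, line, rule, origin)."""
    findings = []
    for path, src in files.items():
        origin = "vendor" if "vendor" in path.split("/") else "first-party"
        cleaned = strip_comments_and_strings(src)
        for lineno, line in enumerate(cleaned.splitlines(), 1):
            for rule, rx in PATTERNS.items():
                if rx.search(line):
                    findings.append((path, lineno, rule, origin))
    return sorted(findings)

# Constructed sample tree: disabled (commented) code, a live extract() call,
# and an eval() inside a bundled library.
SAMPLE = {
    "classes/generator.php": "<?php\n// eval($code);\n/* extract($GLOBALS); */\n$msg = 'eval() is disabled';\n",
    "lib.php": "<?php\nfunction f() {\n    extract( $GLOBALS );\n    $r = $obj->eval($x);\n}\n",
    "vendor/acme/tpl/engine.php": "<?php\nreturn eval('?>' . $compiled);\n",
}

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding, sep="\t")
```

Vendor findings are reported rather than hidden, since a bundled library's `eval()` still ships with the plugin.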