gtn / exaport

exabis eportfolio
http://www.exabis.at

Security concerns #21

Closed tmuras closed 4 years ago

tmuras commented 5 years ago

Parts of the code seem to be dangerous - for example, services.php is created dynamically:

// save to services.php
$content = "<?php\n\n";
$content .= '$functions = '.var_export($functions, true).";\n\n";
$content .= '$services = '.var_export($services, true).";\n\n";
file_put_contents($servicesFile, $content);

The eval() function is used:

eval('
        function '.$namespace.'_'.$function.'() {
            return call_user_func_array(\'\\'.$namespace.'\\'.$function.'\', func_get_args());
        }
    ');

extract() is run on $GLOBALS:

extract($GLOBALS);

Have a look at https://docs.moodle.org/dev/Security and URLs linked from there.
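The three patterns quoted above, shown beside non-dynamic alternatives, as an added example that is not code from exaport or Moodle; the names exaport_demo, get_items and $CFG_DEMO are made up for the demo.

```php
<?php
// Added example (not exaport/Moodle code): (a) the eval() wrapper idea rebuilt
// without eval(), (b) why extract($GLOBALS) is risky and the explicit form.
namespace exaport_demo {
    // Hypothetical namespaced function that a wrapper would forward to.
    function get_items(int $userid): array {
        return ['userid' => $userid, 'count' => 0];
    }
}

namespace {
    // (a) Instead of eval('function '.$namespace.'_'.$function.'() {...}'),
    // keep a registry of closures: the names are only array keys and a
    // callable string that PHP resolves, so no source text is ever built.
    function register_wrapper(array &$registry, string $namespace, string $function): void {
        $ident = '/^[A-Za-z_][A-Za-z0-9_]*$/';
        if (!preg_match($ident, $namespace) || !preg_match($ident, $function)) {
            throw new InvalidArgumentException("bad identifier: $namespace/$function");
        }
        $target = $namespace . '\\' . $function;
        if (!is_callable($target)) {
            throw new InvalidArgumentException("not callable: $target");
        }
        $registry[$namespace . '_' . $function] = static fn(...$args) => $target(...$args);
    }

    // (b) extract($GLOBALS) imports every global into the local scope and,
    // with the default EXTR_OVERWRITE, silently overwrites same-named locals.
    function current_theme_with_extract(): string {
        $theme = 'boost';          // local default
        extract($GLOBALS);         // any global named $theme wins
        return $theme;
    }

    function current_theme_explicit(): string {
        $theme = 'boost';
        global $CFG_DEMO;          // import only the one global that is needed
        return $CFG_DEMO['theme'] ?? $theme;
    }

    // Demo run with constructed data: a stray global whose name collides.
    $theme = 'stray-global';
    $CFG_DEMO = [];
    $registry = [];
    register_wrapper($registry, 'exaport_demo', 'get_items');
    var_dump($registry['exaport_demo_get_items'](42)['userid']); // int(42)
    var_dump(current_theme_with_extract());   // "stray-global": local clobbered
    var_dump(current_theme_explicit());       // "boost": unaffected
    try {
        register_wrapper($registry, 'exaport_demo', 'bad name()'); // rejected
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```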

tmuras commented 3 years ago

Hi @ariepl - could you tell me if the security issue has been addressed?

ariepl commented 3 years ago

Hello, this is from my developer:

We did not really see any security concerns but did a code update:

for example services.php is created dynamically:

This code is for dynamically creating some needed code for Moodle; for example:

This functionality is activated only if Moodle is in "developer" mode and the developer changes some PHP code of the plugin.

These dynamic files are changed only after such changes, so these function calls are very seldom. By default in the Moodle API these files must be changed manually.

This code has no dangerous components. But, of course, potentially it is possible; so we hid this code (not deleted it), so the developer must uncomment it if needed, or change the needed files manually as usual for Moodle.

eval() function is used: we disabled the code

There are a few eval() calls, but they are from vendor libraries

extract run on $GLOBALS: this was changed before

We updated the experimental branch.