MDL-63786 core: set $CFG->forceclean for logged in as sessions
Turn on the forceclean config setting when a user is logged in as a
different user. This is a precautionary measure, which forces all
user submitted content to be cleaned of JavaScript before rendering
it to the logged in as user.
ryanwyllie authored and Jenkins committed Mar 5, 2019
1 parent c430bed commit 93dda3b
Showing 3 changed files with 11 additions and 0 deletions.
3 changes: 3 additions & 0 deletions course/loginas.php
Expand Up @@ -79,6 +79,9 @@

// Login as this user and return to course home page.
\core\session\manager::loginas($userid, $context);
// Add a notification to let the logged in as user know that all content will be force cleaned
// while in this session.
\core\notification::info(get_string('sessionforceclean', 'core'));
$newfullname = fullname($USER, true);

$strloginas = get_string('loginas');
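Review bot: the notice is queued once here in course/loginas.php, at the moment of switching users, and at info level, but the forced cleaning it describes affects every page for the rest of the "logged in as" session; a teacher who sees stripped content several pages later has nothing on screen linking it to this precaution. Consider raising it as a warning rather than info, and pairing it with a persistent indicator in the "logged in as" text assembled just below (the $strloginas / $newfullname strings) rather than relying on a one-off notification.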
1 change: 1 addition & 0 deletions lang/en/moodle.php
Expand Up @@ -1808,6 +1808,7 @@
$string['separateandconnectedinfo'] = 'The scale based on the theory of separate and connected knowing. This theory describes two different ways that we can evaluate and learn about the things we see and hear.<ul><li><strong>Separate knowers</strong> remain as objective as possible without including feelings and emotions. In a discussion with other people, they like to defend their own ideas, using logic to find holes in opponent\'s ideas.</li><li><strong>Connected knowers</strong> are more sensitive to other people. They are skilled at empathy and tend to listen and ask questions until they feel they can connect and "understand things from their point of view". They learn by trying to share the experiences that led to the knowledge they find in other people.</li></ul>';
$string['servererror'] = 'An error occurred whilst communicating with the server';
$string['serverlocaltime'] = 'Server\'s local time';
$string['sessionforceclean'] = 'As a security precaution, user generated scripts have been disabled within this session';
$string['setcategorytheme'] = 'Set category theme';
$string['setpassword'] = 'Set password';
$string['setpasswordinstructions'] = 'Please enter your new password below, then save changes.';
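Review bot: the wording "user generated scripts have been disabled" understates what $CFG->forceclean does; it forces all user-submitted content through HTML cleaning, which removes more than script tags (embedded media is also affected, as the comment on this commit reports). Suggest the string describe the actual effect, e.g. 'As a security precaution, user generated content is displayed with scripts and other unsafe HTML removed within this session', so the logged-in-as user is not surprised by missing embeds.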
7 changes: 7 additions & 0 deletions lib/moodlelib.php
Expand Up @@ -2757,6 +2757,13 @@ function require_login($courseorid = null, $autologinguest = true, $cm = null, $
// Make sure the USER has a sesskey set up. Used for CSRF protection.
sesskey();

if (\core\session\manager::is_loggedinas()) {
// During a "logged in as" session we should force all content to be cleaned because the
// logged in user will be viewing potentially malicious user generated content.
// See MDL-63786 for more details.
$CFG->forceclean = true;
}

// Do not bother admins with any formalities, except for activities pending deletion.
if (is_siteadmin() && !($cm && $cm->deletioninprogress)) {
// Set the global $COURSE.
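Review bot: because the override lives in require_login(), it is request-scoped and only takes effect on code paths that reach this point; a script that renders user content without calling require_login, or that renders it before this call, and any AJAX or web-service endpoint with its own entry path, will still show the logged-in-as user uncleaned content. Since is_loggedinas() is a property of the session rather than of this function, it would be more robust to set $CFG->forceclean where the session state is established for the request (next to the is_loggedinas() handling in \core\session\manager) so every request in the session is covered, and to state in the MDL-63786 comment that this is an in-memory assignment for the current request only and is never written to the stored config.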

2 comments on commit 93dda3b

@minholi minholi commented on 93dda3b Apr 5, 2019


Would be nice to have a configuration to disable this. Teachers may want to view embedded content as the student (our case with embedded youtube videos).

@klorinczi

I would also welcome this feature merged into core.
