Skip to content
Permalink
Browse files

MDL-63786 core: set $CFG->forceclean for logged in as sessions

Turn on the forceclean config setting when a user is logged in as a
different user. This is a precautionary measure, which forces all
user submitted content to be cleaned of JavaScript before rendering
it to the logged in as user.
  • Loading branch information...
ryanwyllie authored and Jenkins committed Feb 6, 2019
1 parent c430bed commit 93dda3bfd3caaaa8d23fe8ede543f27ef774958d
Showing with 11 additions and 0 deletions.
  1. +3 −0 course/loginas.php
  2. +1 −0 lang/en/moodle.php
  3. +7 −0 lib/moodlelib.php
@@ -79,6 +79,9 @@
// Login as this user and return to course home page.
\core\session\manager::loginas($userid, $context);
// Add a notification to let the logged in as user know that all content will be force cleaned
// while in this session.
\core\notification::info(get_string('sessionforceclean', 'core'));
$newfullname = fullname($USER, true);
$strloginas = get_string('loginas');
@@ -1808,6 +1808,7 @@
$string['separateandconnectedinfo'] = 'The scale based on the theory of separate and connected knowing. This theory describes two different ways that we can evaluate and learn about the things we see and hear.<ul><li><strong>Separate knowers</strong> remain as objective as possible without including feelings and emotions. In a discussion with other people, they like to defend their own ideas, using logic to find holes in opponent\'s ideas.</li><li><strong>Connected knowers</strong> are more sensitive to other people. They are skilled at empathy and tend to listen and ask questions until they feel they can connect and "understand things from their point of view". They learn by trying to share the experiences that led to the knowledge they find in other people.</li></ul>';
$string['servererror'] = 'An error occurred whilst communicating with the server';
$string['serverlocaltime'] = 'Server\'s local time';
$string['sessionforceclean'] = 'As a security precaution, user generated scripts have been disabled within this session';
$string['setcategorytheme'] = 'Set category theme';
$string['setpassword'] = 'Set password';
$string['setpasswordinstructions'] = 'Please enter your new password below, then save changes.';
@@ -2757,6 +2757,13 @@ function require_login($courseorid = null, $autologinguest = true, $cm = null, $
// Make sure the USER has a sesskey set up. Used for CSRF protection.
sesskey();
if (\core\session\manager::is_loggedinas()) {
// During a "logged in as" session we should force all content to be cleaned because the
// logged in user will be viewing potentially malicious user generated content.
// See MDL-63786 for more details.
$CFG->forceclean = true;
}
// Do not bother admins with any formalities, except for activities pending deletion.
if (is_siteadmin() && !($cm && $cm->deletioninprogress)) {
// Set the global $COURSE.

2 comments on commit 93dda3b

@minholi

This comment has been minimized.

Copy link

replied Apr 5, 2019

Would be nice to have a configuration to disable this. Teachers may want to view embeded content as the student (our case with embeded youtube videos).

@klorinczi

This comment has been minimized.

Copy link

replied Apr 5, 2019

I would also welcome this feature merged into core.

Please sign in to comment.
You can’t perform that action at this time.