diff -Nru moodle-1.9.9.dfsg2/debian/changelog moodle-1.9.9.dfsg2/debian/changelog
--- moodle-1.9.9.dfsg2/debian/changelog 2011-10-28 12:29:27.000000000 +0000
+++ moodle-1.9.9.dfsg2/debian/changelog 2012-02-27 21:22:15.000000000 +0000
@@ -1,3 +1,24 @@
+moodle (1.9.9.dfsg2-5) unstable; urgency=high
+
+ * Backporting security fixes from Moodle 1.9.15 and 1.9.16
+ (closes: #652235)
+ - MSA-11-0054 Personal information leak
+ - MSA-11-0045 Potential to masquerade through MNet (CVE-2011-4584)
+ - MSA-11-0046 Insecure authentication transmission (CVE-2011-4585)
+ - MSA-11-0047 Possible injection attack in Calendar (CVE-2011-4586)
+ - MSA-11-0048 Password loss issue (CVE-2011-4587)
+ - MSA-11-0049 Network restriction ineffective with MNet (CVE-2011-4588)
+ - MSA-12-0007 Email injection prevention (CVE-2012-0796)
+ - MSA-12-0006 Additional email address validation (CVE-2012-0795)
+ - MSA-12-0005 Encryption enhancement (CVE-2012-0794)
+ - MSA-12-0004 Added profile image security (CVE-2012-0793)
+ - MSA-12-0003 Added password protection
+ - MSA-12-0002 Personal information leak, previously MSA-11-0040
+ (CVE-2011-4308 and CVE-2012-0792)
+ - MSA-12-0001 Recaptcha transmission consistency issue
+
+ -- Tomasz Muras Mon, 27 Feb 2012 21:14:48 +0000
+
 moodle (1.9.9.dfsg2-4) unstable; urgency=high
 * Backporting security fixes from Moodle 1.9.13 and 1.9.14
diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-11-0045 moodle-1.9.9.dfsg2/debian/patches/MSA-11-0045
--- moodle-1.9.9.dfsg2/debian/patches/MSA-11-0045 1970-01-01 00:00:00.000000000 +0000
+++ moodle-1.9.9.dfsg2/debian/patches/MSA-11-0045 2012-02-24 15:11:31.000000000 +0000
@@ -0,0 +1,52 @@
+commit 408d3ca00035a8b24cc091ec93253e802e268c2d
+Author: David Mudrak
+Date: Fri Nov 4 10:57:58 2011 +0100
+
+ MDL-29977 MNet does not allow to start a remote session when masquerading as another user
+
+diff --git a/auth/mnet/auth.php b/auth/mnet/auth.php
+index a35cc8f..cece819 100644
+--- a/auth/mnet/auth.php
++++ b/auth/mnet/auth.php
+@@ -170,6 +170,10 @@ class auth_plugin_mnet extends auth_plugin_base {
+ global $MNET;
+ require_once $CFG->dirroot . '/mnet/xmlrpc/client.php';
+
++ if (!empty($USER->realuser)) {
++ print_error('notpermittedtojumpas', 'mnet');
++ }
++
+ // check remote login permissions
+ if (! has_capability('moodle/site:mnetlogintoremote', get_context_instance(CONTEXT_SYSTEM))
+ or is_mnet_remote_user($USER)
+diff --git a/blocks/mnet_hosts/block_mnet_hosts.php b/blocks/mnet_hosts/block_mnet_hosts.php
+index 9363338..c90da58 100644
+--- a/blocks/mnet_hosts/block_mnet_hosts.php
++++ b/blocks/mnet_hosts/block_mnet_hosts.php
+@@ -32,6 +32,14 @@ class block_mnet_hosts extends block_list {
+ return '';
+ }
+
++ if (!empty($USER->realuser)) {
++ $this->content = new stdClass();
++ $this->content->items = array();
++ $this->content->icons = array();
++ $this->content->footer = get_string('notpermittedtojumpas', 'mnet');
++ return $this->content;
++ }
++
+ // check for outgoing roaming permission first
+ if (!has_capability('moodle/site:mnetlogintoremote', get_context_instance(CONTEXT_SYSTEM), NULL, false)) {
+ return '';
+diff --git a/lang/en_utf8/mnet.php b/lang/en_utf8/mnet.php
+index 85845e8..b10271e 100644
+--- a/lang/en_utf8/mnet.php
++++ b/lang/en_utf8/mnet.php
+@@ -208,6 +208,7 @@ $string['addtoacl'] = 'Add to Access Control';
+ $string['accesslevel'] = 'Access Level';
+ $string['ssoaccesscontrol'] = 'SSO Access Control';
+ $string['notpermittedtojump'] = 'You do not have permission to begin a remote session from this Moodle hub.';
++$string['notpermittedtojumpas'] = 'You can\'t begin a remote session while you are logged in
as another user.';
+ $string['notpermittedtoland'] = 'You do not have permission to begin a remote session.';
+ $string['authfail_nosessionexists'] = 'Authorisation failed: the mnet session does not exist.';
+ $string['authfail_sessiontimedout'] = 'Authorisation failed: the mnet session has timed out.';
diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-11-0046 moodle-1.9.9.dfsg2/debian/patches/MSA-11-0046
--- moodle-1.9.9.dfsg2/debian/patches/MSA-11-0046 1970-01-01 00:00:00.000000000 +0000
+++ moodle-1.9.9.dfsg2/debian/patches/MSA-11-0046 2012-02-24 15:11:31.000000000 +0000
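Review bot: The refusal added to auth/mnet/auth.php reads `$USER->realuser`, but the only `global` statement visible in the hunk is `global $MNET;`; the later context line `is_mnet_remote_user($USER)` suggests `$USER` is already imported above the hunk, which starts outside it, so confirm that rather than assume it. The check deserves a why-comment, e.g. `// Refuse to start a remote session while "logged in as" another user (MDL-29977); the block only hides the host links, this is the enforcement point.` The block_mnet_hosts change returns empty items with a footer message and is presentation only; the `print_error()` in auth.php is what actually stops the jump, which is the right place for it.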
@@ -0,0 +1,56 @@
+commit 01dd64a8c8aa95f793accea371b2392e662663c5
+Author: Rossiani Wijaya
+Date: Mon Oct 31 17:28:52 2011 +0800
+
+ MDL-29092 login/change password: backporting to 1.9 for MDL-26381 and set form action to user https when loginhttps is enable
+
+diff --git a/login/change_password.php b/login/change_password.php
+index d80d590..41d1a7d 100644
+--- a/login/change_password.php
++++ b/login/change_password.php
+@@ -4,6 +4,7 @@
+ require_once('change_password_form.php');
+
+ $id = optional_param('id', SITEID, PARAM_INT); // current course
++ $return = optional_param('return', 0, PARAM_BOOL); // redirect after password change
+
+ $strparticipants = get_string('participants');
+
+@@ -12,6 +13,19 @@
+
+ $systemcontext = get_context_instance(CONTEXT_SYSTEM);
+
++ if ($return) {
++ // this redirect prevents security warning because https can not POST to http pages
++ if (empty($SESSION->wantsurl)
++ or stripos(str_replace('https://', 'http://', $SESSION->wantsurl), str_replace('https://', 'http://', $CFG->wwwroot.'/login/change_password.php') === 0)) {
++ $returnto = "$CFG->wwwroot/user/view.php?id=$USER->id&course=$id";
++ } else {
++ $returnto = $SESSION->wantsurl;
++ }
++ unset($SESSION->wantsurl);
++
++ redirect($returnto);
++ }
++
+ if (!$course = get_record('course', 'id', $id)) {
+ error('No such course!');
+ }
+@@ -19,7 +33,7 @@
+ // require proper login; guest user can not change password
+ if (empty($USER->id) or isguestuser()) {
+ if (empty($SESSION->wantsurl)) {
+- $SESSION->wantsurl = $CFG->httpswwwroot.'/login/change_password.php';
++ $SESSION->wantsurl = $CFG->httpswwwroot.'/login/change_password.php?id=' . $id;
+ }
+ redirect($CFG->httpswwwroot.'/login/index.php');
+ }
+@@ -54,7 +68,7 @@
+ redirect($changeurl);
+ }
+
+- $mform = new login_change_password_form();
++ $mform = new login_change_password_form($CFG->httpswwwroot . 
'/login/change_password.php');
+ $mform->set_data(array('id'=>$course->id));
+
+ $navlinks = array();
diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-11-0047 moodle-1.9.9.dfsg2/debian/patches/MSA-11-0047
--- moodle-1.9.9.dfsg2/debian/patches/MSA-11-0047 1970-01-01 00:00:00.000000000 +0000
+++ moodle-1.9.9.dfsg2/debian/patches/MSA-11-0047 2012-02-24 15:11:31.000000000 +0000
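Review bot: A closing parenthesis in the new wantsurl test in login/change_password.php is misplaced: `stripos(..., str_replace('https://', 'http://', $CFG->wwwroot.'/login/change_password.php') === 0))` passes `=== 0` as the needle argument, so `stripos()` is called with needle `false` (treated as a character code on the PHP versions this targets) and its own return value is what the `or` sees, never the intended prefix comparison. As written the branch meant to avoid bouncing back to change_password.php does not fire, and `$returnto = $SESSION->wantsurl` is used whenever wantsurl is set. The line should read `or stripos(str_replace('https://', 'http://', $SESSION->wantsurl), str_replace('https://', 'http://', $CFG->wwwroot.'/login/change_password.php')) === 0) {`. The script is a flat file, so no enclosing function is cut by the hunk.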
@@ -0,0 +1,234 @@ +commit e311b14364719b0f7851149ee51c1a4ec732635e +Author: Petr Skoda +Date: Fri Oct 28 18:36:43 2011 +0200 + + MDL-29925 fix calendar parameter handling + +diff --git a/calendar/event.php b/calendar/event.php +index ce524b1..5325aa4 100644 +--- a/calendar/event.php ++++ b/calendar/event.php +@@ -49,9 +49,9 @@ + $eventid = optional_param('id', 0, PARAM_INT); + $eventtype = optional_param('type', 'select', PARAM_ALPHA); + $urlcourse = optional_param('course', 0, PARAM_INT); +- $cal_y = optional_param('cal_y'); +- $cal_m = optional_param('cal_m'); +- $cal_d = optional_param('cal_d'); ++ $cal_y = optional_param('cal_y', 0, PARAM_INT); ++ $cal_m = optional_param('cal_m', 0, PARAM_INT); ++ $cal_d = optional_param('cal_d', 0, PARAM_INT); + + if(isguest()) { + // Guests cannot do anything with events +diff --git a/calendar/set.php b/calendar/set.php +index 0893605..ce86b75 100644 +--- a/calendar/set.php ++++ b/calendar/set.php +@@ -41,15 +41,14 @@ + require_once('../config.php'); + require_once($CFG->dirroot.'/calendar/lib.php'); + +- $from = required_param('from'); +- $var = required_param('var'); +- $value = optional_param('value'); +- $id = optional_param('id'); +- $cal_d = optional_param('cal_d'); +- $cal_m = optional_param('cal_m'); +- $cal_y = optional_param('cal_y'); +- $action = optional_param('action'); +- $type = optional_param('type'); ++ $from = required_param('from', PARAM_ALPHA); ++ $var = required_param('var', PARAM_ALPHA); ++ $id = optional_param('id', 0, PARAM_INT); ++ $cal_d = optional_param('cal_d', 0, PARAM_INT); ++ $cal_m = optional_param('cal_m', 0, PARAM_INT); ++ $cal_y = optional_param('cal_y', 0, PARAM_INT); ++ $action = optional_param('action', '', PARAM_ALPHA); ++ $type = optional_param('type', '', PARAM_ALPHA); + + // Initialize the session variables + calendar_session_vars(); +@@ -107,7 +106,7 @@ + + switch($from) { + case 'event': +- redirect(CALENDAR_URL.'event.php?action='.$action.'&type='.$type.'&id='.intval($id)); ++ 
redirect(CALENDAR_URL.'event.php?action='.$action.'&type='.$type.'&id='.$id); + break; + case 'month': + redirect(CALENDAR_URL.'view.php?view=month'.$courseid.'&cal_d='.$cal_d.'&cal_m='.$cal_m.'&cal_y='.$cal_y); +@@ -119,7 +118,7 @@ + redirect(CALENDAR_URL.'view.php?view=day'.$courseid.'&cal_d='.$cal_d.'&cal_m='.$cal_m.'&cal_y='.$cal_y); + break; + case 'course': +- redirect($CFG->wwwroot.'/course/view.php?id='.intval($id)); ++ redirect($CFG->wwwroot.'/course/view.php?id='.$id); + break; + default: + +diff --git a/calendar/view.php b/calendar/view.php +index b3245b1..0bcdb5d 100644 +--- a/calendar/view.php ++++ b/calendar/view.php +@@ -426,7 +426,7 @@ function calendar_show_month_detailed($m, $y, $courses, $groups, $users, $course + } + + // Now display all the calendar +- for($day = 1; $day <= $display->maxdays; ++$day, ++$dayweek) { ++ for($aday = 1; $aday <= $display->maxdays; ++$aday, ++$dayweek) { + if($dayweek > $display->maxwday) { + // We need to change week (table row) + echo "\n"; +@@ -436,7 +436,7 @@ function calendar_show_month_detailed($m, $y, $courses, $groups, $users, $course + + // Reset vars + $cell = ''; +- $dayhref = calendar_get_link_href(CALENDAR_URL.'view.php?view=day&course='.$courseid.'&', $day, $m, $y); ++ $dayhref = calendar_get_link_href(CALENDAR_URL.'view.php?view=day&course='.$courseid.'&', $aday, $m, $y); + + if(CALENDAR_WEEKEND & (1 << ($dayweek % 7))) { + // Weekend. This is true no matter what the exact range is. 
+@@ -448,35 +448,35 @@ function calendar_show_month_detailed($m, $y, $courses, $groups, $users, $course + } + + // Special visual fx if an event is defined +- if(isset($eventsbyday[$day])) { +- if(count($eventsbyday[$day]) == 1) { ++ if(isset($eventsbyday[$aday])) { ++ if(count($eventsbyday[$aday]) == 1) { + $title = get_string('oneevent', 'calendar'); + } + else { +- $title = get_string('manyevents', 'calendar', count($eventsbyday[$day])); ++ $title = get_string('manyevents', 'calendar', count($eventsbyday[$aday])); + } +- $cell = ''; ++ $cell = ''; + } + else { +- $cell = '
'.$day.'
'; ++ $cell = '
'.$aday.'
'; + } + + // Special visual fx if an event spans many days +- if(isset($typesbyday[$day]['durationglobal'])) { ++ if(isset($typesbyday[$aday]['durationglobal'])) { + $class .= ' duration_global'; + } +- else if(isset($typesbyday[$day]['durationcourse'])) { ++ else if(isset($typesbyday[$aday]['durationcourse'])) { + $class .= ' duration_course'; + } +- else if(isset($typesbyday[$day]['durationgroup'])) { ++ else if(isset($typesbyday[$aday]['durationgroup'])) { + $class .= ' duration_group'; + } +- else if(isset($typesbyday[$day]['durationuser'])) { ++ else if(isset($typesbyday[$aday]['durationuser'])) { + $class .= ' duration_user'; + } + + // Special visual fx for today +- if($display->thismonth && $day == $d) { ++ if($display->thismonth && $aday == $d) { + $class .= ' today'; + } else { + $class .= ' nottoday'; +@@ -488,9 +488,9 @@ function calendar_show_month_detailed($m, $y, $courses, $groups, $users, $course + } + echo ''.$cell; + +- if(isset($eventsbyday[$day])) { ++ if(isset($eventsbyday[$aday])) { + echo '
    '; +- foreach($eventsbyday[$day] as $eventindex) { ++ foreach($eventsbyday[$aday] as $eventindex) { + + // If event has a class set then add it to the event
  • tag + $eventclass = ''; +@@ -502,9 +502,9 @@ function calendar_show_month_detailed($m, $y, $courses, $groups, $users, $course + } + echo '
'; + } +- if(isset($durationbyday[$day])) { ++ if(isset($durationbyday[$aday])) { + echo '
    '; +- foreach($durationbyday[$day] as $eventindex) { ++ foreach($durationbyday[$aday] as $eventindex) { + echo '
  • ['.format_string($events[$eventindex]->name,true).']
  • '; + } + echo '
'; +diff --git a/lib/weblib.php b/lib/weblib.php +index 78a7ad2..36271fc 100644 +--- a/lib/weblib.php ++++ b/lib/weblib.php +@@ -6203,8 +6203,35 @@ function redirect($url, $message='', $delay=-1) { + + $message = clean_text($message); + ++ // Technically, HTTP/1.1 requires Location: header to contain the absolute path. ++ // (In practice browsers accept relative paths - but still, might as well do it properly.) ++ // This code turns relative into absolute. ++ if (!preg_match('|^[a-z]+:|', $url)) { ++ // Get host name http://www.wherever.com ++ $hostpart = preg_replace('|^(.*?[^:/])/.*$|', '$1', $CFG->wwwroot); ++ if (preg_match('|^/|', $url)) { ++ // URLs beginning with / are relative to web server root so we just add them in ++ $url = $hostpart.$url; ++ } else { ++ // URLs not beginning with / are relative to path of current script, so add that on. ++ $url = $hostpart.preg_replace('|\?.*$|','',me()).'/../'.$url; ++ } ++ // Replace all ..s ++ while (true) { ++ $newurl = preg_replace('|/(?!\.\.)[^/]*/\.\./|', '/', $url); ++ if ($newurl == $url) { ++ break; ++ } ++ $url = $newurl; ++ } ++ } ++ ++ // Sanitise url - we can not rely on our URL cleaning ++ // because it does not support all valid external URLs ++ $url = preg_replace('/[\x00-\x1F\x7F]/', '', $url); ++ $url = str_replace('"', '%22', $url); + $encodedurl = preg_replace("/\&(?![a-zA-Z0-9#]{1,8};)/", "&", $url); +- $encodedurl = preg_replace('/^.*href="([^"]*)".*$/', "\\1", clean_text('')); ++ $encodedurl = preg_replace('/^.*href="([^"]*)".*$/', "\\1", clean_text('', FORMAT_HTML)); + $url = str_replace('&', '&', $encodedurl); + + /// At developer debug level. Don't redirect if errors have been printed on screen. +@@ -6226,31 +6253,6 @@ function redirect($url, $message='', $delay=-1) { + + /// when no message and header printed yet, try to redirect + if (empty($message) and !defined('HEADER_PRINTED')) { +- +- // Technically, HTTP/1.1 requires Location: header to contain +- // the absolute path. 
(In practice browsers accept relative +- // paths - but still, might as well do it properly.) +- // This code turns relative into absolute. +- if (!preg_match('|^[a-z]+:|', $url)) { +- // Get host name http://www.wherever.com +- $hostpart = preg_replace('|^(.*?[^:/])/.*$|', '$1', $CFG->wwwroot); +- if (preg_match('|^/|', $url)) { +- // URLs beginning with / are relative to web server root so we just add them in +- $url = $hostpart.$url; +- } else { +- // URLs not beginning with / are relative to path of current script, so add that on. +- $url = $hostpart.preg_replace('|\?.*$|','',me()).'/../'.$url; +- } +- // Replace all ..s +- while (true) { +- $newurl = preg_replace('|/(?!\.\.)[^/]*/\.\./|', '/', $url); +- if ($newurl == $url) { +- break; +- } +- $url = $newurl; +- } +- } +- + $delay = 0; + //try header redirection first + @header($_SERVER['SERVER_PROTOCOL'] . ' 303 See Other'); //302 might not work for POST requests, 303 is ignored by obsolete clients diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-11-0048 moodle-1.9.9.dfsg2/debian/patches/MSA-11-0048 --- moodle-1.9.9.dfsg2/debian/patches/MSA-11-0048 1970-01-01 00:00:00.000000000 +0000 +++ moodle-1.9.9.dfsg2/debian/patches/MSA-11-0048 2012-02-24 15:11:31.000000000 +0000 
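Review bot: The removal of `$value = optional_param('value');` in calendar/set.php drops the variable without touching any later use; the rest of set.php is outside the hunk, so verify nothing below still reads `$value`, which would now be an undefined variable. In the lib/weblib.php hunk the new sanitisation comment only says the URL cleaner cannot be relied on; it should say what the two lines defend against, e.g. `// Strip control characters (a CR/LF would end the Location: header early) and encode double quotes so the URL cannot break out of the href attribute the fallback below extracts.` Moving the relative-to-absolute block ahead of that sanitisation is correct, since the assembled URL includes the output of `me()` and is now cleaned as a whole. `redirect()` continues outside the hunk.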
@@ -0,0 +1,30 @@
+commit e079e82c087becf06d902089d14f3f76686bde19
+Author: Ankit Kumar Agarwal
+Date: Thu Nov 10 13:46:43 2011 +0530
+
+ MDL-29893 Fixing issues with password generation function
+
+diff --git a/lib/moodlelib.php b/lib/moodlelib.php
+index fee5324..b5ea458 100644
+--- a/lib/moodlelib.php
++++ b/lib/moodlelib.php
+@@ -8725,12 +8725,17 @@ function generate_password($maxlen=10) {
+ $filler1 = $fillers[rand(0, strlen($fillers) - 1)];
+ $password = $word1 . $filler1 . $word2;
+ } else {
+- $maxlen = !empty($CFG->minpasswordlength) ? $CFG->minpasswordlength : 0;
++ $minlen = !empty($CFG->minpasswordlength) ? $CFG->minpasswordlength : 0;
+ $digits = $CFG->minpassworddigits;
+ $lower = $CFG->minpasswordlower;
+ $upper = $CFG->minpasswordupper;
+ $nonalphanum = $CFG->minpasswordnonalphanum;
+- $additional = $maxlen - ($lower + $upper + $digits + $nonalphanum);
++ $total = $lower + $upper + $digits + $nonalphanum;
++ // minlength should be the greater one of the two ( $minlen and $total )
++ $minlen = $minlen < $total ? $total : $minlen;
++ // maxlen can never be smaller than minlen
++ $maxlen = $minlen > $maxlen ? $minlen : $maxlen;
++ $additional = $maxlen - $total;
+
+ // Make sure we have enough characters to fulfill
+ // complexity requirements
diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-11-0049 moodle-1.9.9.dfsg2/debian/patches/MSA-11-0049
--- moodle-1.9.9.dfsg2/debian/patches/MSA-11-0049 1970-01-01 00:00:00.000000000 +0000
+++ moodle-1.9.9.dfsg2/debian/patches/MSA-11-0049 2012-02-24 15:11:31.000000000 +0000
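Review bot: The two new ternaries in generate_password() are `max()` in disguise; `$minlen = max($minlen, $total);` and `$maxlen = max($minlen, $maxlen);` state the intent without the reader having to check the direction of each comparison, and the two comments above them then become redundant. Separately, the context line above the change draws the filler with `rand()`, which is not a cryptographic source; the commit fixes the length arithmetic, but a generated password is still only as unpredictable as `rand()`, so a TODO pointing at a CSPRNG-backed draw belongs next to it. `generate_password()` starts and ends outside the hunk.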
@@ -0,0 +1,23 @@
+commit 3ab2851d2a59721445945d0706c58092e07e861e
+Author: Patrick Mcneill
+Date: Thu Nov 10 10:10:49 2011 +0530
+
+ MDL-29551 Fixing ip_in_range function
+
+diff --git a/mnet/lib.php b/mnet/lib.php
+index 060204c..94d4b86 100644
+--- a/mnet/lib.php
++++ b/mnet/lib.php
+@@ -412,10 +412,10 @@ function ip_in_range($address, $network, $mask) {
+ $lnetwork = ip2long($network);
+ $laddress = ip2long($address);
+
+- $binnet = str_pad( decbin($lnetwork),32,"0","STR_PAD_LEFT" );
++ $binnet = str_pad( decbin($lnetwork), 32, "0", STR_PAD_LEFT );
+ $firstpart = substr($binnet,0,$mask);
+
+- $binip = str_pad( decbin($laddress),32,"0","STR_PAD_LEFT" );
++ $binip = str_pad( decbin($laddress), 32, "0", STR_PAD_LEFT );
+ $firstip = substr($binip,0,$mask);
+ return(strcmp($firstpart,$firstip)==0);
+ }
diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-11-0054 moodle-1.9.9.dfsg2/debian/patches/MSA-11-0054
--- moodle-1.9.9.dfsg2/debian/patches/MSA-11-0054 1970-01-01 00:00:00.000000000 +0000
+++ moodle-1.9.9.dfsg2/debian/patches/MSA-11-0054 2012-02-24 15:11:31.000000000 +0000
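Review bot: `ip2long()` returns `false` for a malformed address or network, and ip_in_range() passes that straight into `decbin()`, which yields `'0'` and is then padded to 32 zeros; a garbage `$address` therefore matches any network whose masked prefix is all zeros, and a garbage `$network` matches addresses in the low range. Because this function gates the MNet network restriction, it should fail closed before the padding: `if ($lnetwork === false or $laddress === false) { return false; }`. The mask is likewise not validated, so a `$mask` outside 0–32 (a negative length changes what `substr()` returns) silently compares the wrong prefix; a range check on it would close that too. The fix of the `STR_PAD_LEFT` constant itself is correct and is what the advisory is about.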
@@ -0,0 +1,50 @@ +commit 8f83cfbe914b501d8d419ba10f0063c0f0a6ee5f +Author: adrian@moodle.com +Date: Tue Nov 15 09:52:03 2011 +0800 + + MDL-20627 user - Fixed viewing permission of email when sending group messages. + +diff --git a/lang/en_utf8/moodle.php b/lang/en_utf8/moodle.php +index 55cc552..0d8c27b 100644 +--- a/lang/en_utf8/moodle.php ++++ b/lang/en_utf8/moodle.php +@@ -503,6 +503,7 @@ $string['emaildisable'] = 'This email address is disabled'; + $string['emaildisableclick'] = 'Click here to disable all email from being sent to this address'; + $string['emaildisplay'] = 'Email display'; + $string['emaildisplaycourse'] = 'Allow only other course members to see my email address'; ++$string['emaildisplayhidden'] = 'Email hidden'; + $string['emaildisplayno'] = 'Hide my email address from everyone'; + $string['emaildisplayyes'] = 'Allow everyone to see my email address'; + $string['emailenable'] = 'This email address is enabled'; +diff --git a/user/message.html b/user/message.html +index ab51aa0..eaafa14 100644 +--- a/user/message.html ++++ b/user/message.html +@@ -56,7 +56,13 @@ + $course->teacher = get_string('defaultcourseteacher'); + } + foreach ($SESSION->emailto[$id] as $user) { +- echo ''.fullname($user,true).''.$user->email.''; ++ echo ''.fullname($user,true).''; ++ // Check to see if we should be showing the email address. ++ if ($user->maildisplay == 0 ) { // 0 = don't display my email to anyone. ++ echo '' . get_string('emaildisplayhidden') . 
''; ++ } else { ++ echo ''.$user->email.''; ++ } + if ($user->teacher) { + echo ''.$course->teacher.''; + } +diff --git a/user/messageselect.php b/user/messageselect.php +index 059598e..d79cd0f 100644 +--- a/user/messageselect.php ++++ b/user/messageselect.php +@@ -46,7 +46,7 @@ + foreach ($_POST as $k => $v) { + if (preg_match('/^(user|teacher)(\d+)$/',$k,$m)) { + if (!array_key_exists($m[2],$SESSION->emailto[$id])) { +- if ($user = get_record_select('user','id = '.$m[2],'id,firstname,lastname,idnumber,email,emailstop,mailformat,lastaccess')) { ++ if ($user = get_record_select('user','id = '.$m[2],'id,firstname,lastname,idnumber,email,emailstop,mailformat,lastaccess,maildisplay')) { + $SESSION->emailto[$id][$m[2]] = $user; + $SESSION->emailto[$id][$m[2]]->teacher = ($m[1] == 'teacher'); + $count++; diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-12-0001 moodle-1.9.9.dfsg2/debian/patches/MSA-12-0001 --- moodle-1.9.9.dfsg2/debian/patches/MSA-12-0001 1970-01-01 00:00:00.000000000 +0000 +++ moodle-1.9.9.dfsg2/debian/patches/MSA-12-0001 2012-02-27 20:41:15.000000000 +0000 
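Review bot: `if ($user->maildisplay == 0 )` in user/message.html hides the address only for the "hide from everyone" option; the lang strings in the same patch also describe a course-members-only option (`emaildisplaycourse`), and the new check shows the address for every non-zero value without asking whether the viewer qualifies. If that option's stored value is something other than 0 (not visible on this page), the condition should cover it, or better be replaced by a capability check, and the comment `// 0 = don't display my email to anyone.` widened to state the policy for each value. One thing in the hunk's favour: session entries cached before `maildisplay` was added to the select list in user/messageselect.php lack the field, and `null == 0` is true, so stale sessions fail closed rather than open.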
@@ -0,0 +1,28 @@
+commit c3056feed85bf7ea11c829e8756f521e50580abb
+Author: Petr Skoda
+Date: Tue Dec 6 11:44:13 2011 +0100
+
+ MDL-27364 use https for recaptcha when site runs via https
+
+ Based on solution by Rajesh Taneja.
+
+diff --git a/lib/form/recaptcha.php b/lib/form/recaptcha.php
+index 7cbc830..9b0fc2a 100644
+--- a/lib/form/recaptcha.php
++++ b/lib/form/recaptcha.php
+@@ -33,10 +33,13 @@ class MoodleQuickForm_recaptcha extends HTML_QuickForm_input {
+ *
+ */
+ function MoodleQuickForm_recaptcha($elementName = null, $elementLabel = null, $attributes = null) {
++ global $CFG;
+ parent::HTML_QuickForm_input($elementName, $elementLabel, $attributes);
+ $this->_type = 'recaptcha';
+- if (!empty($attributes['https'])) {
+- $this->_https = $attributes['https'];
++ if (!empty($attributes['https']) or strpos($CFG->httpswwwroot, 'https:') === 0) {
++ $this->_https = true;
++ } else {
++ $this->_https = false;
+ }
+ }
+
diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-12-0002 moodle-1.9.9.dfsg2/debian/patches/MSA-12-0002
--- moodle-1.9.9.dfsg2/debian/patches/MSA-12-0002 1970-01-01 00:00:00.000000000 +0000
+++ moodle-1.9.9.dfsg2/debian/patches/MSA-12-0002 2012-02-27 20:41:15.000000000 +0000
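Review bot: The new if/else in the recaptcha constructor only assigns a boolean and reads more directly as one expression: `$this->_https = !empty($attributes['https']) || strpos($CFG->httpswwwroot, 'https:') === 0;` (with `||` rather than `or`, whose precedence sits below `=`). Normalising `_https` to a strict `true`/`false` instead of storing whatever `$attributes['https']` held is an improvement worth keeping either way. A one-line comment would save the next reader a trip to the tracker: `// Request the widget over https whenever the site itself is served over https (MDL-27364).`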
@@ -0,0 +1,99 @@ +commit 36b0ddeed45d0751508dcd9fa50f17fda43bae54 +Author: Sam Hemelryk +Date: Tue Dec 6 16:05:49 2011 +1300 + + MDL-30012 mod_forum: Fixed bug in forum user script + +diff --git a/mod/forum/user.php b/mod/forum/user.php +index 5d71002..d25fbf6 100644 +--- a/mod/forum/user.php ++++ b/mod/forum/user.php +@@ -40,6 +40,50 @@ + die; + } + ++ switch ($mode) { ++ case 'posts' : ++ $searchterms = array('userid:'.$user->id); ++ $extrasql = ''; ++ break; ++ ++ default: ++ $searchterms = array('userid:'.$user->id); ++ $extrasql = 'AND p.parent = 0'; ++ break; ++ } ++ if ($course->id == SITEID) { ++ if (empty($CFG->forceloginforprofiles) || isloggedin()) { ++ // Search throughout the whole site. ++ $searchcourse = 0; ++ } else { ++ $searchcourse = SITEID; ++ } ++ } else { ++ // Search only for posts the user made in this course. ++ $searchcourse = $course->id; ++ } ++ ++ $posts = forum_search_posts($searchterms, $searchcourse, $page*$perpage, $perpage, $totalcount, $extrasql); ++ ++ $hasposts = !empty($posts); ++ $iscurrentuser = $user->id == $USER->id; ++ $specificcourseprovided = !empty($searchcourse) && $searchcourse != SITEID; ++ if (!$hasposts && !$iscurrentuser && !$specificcourseprovided) { ++ $mustlogin = (!isloggedin() && $CFG->forceloginforprofiles); ++ $canviewtheuser = (isloggedin() && has_capability('moodle/user:viewdetails', $usercontext)); ++ if ($mustlogin || (!isteacherinanycourse() && !isteacherinanycourse($user->id) && !$canviewtheuser)) { ++ // Best to assume that the current user cannot view the requested user ++ // so we are careful not to give out any information. ++ print_header(); ++ print_heading(get_string('noposts', 'forum')); ++ print_footer(); ++ exit; ++ } else { ++ // Nothing to check here. If a course has been specified then require_course_login ++ // has been called OR the current user is a parent of the requested user. 
++ } ++ } ++ + add_to_log($course->id, "forum", "user report", + "user.php?course=$course->id&id=$user->id&mode=$mode", "$user->id"); + +@@ -65,36 +109,10 @@ + $showroles = 1; + include($CFG->dirroot.'/user/tabs.php'); /// Prints out tabs as part of user page + +- +- switch ($mode) { +- case 'posts' : +- $searchterms = array('userid:'.$user->id); +- $extrasql = ''; +- break; +- +- default: +- $searchterms = array('userid:'.$user->id); +- $extrasql = 'AND p.parent = 0'; +- break; +- } +- + echo '
'; + +- if ($course->id == SITEID) { +- if (empty($CFG->forceloginforprofiles) || isloggedin()) { +- // Search throughout the whole site. +- $searchcourse = 0; +- } else { +- $searchcourse = SITEID; +- } +- } else { +- // Search only for posts the user made in this course. +- $searchcourse = $course->id; +- } +- + // Get the posts. +- if ($posts = forum_search_posts($searchterms, $searchcourse, $page*$perpage, $perpage, +- $totalcount, $extrasql)) { ++ if ($posts) { + + print_paging_bar($totalcount, $page, $perpage, + "user.php?id=$user->id&course=$course->id&mode=$mode&perpage=$perpage&"); diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-12-0003 moodle-1.9.9.dfsg2/debian/patches/MSA-12-0003 --- moodle-1.9.9.dfsg2/debian/patches/MSA-12-0003 1970-01-01 00:00:00.000000000 +0000 +++ moodle-1.9.9.dfsg2/debian/patches/MSA-12-0003 2012-02-27 20:41:15.000000000 +0000 
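Review bot: The `else` branch at the end of the relocated access check in mod/forum/user.php is empty apart from a comment, and an empty branch is the kind of thing a later edit silently breaks; fold the explanation into the `if` and drop the branch, e.g. `// Otherwise either require_course_login has already run for the course, or the current` / `// user is allowed to see the requested user; nothing more to check here.` The check also reads `$usercontext`, which is set somewhere above the hunk, so confirm it exists on the 1.9 script this is backported to. Hoisting the search and the check above `print_header()` is the substance of the fix, since the script can now exit with the generic "no posts" page before any output distinguishes the cases.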
@@ -0,0 +1,62 @@ +commit 630fc6ee7ead7345d15d0fbe048cd626a119825c +Author: adrian@moodle.com +Date: Thu Dec 8 09:21:15 2011 +0800 + + MDL-30336 - login - Added a setting in security that allows auto complete to be set to off in password fields. + +diff --git a/admin/settings/security.php b/admin/settings/security.php +index 7ab02e1..4f2a038 100644 +--- a/admin/settings/security.php ++++ b/admin/settings/security.php +@@ -67,6 +67,7 @@ if ($hassiteconfig) { // speedup for non-admins, add all caps used on this page + $temp->add(new admin_setting_configcheckbox('cookiehttponly', get_string('cookiehttponly', 'admin'), get_string('configcookiehttponly', 'admin'), 0)); + $temp->add(new admin_setting_configcheckbox('regenloginsession', get_string('regenloginsession', 'admin'), get_string('configregenloginsession', 'admin'), 1)); + $temp->add(new admin_setting_configtext('excludeoldflashclients', get_string('excludeoldflashclients', 'admin'), get_string('configexcludeoldflashclients', 'admin'), '10.0.12', PARAM_TEXT)); ++ $temp->add(new admin_setting_configcheckbox('loginpasswordautocomplete', get_string('loginpasswordautocomplete', 'admin'), get_string('loginpasswordautocomplete_help', 'admin'), 0)); + $ADMIN->add('security', $temp); + + +diff --git a/blocks/login/block_login.php b/blocks/login/block_login.php +index d203c4b..44b174b 100644 +--- a/blocks/login/block_login.php ++++ b/blocks/login/block_login.php +@@ -49,7 +49,12 @@ class block_login extends block_base { + $this->content->text .= '
'; + + $this->content->text .= '
'; +- $this->content->text .= '
'; ++ ++ if (!empty($CFG->loginpasswordautocomplete)) { ++ $this->content->text .= ''; ++ } else { ++ $this->content->text .= ''; ++ } + + $this->content->text .= '
'; + +diff --git a/lang/en_utf8/admin.php b/lang/en_utf8/admin.php +index 7d6a64a..915064e 100644 +--- a/lang/en_utf8/admin.php ++++ b/lang/en_utf8/admin.php +@@ -493,6 +493,8 @@ $string['location'] = 'Location'; + $string['locationsettings'] = 'Location settings'; + $string['log'] = 'Logs'; + $string['loginhttps'] = 'Use HTTPS for logins'; ++$string['loginpasswordautocomplete'] = 'Prevent password autocompletion on login form.'; ++$string['loginpasswordautocomplete_help'] = 'Having this off will let users save their account password in their browser. Switching this setting on will result in your site no longer following XHTML strict validation rules.'; + $string['loglifetime'] = 'Keep logs for'; + $string['longtimenosee'] = 'Unsubscribe users from courses after'; + $string['longtimewarning'] = 'Please note that this process can take a long time.'; +diff --git a/login/index_form.html b/login/index_form.html +index c1ff040..620fe81 100644 +--- a/login/index_form.html ++++ b/login/index_form.html +@@ -35,7 +35,7 @@ if ($show_instructions) { +
+
+
+- ++ loginpasswordautocomplete)) {echo 'autocomplete="off"';} ?> /> + " /> + +
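Review bot: The help string `loginpasswordautocomplete_help` promises more than `autocomplete="off"` delivers: browsers treat the attribute on login password fields as advisory and most current ones ignore it for saved credentials, so the admin text should describe the setting as a hint to the browser rather than a control. The title string ends in a full stop (`'Prevent password autocompletion on login form.'`) unlike the neighbouring `loginhttps` title, and the description is looked up under a `_help` suffix where the other settings added in security.php use a `config*` string; both are worth aligning. The same `!empty($CFG->loginpasswordautocomplete)` test is duplicated in block_login.php and login/index_form.html; a small helper returning the attribute string would keep the two in step.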
diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-12-0004 moodle-1.9.9.dfsg2/debian/patches/MSA-12-0004 --- moodle-1.9.9.dfsg2/debian/patches/MSA-12-0004 1970-01-01 00:00:00.000000000 +0000 +++ moodle-1.9.9.dfsg2/debian/patches/MSA-12-0004 2012-02-27 21:10:30.000000000 +0000 
@@ -0,0 +1,48 @@ +commit 4ed11995247b47033d4cd58eb75bc7101a431ef5 +Author: Rajesh Taneja +Date: Tue Jan 3 13:48:24 2012 +0800 + + MDL-29844 Administration: Added new config for users to login for viewing profile image + +diff --git a/admin/settings/security.php b/admin/settings/security.php +index 4f2a038..58a233d 100644 +--- a/admin/settings/security.php ++++ b/admin/settings/security.php +@@ -8,6 +8,7 @@ if ($hassiteconfig) { // speedup for non-admins, add all caps used on this page + $temp->add(new admin_setting_configcheckbox('protectusernames', get_string('protectusernames', 'admin'), get_string('configprotectusernames', 'admin'), 1)); + $temp->add(new admin_setting_configcheckbox('forcelogin', get_string('forcelogin', 'admin'), get_string('configforcelogin', 'admin'), 0)); + $temp->add(new admin_setting_configcheckbox('forceloginforprofiles', get_string('forceloginforprofiles', 'admin'), get_string('configforceloginforprofiles', 'admin'), 1)); ++ $temp->add(new admin_setting_configcheckbox('forceloginforprofileimage', get_string('forceloginforprofileimage', 'admin'), get_string('forceloginforprofileimage_help', 'admin'), 0)); + $temp->add(new admin_setting_configcheckbox('opentogoogle', get_string('opentogoogle', 'admin'), get_string('configopentogoogle', 'admin'), 0)); + + $max_upload_choices = get_max_upload_sizes(); +diff --git a/lang/en_utf8/admin.php b/lang/en_utf8/admin.php +index 915064e..6f88a99 100644 +--- a/lang/en_utf8/admin.php ++++ b/lang/en_utf8/admin.php +@@ -396,6 +396,8 @@ $string['filtersettings'] = 'Manage filters'; + $string['filtersettingsgeneral'] = 'General filter settings'; + $string['filteruploadedfiles'] = 'Filter uploaded files'; + $string['forcelogin'] = 'Force users to login'; ++$string['forceloginforprofileimage'] = 'Force users to login to view user pictures'; ++$string['forceloginforprofileimage_help'] = 'If enabled, users must login in order to view user profile pictures and the default user picture will be used in all 
notification emails.'; + $string['forceloginforprofiles'] = 'Force users to login for profiles'; + $string['forcetimezone'] = 'Force default timezone'; + $string['framename'] = 'Frame name'; +diff --git a/user/pix.php b/user/pix.php +index d37d18b..fa0365c 100644 +--- a/user/pix.php ++++ b/user/pix.php +@@ -6,8 +6,10 @@ + require_once('../config.php'); + require_once($CFG->libdir.'/filelib.php'); + +- if (!empty($CFG->forcelogin) and !isloggedin()) { ++ if ((!empty($CFG->forcelogin) and !isloggedin()) || ++ (!empty($CFG->forceloginforprofileimage) && (!isloggedin() || isguestuser()))) { + // protect images if login required and not logged in; ++ // also if login is required for profile images and is not logged in or guest + // do not use require_login() because it is expensive and not suitable here anyway + redirect($CFG->pixpath.'/u/f1.png'); + } + diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-12-0005 moodle-1.9.9.dfsg2/debian/patches/MSA-12-0005 --- moodle-1.9.9.dfsg2/debian/patches/MSA-12-0005 1970-01-01 00:00:00.000000000 +0000 +++ moodle-1.9.9.dfsg2/debian/patches/MSA-12-0005 2012-02-27 20:41:15.000000000 +0000 
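Review bot: The new condition in user/pix.php mixes `and`, `&&` and `||` in one expression; it is correct only because of the explicit parentheses, and every reader has to re-verify that. Rewrite with one operator family: `if ((!empty($CFG->forcelogin) && !isloggedin()) ||` / `(!empty($CFG->forceloginforprofileimage) && (!isloggedin() || isguestuser()))) {`. Note also that a guest session is rejected only under the new setting while the original `forcelogin` branch still lets it through; that looks deliberate but deserves a word in the comment the hunk adds.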
@@ -0,0 +1,28 @@
+commit 75366c60ff24436aff7e0daa02fb1d46c03ac47d
+Author: adrian@moodle.com
+Date: Fri Dec 2 16:33:25 2011 +0800
+
+ MDL-28948 - lib - removed the hard coded key for the rc4encryt function.
+
+diff --git a/lib/moodlelib.php b/lib/moodlelib.php
+index 3711b5f..bde71c2 100644
+--- a/lib/moodlelib.php
++++ b/lib/moodlelib.php
+@@ -6029,7 +6029,7 @@ function get_list_of_currencies() {
+ * @todo Finish documenting this function
+ */
+ function rc4encrypt($data) {
+- $password = 'nfgjeingjk';
++ $password = get_site_identifier();
+ return endecrypt($password, $data, '');
+ }
+
+@@ -6041,7 +6041,7 @@ function rc4encrypt($data) {
+ * @todo Finish documenting this function
+ */
+ function rc4decrypt($data) {
+- $password = 'nfgjeingjk';
++ $password = get_site_identifier();
+ return endecrypt($password, $data, 'de');
+ }
+
diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-12-0006 moodle-1.9.9.dfsg2/debian/patches/MSA-12-0006
--- moodle-1.9.9.dfsg2/debian/patches/MSA-12-0006 1970-01-01 00:00:00.000000000 +0000
+++ moodle-1.9.9.dfsg2/debian/patches/MSA-12-0006 2012-02-27 20:41:15.000000000 +0000
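Review bot: Switching the key from a literal to `get_site_identifier()` means ciphertext produced under the old fixed key no longer decrypts after the upgrade, and the hunk carries no migration or fallback; whether anything persistent was encrypted with `rc4encrypt()` is not determinable from this page, so at minimum the changelog and the still-`@todo` docblocks should state the break. Both docblocks should also give the contract, e.g. `Encrypts (rc4encrypt) or decrypts (rc4decrypt) $data with RC4 under a key derived from this site's identifier; the result is only meaningful on the same site, and RC4 provides no integrity protection, so callers must not trust decrypted data without a separate check.` The two functions duplicate the key lookup; a small private helper returning the key would keep encrypt and decrypt in step if the derivation changes again.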
@@ -0,0 +1,19 @@
+commit f88a9ef3fb3fdd2a796a8ff4471fc8c6e9093b78
+Author: Petr Skoda
+Date: Mon Jan 2 23:25:38 2012 +0100
+
+ MDL-13572 do not send messages to invalid addresses
+
+diff --git a/message/lib.php b/message/lib.php
+index 4722a15..b9c7aed 100644
+--- a/message/lib.php
++++ b/message/lib.php
+@@ -996,7 +996,7 @@ function message_post_message($userfrom, $userto, $message, $format, $messagetyp
+ $messagehtml = NULL;
+ }
+
+- if (!empty($preference->message_emailaddress)) {
++ if (!empty($preference->message_emailaddress) and validate_email($preference->message_emailaddress)) {
+ $userto->email = $preference->message_emailaddress; // Use custom messaging address
+ }
+
diff -Nru moodle-1.9.9.dfsg2/debian/patches/MSA-12-0007 moodle-1.9.9.dfsg2/debian/patches/MSA-12-0007
--- moodle-1.9.9.dfsg2/debian/patches/MSA-12-0007 1970-01-01 00:00:00.000000000 +0000
+++ moodle-1.9.9.dfsg2/debian/patches/MSA-12-0007 2012-02-27 21:12:00.000000000 +0000
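Review bot: When validate_email() rejects the custom address, the new condition silently leaves $userto->email at the account address with no trace, so a user who mistyped their messaging address gets mail elsewhere and nobody can tell why. A comment on the changed line would make that intent explicit, e.g. `// custom address that fails validate_email() is ignored; fall back to the account address`, and a `debugging()` call in an else branch would make the fallback diagnosable. message_post_message() starts and ends outside the hunk.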
@@ -0,0 +1,61 @@
+commit 1501cc8cea9ecc316e354250cc9aed0894e3433f
+Author: Petr Skoda
+Date: Sun Dec 11 23:42:32 2011 +0100
+
+ MDL-30575 yet more mail header cleanup
+
+diff --git a/lib/phpmailer/class.phpmailer.php b/lib/phpmailer/class.phpmailer.php
+index d5ccc70..53d3668 100644
+--- a/lib/phpmailer/class.phpmailer.php
++++ b/lib/phpmailer/class.phpmailer.php
+@@ -653,11 +653,11 @@ class PHPMailer
+ */
+ function AddrFormat($addr) {
+ if(empty($addr[1]))
+- $formatted = $addr[0];
++ $formatted = preg_replace('/[\r\n]+/', '', $addr[0]); // Moodle modification
+ else
+ {
+- $formatted = $this->EncodeHeader($addr[1], 'phrase') . " <" .
+- $addr[0] . ">";
++ $formatted = $this->EncodeHeader($addr[1], 'phrase') . " <" .
++ preg_replace('/[\r\n]+/', '', $addr[0]) . ">"; // Moodle modification
+ }
+
+ return $formatted;
+@@ -780,9 +780,9 @@ class PHPMailer
+
+ $result .= $this->HeaderLine("Date", $this->RFCDate());
+ if($this->Sender == "")
+- $result .= $this->HeaderLine("Return-Path", trim($this->From));
++ $result .= $this->HeaderLine("Return-Path", trim(preg_replace('/[\r\n]+/', '', $this->From))); // Moodle modification
+ else
+- $result .= $this->HeaderLine("Return-Path", trim($this->Sender));
++ $result .= $this->HeaderLine("Return-Path", trim(preg_replace('/[\r\n]+/', '', $this->Sender))); // Moodle modification
+
+ // To be created automatically by mail()
+ if($this->Mailer != "mail")
+commit a9e3abe0b437d449a044f1e059a5d0f29601f335
+Author: Petr Skoda
+Date: Sat Dec 10 18:21:35 2011 +0100
+
+ MDL-30575 more mail header cleanup
+
+@@ -1190,7 +1190,10 @@ class PHPMailer
+ */
+ function EncodeHeader ($str, $position = 'text') {
+
+- /// Start Moodle Hack - do our own multibyte-safe header encoding
++ /// Start Moodle Hack - do our own multibyte-safe header encoding and cleanup
++ $str = str_replace("\r", '', $str);
++ $str = str_replace("\n", '', $str);
++
+ $textlib = textlib_get_instance();
+ $encoded = $textlib->encode_mimeheader($str, $this->CharSet);
+ if ($encoded !== false) {
+commit a9e3abe0b437d449a044f1e059a5d0f29601f335
+Author: Petr Skoda
+Date: Sat Dec 10 18:21:35 2011 +0100
+
+ MDL-30575 more mail header cleanup
+
diff -Nru moodle-1.9.9.dfsg2/debian/patches/series moodle-1.9.9.dfsg2/debian/patches/series
--- moodle-1.9.9.dfsg2/debian/patches/series 2011-10-27 21:28:10.000000000 +0000
+++ moodle-1.9.9.dfsg2/debian/patches/series 2012-02-27 20:47:11.000000000 +0000
@@ -19,3 +19,16 @@
 MDL-29033
 MDL-29148
 MDL-29311
+MSA-11-0045
+MSA-11-0046
+MSA-11-0047
+MSA-11-0048
+MSA-11-0049
+MSA-11-0054
+MSA-12-0001
+MSA-12-0002
+MSA-12-0003
+MSA-12-0004
+MSA-12-0005
+MSA-12-0006
+MSA-12-0007
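Review bot: The third inner hunk (`@@ -1190,7 +1190,10 @@`, EncodeHeader) is introduced only by the embedded `commit a9e3abe…` message and has no `diff --git`/`---`/`+++` header of its own, so whether quilt/patch attaches it to lib/phpmailer/class.phpmailer.php rather than skipping it should be verified before relying on the EncodeHeader cleanup; the same six-line commit block is also repeated verbatim at the end of the patch file, which looks like a copy-and-paste leftover. In the code, the expression `preg_replace('/[\r\n]+/', '', …)` now appears four times across AddrFormat and the Return-Path lines while EncodeHeader does the same job with two str_replace calls; a single private helper such as `function CleanHeaderValue($value) { return preg_replace('/[\r\n]+/', '', $value); }` called from all five places would keep them from drifting apart. Note that the cleanup removes line breaks silently rather than rejecting the value, so a malformed address is still emitted, just folded onto one line; AddrFormat, EncodeHeader and the method containing the Return-Path lines all extend beyond their hunks.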