MDL-18552 TeX filter - blacklist unsecure commands + protect texdebug ; merged from 19_STABLE

2025-01-18 05:58:34 +01:00 · 2009-03-26 19:17:25 +00:00 · 2009-03-26 19:17:25 +00:00 · e42398e409
commit e42398e409
parent a774767903
2 changed files with 26 additions and 2 deletions
--- a/filter/tex/filter.php
+++ b/filter/tex/filter.php
@ -137,6 +137,16 @@ class tex_filter extends filter_base {
            $text = str_replace($matches[0][$i],$replacement,$text);
        }

+        // TeX blacklist. MDL-18552
+        $tex_blacklist = array(
+            'include','def','command','loop','repeat','open','toks','output',
+            'input','catcode','name','^^',
+            '\every','\errhelp','\errorstopmode','\scrollmode','\nonstopmode',
+            '\batchmode','\read','\write','csname','\newhelp','\uppercase',
+            '\lowercase','\relax','\aftergroup',
+            '\afterassignment','\expandafter','\noexpand','\special'
+        );
+
        // <tex> TeX expression </tex>
        // or <tex alt="My alternative text to be used instead of the TeX form"> TeX expression </tex>
        // or $$ TeX expression $$
@ -159,6 +169,19 @@ class tex_filter extends filter_base {
              $align = "text-top";
              $texexp = preg_replace('/^align=top /','',$texexp);
            }
+        /// Check $texexp against blacklist (whitelisting could be more complete but also harder to maintain). MDL-18552
+            $invalidcommands = array();
+            foreach($tex_blacklist as $command) {
+                if (stristr($texexp, $command)) { /// Found invalid command. Annotate.
+                    $invalidcommands[] = $command;
+                }
+            }
+            if (!empty($invalidcommands)) { /// Invalid commands found. Output error and continue with next TeX element
+                $invalidstr = get_string('invalidtexcommand', 'error', implode(', ', $invalidcommands));
+                $text = str_replace( $matches[0][$i], $invalidstr, $text);
+                continue;
+            }
+        /// Everything is ok, let's process the expression
            $md5 = md5($texexp);
            if (! $texcache = $DB->get_record("cache_filters", array("filter"=>"tex", "md5key"=>$md5))) {
                $texcache->filter = 'tex';
--- a/filter/tex/texdebug.php
+++ b/filter/tex/texdebug.php
@ -3,8 +3,6 @@
      // If not, it obtains the corresponding TeX expression from the cache_tex db table
      // and uses mimeTeX to create the image file

-    define('NO_MOODLE_COOKIES', true); // Because it interferes with caching
-
    require_once("../../config.php");

    if (empty($CFG->textfilters)) {
@ -23,6 +21,9 @@
    $action = optional_param('action', '', PARAM_ALPHA);
    $texexp = optional_param('tex', '', PARAM_RAW);

+    require_login();
+    require_capability('moodle/site:config', get_context_instance(CONTEXT_SYSTEM), $USER->id); /// Required cap to run this. MDL-18552
+
    $query = urldecode($_SERVER['QUERY_STRING']);
    error_reporting(E_ALL);
    $output = '';