Feb 11 2011

Moodle development traffic 6/2011

Current stable version 2.0.1+

A total of 27 submitted patches for Moodle 2.0 were accepted this week. Eight pull requests were rejected. To highlight some of the accepted patches, Andrew Davis fixed a blocker issue reported by Aaron Cowell that caused errors in RSS feeds generated by Moodle (MDL-24870). ♦ Dongsheng Cai fixed a bug in the Database activity module’s templates editor (MDL-25671). ♦ Eloy Lafuente prepared an emergency fix for a regression blocking the upgrade on Oracle servers.

Previous stable version 1.9.10+

There is a single accepted patch for Moodle 1.9 from the last week. Eloy Lafuente fixed a regression in the Database activity module reported by Paul Nijbakker. Some module functions redirected the user to the first record in the database instead of to the correct one (MDL-26052). The second submitted patch for Moodle 1.9, improving the inefficient computation of tag correlations, had to be rejected because the included SQL statement was not cross-platform and worked under MySQL only (MDL-24355).

Quotes of the week

“I think we need to become serious and start rejecting any commit with [trailing] whitespace.”
Eloy Lafuente strongly recommends that all developers and contributors set up their IDE properly

“Open source sometimes actually works, even without doing the programming yourself.”
Sam Marshall knows that reporting a bug is sometimes enough to get the thing fixed

Testing Moodle on various databases

Moodle 2.0 officially supports four major database systems: PostgreSQL, MySQL, MSSQL and Oracle. I have PostgreSQL and MySQL installed on my Linux workstation and I use PostgreSQL 8.3 at the moment as the major platform for the development – simply because I believe that if code works on PostgreSQL, it is generally more cross-platform than code that was tested on MySQL. Though there are exceptions, of course.
To help with testing patches related to MSSQL, I decided to set up an MSSQL server for myself. I have successfully installed and set up MSSQL Server 2008 R2 Express edition. The server runs in a virtual machine on my notebook. I use VirtualBox from Oracle (Yes, Oracle made VirtualBox and we’ve always been at war with Eastasia) networked via a bridge between the Linux host and the Windows guest. That allows me to have Moodle installed in my Gentoo and connected to the MSSQL database in Windows via the freetds driver. To test the new sqlsrv driver, I downloaded the Moodle Windows package to the guest and was able to install it there, too.


Jul 1 2010

Moodle development traffic 25/2010

Latest stable version 1.9.9+

There are 17 commits into the stable branch from the last development week. Tim Hunt fixed a problem with deleting quiz attempts, occurring in quizzes in group mode with a group currently selected (MDL-22847), and two other issues in quiz. Dan Marsden and Piers Harding backported a series of patches from Moodle 2.0. Those patches fix various issues in the SCORM module (MDL-22332, MDL-22340, MDL-22168, MDL-21333, MDL-17891, MDL-21551, MDL-22741, MDL-21492, MDL-21761, MDL-12834 and MDL-21306).

Future version Moodle 2.0 Preview 3

There were 159 commits into the main development branch in the last week. Microsoft contributed a native SQL*Server adapter for their new SQL Server PHP driver (sqlsrv). The PHP extension XML-RPC became required for Moodle 2.0 and the prerequisite was set in admin/environment.xml. Moodle uses the XML-RPC extension for hub communication, web services and Moodle networking (MNet). There are already first reports from the community that this will be an issue with some cheaper web hosting providers, and even some core developers are not quite sure about this step, so the decision may not be final yet. On the other hand, Moodle is not a trivial application and one should not expect it to run just everywhere (just because of memory requirements, at least).

Quotes of the week

“Loan calculator 2.0! Now with extra mortgage sales! Order now and get 2 licenses of Moodle 2.0 for free.”
David Mudrak can’t believe the Loan calculator block still survives in standard Moodle distribution

“Eventually there will be unicorns and rainbows and everyone gets a pony.”
Sam Marshall dreaming about the future when developers would be happy with how Internet Explorer renders Moodle 2.0 pages

Cleaning user input

Sanitizing data inserted by users is a must. Without proper cleaning, data submitted by users could break database integrity or contain SQL injection (and it is not just about hackers, parents are malicious, too). In Moodle, there are two basic functions that every developer MUST use before processing user input: required_param() and optional_param(). They both use clean_param() to make sure that the script does not get unwanted values. The developer declares what type the parameter is – for example PARAM_INT for integers, PARAM_BOOL for booleans, PARAM_FILE for a safe file name etc. See the top of lib/moodlelib.php for the comprehensive list of them.
In most cases, clean_param() just uses regular expressions to get rid of invalid characters. Sometimes it returns the original value without the dangerous parts (as in PARAM_ALPHANUM, for example) and sometimes it returns an empty value if the parameter does not fit the conditions (as in PARAM_URL, which either returns the original value if it is ok, or nothing).
In some cases, just a formal syntax check is not enough. For example, PARAM_LANG not only checks that the provided value is a safe name of the language pack directory (by checking it against PARAM_SAFEDIR internally) but also checks that the given language is actually installed at the site. The same applies to PARAM_CAPABILITY, PARAM_AUTH or PARAM_THEME. As I realized recently (thanks to one of quite frequent discussions with Petr Škoda), this sort of check must be implemented with extra care and security risk analysis. If clean_param() calls other core functions, we must know exactly what is happening with the value itself during its clean-up, especially when we rely on 3rd party libraries. The point is that parameters are usually checked before the script calls require_login(), so we do not know much about the current user’s rights yet. Therefore, parameter handling functions are potential doors into the Moodle core system for anonymous users. Simple checks based on formal syntax rules are generally safer as they keep the request “ante portas”, and additional validation can be done later during the script execution, for example when we already know who the user is, what capabilities she/he has, and whether the combination of all parameters is valid (like the submission, assessment, course module and the course must match).
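
The two cleaning styles and the split between early syntax checks and later semantic validation can be modelled in a few lines of PHP. This is an added example, not Moodle's clean_param(): the function names, the MODEL_* constants, the sample request and the list of installed language packs are all hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not Moodle code. All names below are hypothetical.

const MODEL_STRIP_ALPHANUM = 'strip_alphanum'; // keep letters and digits
const MODEL_STRIP_SAFEDIR  = 'strip_safedir';  // keep letters, digits, _ and -
const MODEL_REJECT_INT     = 'reject_int';     // whole value or nothing

// Phase 1: formal syntax only. Safe to run before the user is known because
// the raw value never reaches the filesystem, the database or another library.
function model_clean(string $raw, string $type): string {
    switch ($type) {
        case MODEL_STRIP_ALPHANUM:
            return (string) preg_replace('/[^A-Za-z0-9]/', '', $raw);
        case MODEL_STRIP_SAFEDIR:
            return (string) preg_replace('/[^A-Za-z0-9_-]/', '', $raw);
        case MODEL_REJECT_INT:
            return preg_match('/^-?[0-9]+\z/', $raw) === 1 ? $raw : '';
        default:
            throw new InvalidArgumentException("Unknown type: $type");
    }
}

// Phase 2: semantic check, run later in the script on the cleaned value only,
// against a list the application built itself.
function model_validate_lang(string $cleaned, array $installed): string {
    return in_array($cleaned, $installed, true) ? $cleaned : '';
}

// Constructed sample request and constructed list of installed packs.
$request = [
    'id'   => '42 OR 1=1',
    'name' => 'week<script>1',
    'lang' => '../../en',
];
$installed = ['en', 'cs', 'de_du'];

$id   = model_clean($request['id'], MODEL_REJECT_INT);
$name = model_clean($request['name'], MODEL_STRIP_ALPHANUM);
$lang = model_clean($request['lang'], MODEL_STRIP_SAFEDIR);

// ... the login check would happen here in a real script ...
$lang = model_validate_lang($lang, $installed);

var_dump($id, $name, $lang);
```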

Post scriptum

The Moodle 2.0 translation portal http://lang.moodle.org is up and running in production mode now, so language pack maintainers can start translating Moodle 2.0. Thank you all for being patient.


Jul 21 2009

That’s one small plug-in for Moodle, one giant leap for Microsoft

As Galadriel said – the world has changed. Just a day after Microsoft submitted driver source code for inclusion in the Linux kernel under the GNU/GPL license, they released the Microsoft Live Services Plug-in for Moodle – again under GNU/GPL. It seems to me that the Moodle worldwide popularity together with the strict conditions ruled by GNU/GPL forced the software giant to the next step in their relationship with the open-source movement. NetworkWorld.com comes with a nice overview of Microsoft/open-source milestones (including their patch to the ADOdb library for PHP).




