Jul 1 2010

Moodle development traffic 25/2010

Latest stable version 1.9.9+

There were 17 commits into the stable branch in the last development week. Tim Hunt fixed a problem with deleting quiz attempts that occurred in quizzes in group mode with a group currently selected (MDL-22847), and two other issues in the quiz module. Dan Marsden and Piers Harding backported a series of patches from Moodle 2.0. These patches fix various issues in the SCORM module (MDL-22332, MDL-22340, MDL-22168, MDL-21333, MDL-17891, MDL-21551, MDL-22741, MDL-21492, MDL-21761, MDL-12834 and MDL-21306).

Future version Moodle 2.0 Preview 3

There were 159 commits into the main development branch in the last week. Microsoft contributed a native SQL Server adapter for their new SQL Server PHP driver (sqlsrv). The PHP extension XML-RPC became required for Moodle 2.0 and the prerequisite was set in admin/environment.xml. Moodle uses the XML-RPC extension for hub communication, web services and Moodle networking (MNet). There are already first reports from the community that this will be an issue with some cheaper web hosting providers, and even some core developers are not quite sure about this step, so the decision may not be final yet. On the other hand, Moodle is not a trivial application and one should not expect it to run just anywhere (because of its memory requirements, at the very least).

Quotes of the week

“Loan calculator 2.0! Now with extra mortgage sales! Order now and get 2 licenses of Moodle 2.0 for free.”
David Mudrak can’t believe the Loan calculator block still survives in the standard Moodle distribution

“Eventually there will be unicorns and rainbows and everyone gets a pony.”
Sam Marshall dreaming about the future in which developers will be happy with how Internet Explorer renders Moodle 2.0 pages

Cleaning user input

Sanitizing data submitted by users is a must. Without proper cleaning, data submitted by users could break database integrity or carry an SQL injection (and it is not just about hackers; parents are malicious, too). In Moodle, there are two basic functions that every developer MUST use before processing user input: required_param() and optional_param(). Both use clean_param() to make sure that the script does not get unwanted values. The developer declares what type the parameter is, for example PARAM_INT for integers, PARAM_BOOL for booleans, PARAM_FILE for a safe file name, etc. See the top of lib/moodlelib.php for the comprehensive list. Note that cleaning establishes the type and shape of a value only; the cleaned value still has to reach the database through the DML layer and its placeholders rather than by string concatenation, otherwise the SQL injection protection is lost again.
In most cases, clean_param() just uses regular expressions to get rid of invalid characters. Sometimes it returns the original value without the dangerous parts (as in PARAM_ALPHANUM, for example) and sometimes it returns an empty value if the parameter does not fit the conditions (as in PARAM_URL, which either returns the original value if it is OK, or nothing).
In some cases, a formal syntax check alone is not enough. For example PARAM_LANG not only checks that the provided value is a safe name of a language pack directory (by checking it against PARAM_SAFEDIR internally) but also checks that the given language is actually installed on the site. The same applies to PARAM_CAPABILITY, PARAM_AUTH and PARAM_THEME. As I realized recently (thanks to one of my quite frequent discussions with Petr Škoda), this sort of check must be implemented with extra care and a security risk analysis. If clean_param() calls other core functions, we must know exactly what happens to the value during its clean-up, especially when we rely on 3rd party libraries.
The point is that parameters are usually checked before the script calls require_login(), so we do not yet know much about the current user’s rights. Therefore, parameter handling functions are potential doors into the Moodle core for anonymous users. Simple checks based on formal syntax rules are generally safer as they keep the request “ante portas”; additional validation can be done later during the script execution, for example when we already know who the user is, what capabilities she/he has, and whether the combination of all parameters is valid (the submission, the assessment, the course module and the course must all match).
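The ordering described above, written out as an added example script (this is not Moodle’s own code, nor code from any real module): syntactic cleaning first, record lookup and cross-checks second, require_login() and capability checks third, and only then any semantic validation or state change. The module name mymod, its table, the sort column names and the capability names mod/mymod:view and mod/mymod:manage are assumptions for illustration; required_param(), optional_param(), get_coursemodule_from_id(), require_login(), get_context_instance(), require_capability() and require_sesskey() are the Moodle 2.0 core functions.

```php
<?php
// Added example, not part of the original post or of Moodle: a hypothetical
// mod/mymod/view.php that follows the "clean first, authorize later" pattern.

require_once(dirname(__FILE__) . '/../../config.php');   // sets up $CFG, $DB, $USER

// 1. Clean every request parameter up front using formal (syntactic) rules only.
//    required_param() aborts the script if the parameter is missing;
//    optional_param() falls back to the given default.
$cmid    = required_param('id', PARAM_INT);                 // course module id
$page    = optional_param('page', 0, PARAM_INT);            // pagination offset
$sort    = optional_param('sort', 'name', PARAM_ALPHA);     // assumed: column name, letters only
$confirm = optional_param('confirm', false, PARAM_BOOL);    // destructive action requested?

// Nothing above has consulted the database or the user's rights; a malformed
// request is rejected while it is still "ante portas".

// 2. Resolve the records the parameters point to and make sure they belong together.
//    MUST_EXIST turns a missing record into an error instead of a silent false.
$cm     = get_coursemodule_from_id('mymod', $cmid, 0, false, MUST_EXIST);
$course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);
$mymod  = $DB->get_record('mymod', array('id' => $cm->instance), '*', MUST_EXIST);  // assumed table

// 3. Only now find out who the user is and whether they may be here at all.
require_login($course, true, $cm);
$context = get_context_instance(CONTEXT_MODULE, $cm->id);
require_capability('mod/mymod:view', $context);             // assumed capability name

// 4. Semantic validation that needs the loaded records: a clean-looking string
//    is still not trusted as a column name; it is checked against an allow-list.
$allowedsort = array('name', 'timemodified');
if (!in_array($sort, $allowedsort, true)) {
    $sort = 'name';
}

// 5. A state-changing action additionally needs an explicit confirmation, the
//    session key (CSRF protection) and a stronger capability before anything changes.
if ($confirm) {
    require_sesskey();
    require_capability('mod/mymod:manage', $context);       // assumed capability name
    // ... perform the confirmed action on $mymod here, using $page and $sort
}
```

The point of the allow-list in step 4 is that PARAM_ALPHA only guarantees the value consists of letters; which letters form a valid column name is knowledge the script has, so that decision stays in the script rather than being pushed into clean_param().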

Post scriptum

The Moodle 2.0 translation portal http://lang.moodle.org is up and running in production mode now, and language pack maintainers can start translating Moodle 2.0. Thank you all for being patient.


Jun 18 2010

Moodle development traffic 23/2010

Latest stable version 1.9.9+

There were 5 commits into the stable branch in the last development week (from Tuesday Jun 8 to Monday Jun 14). Martin Dougiamas bumped the version to 1.9.9 and fixed a potential memory overflow problem occurring during activity import when a teacher is enrolled in many courses (MDL-19880). This fix caused a regression, spotted and patched by Alan Trick and committed by Eloy Lafuente (MDL-22740). Tim Hunt committed a patch provided by Vadim Dvorovenko, fixing a typo that broke the question restore process (MDL-22720). Gordon Bateson committed a patch submitted by Ramon Eixarch, fixing a question import problem with the Hotpot JMatch and JMix formats (MDL-22726).
Security announcements for Moodle 1.9.9 were published yesterday on our MSA page. Moodle 1.9.9 fixes four security problems, two of which are considered critical and one major. Registered administrators were notified and encouraged to upgrade their sites before the detailed description of these issues was published; see Moodle security procedures for details.

Future version Moodle 2.0 Preview 3

There were 76 commits into the main development branch during the last week. Repository plugins mahara and remotemoodle were moved from standard distribution into contrib.

Quotes of the week

“Oh dear I’m a geek. New neighbours move into the next flat while their extension’s built. How do I welcome them? Let them connect to my wifi”
Tim Hunt

“Only people that truly hate PHP can program something with it. The others who love it are not programmers :-D”
Petr Škoda


Feb 18 2009

Moodle site hacked

As reported in a community support forum at http://moodle.cz, at least one Czech Moodle site has been hacked, probably because of the recently discovered vulnerability in the Snoopy library (announced in MSA-09-0003). Well, the hacked site was running Moodle 1.5, which I consider a hazard. But the exploit exists for all current Moodle versions. Upgrading to the most recent weekly build is strongly recommended.

Strange feeling to realize (again) that a bad guy lives next door in this global village…