Project

General

Profile

Bug #6830

Great bug on table c_quiz_answer

Added by Miguel José Amez Riendas over 7 years ago. Updated over 7 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Exercises
Target version:
Start date:
20/11/2013
Due date:
% Done:

90%

Estimated time:
0.50 h
Complexity:
Piece of cake
SCRUM pts - complexity:
1

Description

As the field "answer" on table "c_quiz_answer" is defined as TEXT, and any user (from the wysiwyg editor) can copy and paste images to a test, and those images are inserted inside de html code of that answer as BASE64 encoded image, if you upload a big image, the code will result on a XSS security hole!

One of our teachers has experienced this problem and this makes the test VEEERY inestable.

This could be simply fixed changing the table field to LONGTEXT instead of just TEXT. This was tested by me and fully functional now!

A collateral damage of this fix could be database fragmentation, so a less-simpler fix could be modifying the posted base64 images and decode them from HTML code in BASE64 to the original image and store those images in a specific folder. This way, database would be un-fragmented.

This is the mysql code for this table on database:

CREATE or replace table `c_quiz_answer` (
`c_id` int(11) NOT NULL,
`id` int(10) unsigned NOT NULL,
`id_auto` int(11) NOT NULL AUTO_INCREMENT,
`question_id` int(10) unsigned NOT NULL,
`answer` longtext NOT NULL,
`correct` mediumint(8) unsigned DEFAULT NULL,
`comment` text,
`ponderation` float(6,2) NOT NULL DEFAULT '0.00',
`position` mediumint(8) unsigned NOT NULL DEFAULT '1',
`hotspot_coordinates` text,
`hotspot_type` enum('square','circle','poly','delineation','oar') DEFAULT NULL,
`destination` text NOT NULL,
`answer_code` char(10) DEFAULT '',
PRIMARY KEY (`c_id`,`id_auto`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;

To update just the database for this change, you should run this code on mysql with chamilo already installed:

alter table c_quiz_answer modify column answer longtext NOT NULL;

You should keep in mind that the installation script should be changed, in order to allow this issue to be propagated to the upcomming installations from other people.

History

#1

Updated by Julio Montoya over 7 years ago

  • Assignee deleted (Julio Montoya)
  • Priority changed from Immediate to Normal
  • Target version changed from 1.9.8 to 2.0

Hello Miguel,

That change is fine for me it will be included in Chamilo 1.10 (database changes are not allowed for chamilo 1.9.x)

I'm also descending the priority because Chamilo could work fine using the images with the fckeditor tool.

PS: Please don't assign to any specific developer.

#2

Updated by Miguel José Amez Riendas over 7 years ago

Hi Julio,

Sorry for assigning. I didn't know it. Roger that!

I'm testing this issue a little bit more and it is giving some problems on updates, maybe due to uploading issues with big ammount of information.
I'll keep you posted!

#3

Updated by Miguel José Amez Riendas over 7 years ago

False alarm!

I've been checking code and the problem is on the answer.class.php class on the updates.
I didn't have the last changes from master on testing server and updates were failing! Fixed it and now it works!

Consider this as closed when you finish testing.

Also available in: Atom PDF