MDL-9123:
authorthepurpleblob <thepurpleblob>
Wed, 11 Apr 2007 11:00:26 +0000 (11:00 +0000)
committerthepurpleblob <thepurpleblob>
Wed, 11 Apr 2007 11:00:26 +0000 (11:00 +0000)
No check was made of the validity of the category id read from the form.
So it could theoretically have been spoofed.

question/export.php

index f81d2952473f7ca2d5c5aa66ab58fda2a5c608b7..fe8401032a9358110ac0cd9c6651bf93b5056fa7 100644 (file)
     // ensure the files area exists for this course
     make_upload_directory( "$course->id" );
 
+    // check category is valid
+    if (!empty($categoryid)) {
+        $validcats = question_category_options( $course->id, true, false );
+        if (!array_key_exists( $categoryid, $validcats)) {
+            print_error( "Category id ($categoryid) is not permitted." );
+        }
+    }
+
     /// Header
     if (isset($SESSION->modform->instance) and $quiz = get_record('quiz', 'id', $SESSION->modform->instance)) {
         $strupdatemodule = has_capability('moodle/course:manageactivities', $context)
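Review bot: The message on the `print_error` line interpolates `$categoryid`, the very value this commit treats as untrusted form input, straight into page output; unless it is already cleaned to an integer where it is read (outside this hunk, e.g. with `optional_param(..., PARAM_INT)`), the rejection page reflects attacker-controlled text, so either pin the type at the read site or leave the raw value out of the message. `print_error`'s first argument is normally a language-string identifier resolved through `get_string`, so a literal sentence here will probably be displayed bracketed and unlocalised; a lang-file entry would match the surrounding code better. The `!empty($categoryid)` guard means an empty or zero id skips the lookup entirely, so a comment such as `// an empty id is not a selection and is handled by the code below` (if that is what the later code does) would document that skipping the check is deliberate rather than an oversight. The enclosing script continues both before and after the hunk.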