MDL-18552 TeX filter - blacklist unsecure commands + protect texdebug ; merged from...
authorstronk7 <stronk7>
Thu, 26 Mar 2009 19:17:25 +0000 (19:17 +0000)
committerstronk7 <stronk7>
Thu, 26 Mar 2009 19:17:25 +0000 (19:17 +0000)
filter/tex/filter.php
filter/tex/texdebug.php

index 01ee633d77edba4992e34722067f56730b0cc591..646d8109d626a31f7dd3c669ff5c5abbf26b2eed 100644 (file)
@@ -137,6 +137,16 @@ class tex_filter extends filter_base {
             $text = str_replace($matches[0][$i],$replacement,$text);
         }
 
+        // TeX blacklist. MDL-18552
+        $tex_blacklist = array(
+            'include','def','command','loop','repeat','open','toks','output',
+            'input','catcode','name','^^',
+            '\every','\errhelp','\errorstopmode','\scrollmode','\nonstopmode',
+            '\batchmode','\read','\write','csname','\newhelp','\uppercase',
+            '\lowercase','\relax','\aftergroup',
+            '\afterassignment','\expandafter','\noexpand','\special'
+        );
+
         // <tex> TeX expression </tex>
         // or <tex alt="My alternative text to be used instead of the TeX form"> TeX expression </tex>
         // or $$ TeX expression $$
@@ -159,6 +169,19 @@ class tex_filter extends filter_base {
               $align = "text-top";
               $texexp = preg_replace('/^align=top /','',$texexp);
             }
+        /// Check $texexp against blacklist (whitelisting could be more complete but also harder to maintain). MDL-18552
+            $invalidcommands = array();
+            foreach($tex_blacklist as $command) {
+                if (stristr($texexp, $command)) { /// Found invalid command. Annotate.
+                    $invalidcommands[] = $command;
+                }
+            }
+            if (!empty($invalidcommands)) { /// Invalid commands found. Output error and continue with next TeX element
+                $invalidstr = get_string('invalidtexcommand', 'error', implode(', ', $invalidcommands));
+                $text = str_replace( $matches[0][$i], $invalidstr, $text);
+                continue;
+            }
+        /// Everything is ok, let's process the expression
             $md5 = md5($texexp);
             if (! $texcache = $DB->get_record("cache_filters", array("filter"=>"tex", "md5key"=>$md5))) {
                 $texcache->filter = 'tex';
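Review bot: The bare-word entries of the blacklist (`include`, `def`, `command`, `loop`, `repeat`, `open`, `name`, `input`, `output` on lines 17-18) are tested by `stristr` on line 35 as case-insensitive substrings, so ordinary expressions containing e.g. `\operatorname` or `\mathopen` are rejected along with the primitives the list is meant to block. Consider matching those entries as command tokens — a backslash followed by the name and a non-letter — while keeping `^^` and `csname` as raw substring checks, since those are not commands in their own right; the entries already written with a leading backslash (`\every`, `\read`, ...) would then be handled consistently with the rest. The purpose of the list is also undocumented beyond the tracker id on line 15; a comment such as `// Reject TeX primitives that touch files, the interaction mode, catcodes or macro expansion before the expression reaches the renderer.` would tell the next maintainer what may and may not be removed from it. Passing the name of every matched entry into `get_string` on line 40 is fine as long as the list stays constant data, but that assumption is worth stating next to the array. The enclosing filter method starts before the first hunk and continues after the second.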
index bbeb81f134ed6e10588869a239fd8ffb79ad2b46..917239c681a8a3c5bff69a9b562b2182843ef8ec 100644 (file)
@@ -3,8 +3,6 @@
       // If not, it obtains the corresponding TeX expression from the cache_tex db table
       // and uses mimeTeX to create the image file
 
-    define('NO_MOODLE_COOKIES', true); // Because it interferes with caching
-
     require_once("../../config.php");
 
     if (empty($CFG->textfilters)) {
@@ -23,6 +21,9 @@
     $action = optional_param('action', '', PARAM_ALPHA);
     $texexp = optional_param('tex', '', PARAM_RAW);
 
+    require_login();
+    require_capability('moodle/site:config', get_context_instance(CONTEXT_SYSTEM), $USER->id); /// Required cap to run this. MDL-18552
+
     $query = urldecode($_SERVER['QUERY_STRING']);
     error_reporting(E_ALL);
     $output = '';
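Review bot: The comment on line 63 explains the capability check but not why `NO_MOODLE_COOKIES` was dropped on line 53, and the old comment said cookies were disabled for caching, so a reader may take the removal for an accident. Suggest replacing the `///` note with `// Session cookies are required here: the page calls require_login() and checks moodle/site:config, so NO_MOODLE_COOKIES can no longer be defined above.` The third argument to `require_capability` on line 63 appears to be the default (the current user) and could be omitted unless a different semantic is intended. The blacklist introduced in filter/tex/filter.php is not applied to `$texexp` in this hunk; if the page still hands the raw expression to the renderer, the admin-only capability is the sole control and worth stating in that comment. Whatever runs between the config include on line 55 and line 62 executes before authentication, so if nothing there needs `$action` or `$texexp`, moving the two calls directly after the `require_once` keeps the guard first.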