tags 682203 +patch
thanks

Le vendredi, 20 juillet 2012 11.15:32, vous avez écrit :
> Package: moodle
> Severity: grave
> Tags: security
> 
> Please see http://www.openwall.com/lists/oss-security/2012/07/17/1
> for details and links to patches.

Hi,

I propose the attached patch and patch series that I am going to upload to 
DELAYED/3 later tonight.

(It would be appreciated if the packaging repository would get the 'upstream', 
'dfsg_clean_22' and the various release tags pushed though.)

OdyX
diff -Nru moodle-2.2.3.dfsg/debian/changelog moodle-2.2.3.dfsg/debian/changelog
--- moodle-2.2.3.dfsg/debian/changelog	2012-06-21 17:32:33.000000000 +0200
+++ moodle-2.2.3.dfsg/debian/changelog	2012-07-20 13:47:12.000000000 +0200
@@ -1,3 +1,26 @@
+moodle (2.2.3.dfsg-2.1) UNRELEASED; urgency=low
+
+  * Non-maintainer upload.
+
+  * Backport multiple security issues from upstream's MOODLE_22_STABLE
+    branch (Closes: #682203)
+    - MDL-33808 - format title on the repository instance screen
+    - MDL-33808 - incorrect cleaning of repository names
+      Both patches fix CVE-2012-3393.
+    - MDL-23254 Authentication : used httpswwwroot as root url during
+      authentication procedure where $PAGE->https_required() is
+      specified.
+      Fix CVE-2012-3394
+    - MDL-27675 - Feedback module abuses data_submitted
+      Fix CVE-2012-3395
+    - MDL-34045 fix invalid idnumber field type in cohort form
+      Fix CVE-2012-3396
+    - MDL-33466: Group restriction should hide activity even with 'show
+      availability' option
+      Fix CVE-2012-3397
+
+ -- Didier Raboud <o...@debian.org>  Fri, 20 Jul 2012 12:36:16 +0200
+
 moodle (2.2.3.dfsg-2) unstable; urgency=low
 
   *  Don't depend on ucf during purge (closes: #678027) 
diff -Nru moodle-2.2.3.dfsg/debian/patches/0001-MDL-33466-Group-restriction-should-hide-activity-eve.patch moodle-2.2.3.dfsg/debian/patches/0001-MDL-33466-Group-restriction-should-hide-activity-eve.patch
--- moodle-2.2.3.dfsg/debian/patches/0001-MDL-33466-Group-restriction-should-hide-activity-eve.patch	1970-01-01 01:00:00.000000000 +0100
+++ moodle-2.2.3.dfsg/debian/patches/0001-MDL-33466-Group-restriction-should-hide-activity-eve.patch	2012-07-20 12:35:27.000000000 +0200
@@ -0,0 +1,45 @@
+From f810144610dcb57c7392fb98d578e70a14f26470 Mon Sep 17 00:00:00 2001
+From: sam marshall <s.marsh...@open.ac.uk>
+Date: Sun, 27 May 2012 12:49:10 +0800
+Subject: MDL-33466: Group restriction should hide activity even with 'show
+ availability' option
+
+This is a modified version of fix by Luke Tucker at NetSpot - thanks.
+---
+ lib/modinfolib.php |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/lib/modinfolib.php b/lib/modinfolib.php
+index 20ac75c..8a9e6dd 100644
+--- a/lib/modinfolib.php
++++ b/lib/modinfolib.php
+@@ -994,18 +994,24 @@ class cm_info extends stdClass  {
+         $modcontext = get_context_instance(CONTEXT_MODULE, $this->id);
+         $userid = $this->modinfo->get_user_id();
+         $this->uservisible = true;
++        // Check visibility/availability conditions.
+         if ((!$this->visible or !$this->available) and
+                 !has_capability('moodle/course:viewhiddenactivities', $modcontext, $userid)) {
+             // If the activity is hidden or unavailable, and you don't have viewhiddenactivities,
+-            // set it so that user can't see or access it
++            // set it so that user can't see or access it.
+             $this->uservisible = false;
+-        } else if (!empty($CFG->enablegroupmembersonly) and !empty($this->groupmembersonly)
++        }
++        // Check group membership. The grouping option makes the activity
++        // completely invisible as it does not apply to the user at all.
++        if (!empty($CFG->enablegroupmembersonly) and !empty($this->groupmembersonly)
+                 and !has_capability('moodle/site:accessallgroups', $modcontext, $userid)) {
+             // If the activity has 'group members only' and you don't have accessallgroups...
+             $groups = $this->modinfo->get_groups($this->groupingid);
+             if (empty($groups)) {
+                 // ...and you don't belong to a group, then set it so you can't see/access it
+                 $this->uservisible = false;
++                // Ensure activity is completely hidden from user.
++                $this->showavailability = 0;
+             }
+         }
+     }
+-- 
+1.7.10.4
+
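Review bot: `$this->showavailability = 0;` overwrites the activity's configured setting on the cm_info object instead of setting a separate per-user flag, and the comment above it does not say so. If anything later reads `showavailability` from this object expecting the configured value, it will see 0 for users outside the grouping; the hunk does not show whether such a reader exists. Extending the comment to `// Ensure activity is completely hidden from user; this overrides the configured showavailability on this object.` would make the side effect explicit. The enclosing method starts outside the hunk.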
diff -Nru moodle-2.2.3.dfsg/debian/patches/0002-MDL-34045-fix-invalid-idnumber-field-type-in-cohort-.patch moodle-2.2.3.dfsg/debian/patches/0002-MDL-34045-fix-invalid-idnumber-field-type-in-cohort-.patch
--- moodle-2.2.3.dfsg/debian/patches/0002-MDL-34045-fix-invalid-idnumber-field-type-in-cohort-.patch	1970-01-01 01:00:00.000000000 +0100
+++ moodle-2.2.3.dfsg/debian/patches/0002-MDL-34045-fix-invalid-idnumber-field-type-in-cohort-.patch	2012-07-20 12:35:27.000000000 +0200
@@ -0,0 +1,25 @@
+From b0d2db5452a7210d2067d4b40b36d2bfad5a84c3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0koda?= <comm...@skodak.org>
+Date: Sat, 30 Jun 2012 07:50:38 +0200
+Subject: MDL-34045 fix invalid idnumber field type in cohort form
+
+---
+ cohort/edit_form.php |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cohort/edit_form.php b/cohort/edit_form.php
+index 249212c..d449980 100644
+--- a/cohort/edit_form.php
++++ b/cohort/edit_form.php
+@@ -49,7 +49,7 @@ class cohort_edit_form extends moodleform {
+         $mform->addElement('select', 'contextid', get_string('context', 'role'), $options);
+ 
+         $mform->addElement('text', 'idnumber', get_string('idnumber', 'cohort'), 'maxlength="254" size="50"');
+-        $mform->setType('name', PARAM_RAW); // idnumbers are plain text, must not be changed
++        $mform->setType('idnumber', PARAM_RAW); // idnumbers are plain text, must not be changed
+ 
+         $mform->addElement('editor', 'description_editor', get_string('description', 'cohort'), null, $editoroptions);
+         $mform->setType('description_editor', PARAM_RAW);
+-- 
+1.7.10.4
+
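Review bot: `idnumber` is typed `PARAM_RAW`, so the form does no cleaning and every place that prints a cohort idnumber has to escape it, for example with `s()`; none of those output sites are in this hunk. The replaced line was also the only visible `setType()` call naming `name`, so confirm that the `name` element has its own `setType('name', ...)` above line 49, otherwise it is left without a declared type. The enclosing method starts and ends outside the hunk.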
diff -Nru moodle-2.2.3.dfsg/debian/patches/0003-MDL-27675-Feedback-module-abuses-data_submitted.patch moodle-2.2.3.dfsg/debian/patches/0003-MDL-27675-Feedback-module-abuses-data_submitted.patch
--- moodle-2.2.3.dfsg/debian/patches/0003-MDL-27675-Feedback-module-abuses-data_submitted.patch	1970-01-01 01:00:00.000000000 +0100
+++ moodle-2.2.3.dfsg/debian/patches/0003-MDL-27675-Feedback-module-abuses-data_submitted.patch	2012-07-20 12:35:27.000000000 +0200
@@ -0,0 +1,335 @@
+From 80eb0055aed8cefebeddfea88daa19d5fec69715 Mon Sep 17 00:00:00 2001
+From: Andreas Grabs <moo...@grabs-edv.de>
+Date: Wed, 6 Jun 2012 23:16:54 +0200
+Subject: MDL-27675 - Feedback module abuses data_submitted
+
+---
+ mod/feedback/complete.php                  |    8 +++-----
+ mod/feedback/complete_guest.php            |   12 +++++-------
+ mod/feedback/item/captcha/lib.php          |    8 ++++++++
+ mod/feedback/item/feedback_item_class.php  |   19 +++++++++++++------
+ mod/feedback/item/info/lib.php             |    8 ++++++++
+ mod/feedback/item/label/lib.php            |    8 ++++++++
+ mod/feedback/item/multichoice/lib.php      |    4 ++++
+ mod/feedback/item/multichoicerated/lib.php |    7 +++++++
+ mod/feedback/item/numeric/lib.php          |   13 ++++++++++++-
+ mod/feedback/item/textarea/lib.php         |   12 ++++++++++--
+ mod/feedback/item/textfield/lib.php        |   12 ++++++++++--
+ mod/feedback/lib.php                       |   11 +++++++++++
+ 12 files changed, 99 insertions(+), 23 deletions(-)
+
+diff --git a/mod/feedback/complete.php b/mod/feedback/complete.php
+index 1ccf71e..aebb1ed 100644
+--- a/mod/feedback/complete.php
++++ b/mod/feedback/complete.php
+@@ -507,11 +507,8 @@ if ($feedback_can_submit) {
+                 //get the value
+                 $frmvaluename = $feedbackitem->typ . '_'. $feedbackitem->id;
+                 if (isset($savereturn)) {
+-                    if (isset($formdata->{$frmvaluename})) {
+-                        $value = $formdata->{$frmvaluename};
+-                    } else {
+-                        $value = null;
+-                    }
++                    $value = isset($formdata->{$frmvaluename}) ? $formdata->{$frmvaluename} : null;
++                    $value = feedback_clean_input_value($feedbackitem, $value);
+                 } else {
+                     if (isset($feedbackcompletedtmp->id)) {
+                         $value = feedback_get_item_value($feedbackcompletedtmp->id,
+@@ -530,6 +527,7 @@ if ($feedback_can_submit) {
+                     feedback_print_item_complete($feedbackitem, $value, $highlightrequired);
+                     echo $OUTPUT->box_end();
+                 }
++
+                 echo $OUTPUT->box_end();
+ 
+                 $lastbreakposition = $feedbackitem->position; //last item-pos (item or pagebreak)
+diff --git a/mod/feedback/complete_guest.php b/mod/feedback/complete_guest.php
+index 25747a9..b472c09 100644
+--- a/mod/feedback/complete_guest.php
++++ b/mod/feedback/complete_guest.php
+@@ -72,7 +72,7 @@ if (isset($formdata->sesskey) AND
+    !isset($formdata->gonextpage) AND
+    !isset($formdata->gopreviouspage)) {
+ 
+-    $gopage = $formdata->lastpage;
++    $gopage = (int) $formdata->lastpage;
+ }
+ if (isset($formdata->savevalues)) {
+     $savevalues = true;
+@@ -441,13 +441,10 @@ if ($feedback_can_submit) {
+                 echo $OUTPUT->box_start('feedback_item_box_'.$align.$dependstyle);
+                 $value = '';
+                 //get the value
+-                $frmvaluename = $feedbackitem->typ.'_'.$feedbackitem->id;
++                $frmvaluename = $feedbackitem->typ . '_'. $feedbackitem->id;
+                 if (isset($savereturn)) {
+-                    if (isset($formdata->{$frmvaluename})) {
+-                        $value = $formdata->{$frmvaluename};
+-                    } else {
+-                        $value = null;
+-                    }
++                    $value = isset($formdata->{$frmvaluename}) ? $formdata->{$frmvaluename} : null;
++                    $value = feedback_clean_input_value($feedbackitem, $value);
+                 } else {
+                     if (isset($feedbackcompletedtmp->id)) {
+                         $value = feedback_get_item_value($feedbackcompletedtmp->id,
+@@ -466,6 +463,7 @@ if ($feedback_can_submit) {
+                     feedback_print_item_complete($feedbackitem, $value, $highlightrequired);
+                     echo $OUTPUT->box_end();
+                 }
++
+                 echo $OUTPUT->box_end();
+ 
+                 $lastbreakposition = $feedbackitem->position; //last item-pos (item or pagebreak)
+diff --git a/mod/feedback/item/captcha/lib.php b/mod/feedback/item/captcha/lib.php
+index 126d51e..190b136 100644
+--- a/mod/feedback/item/captcha/lib.php
++++ b/mod/feedback/item/captcha/lib.php
+@@ -326,4 +326,12 @@ class feedback_item_captcha extends feedback_item_base {
+     public function can_switch_require() {
+         return false;
+     }
++
++    public function value_type() {
++        return PARAM_RAW;
++    }
++
++    function clean_input_value($value) {
++        return clean_param($value, $this->value_type());
++    }
+ }
+diff --git a/mod/feedback/item/feedback_item_class.php b/mod/feedback/item/feedback_item_class.php
+index 981aefd..f325ed7 100644
+--- a/mod/feedback/item/feedback_item_class.php
++++ b/mod/feedback/item/feedback_item_class.php
+@@ -41,14 +41,11 @@ abstract class feedback_item_base {
+         return false;
+     }
+ 
+-    public function value_type() {
+-        return PARAM_RAW;
+-    }
+-
+     public function value_is_array() {
+         return false;
+     }
+ 
++    abstract public function value_type();
+     abstract public function init();
+     abstract public function build_editform($item, $feedback, $cm);
+     abstract public function save_item();
+@@ -128,6 +125,14 @@ abstract class feedback_item_base {
+      */
+     abstract public function print_item_show_value($item, $value = '');
+ 
++    /**     
++     * cleans the userinput while submitting the form
++     *
++     * @param mixed $value
++     * @return mixed
++     */
++    abstract function clean_input_value($value);
++
+ }
+ 
+ //a dummy class to realize pagebreaks
+@@ -175,7 +180,9 @@ class feedback_item_pagebreak extends feedback_item_base {
+     }
+     public function can_switch_require() {
+     }
++    public function value_type() {
++    }
++    public function clean_input_value($value) {
++    }
+ 
+ }
+-
+-
+diff --git a/mod/feedback/item/info/lib.php b/mod/feedback/item/info/lib.php
+index 870c328..b84a377 100644
+--- a/mod/feedback/item/info/lib.php
++++ b/mod/feedback/item/info/lib.php
+@@ -388,4 +388,12 @@ class feedback_item_info extends feedback_item_base {
+     public function can_switch_require() {
+         return false;
+     }
++
++    public function value_type() {
++        return PARAM_INT;
++    }
++
++    function clean_input_value($value) {
++        return clean_param($value, $this->value_type());
++    }
+ }
+diff --git a/mod/feedback/item/label/lib.php b/mod/feedback/item/label/lib.php
+index 25c62a9..c643b31 100644
+--- a/mod/feedback/item/label/lib.php
++++ b/mod/feedback/item/label/lib.php
+@@ -270,4 +270,12 @@ class feedback_item_label extends feedback_item_base {
+     }
+     public function get_analysed($item, $groupid = false, $courseid = false) {
+     }
++
++    public function value_type() {
++        return PARAM_BOOL;
++    }
++
++    public function clean_input_value($value) {
++        return '';
++    }
+ }
+diff --git a/mod/feedback/item/multichoice/lib.php b/mod/feedback/item/multichoice/lib.php
+index 4c836e0..59d17d7 100644
+--- a/mod/feedback/item/multichoice/lib.php
++++ b/mod/feedback/item/multichoice/lib.php
+@@ -826,4 +826,8 @@ class feedback_item_multichoice extends feedback_item_base {
+     public function value_is_array() {
+         return true;
+     }
++
++    public function clean_input_value($value) {
++        return clean_param_array($value, $this->value_type());
++    }
+ }
+diff --git a/mod/feedback/item/multichoicerated/lib.php b/mod/feedback/item/multichoicerated/lib.php
+index 050f7eb..65b5f6f 100644
+--- a/mod/feedback/item/multichoicerated/lib.php
++++ b/mod/feedback/item/multichoicerated/lib.php
+@@ -678,4 +678,11 @@ class feedback_item_multichoicerated extends feedback_item_base {
+         return true;
+     }
+ 
++    public function value_type() {
++        return PARAM_INT;
++    }
++
++    function clean_input_value($value) {
++        return clean_param($value, $this->value_type());
++    }
+ }
+diff --git a/mod/feedback/item/numeric/lib.php b/mod/feedback/item/numeric/lib.php
+index ae19cf9..b7b2067 100644
+--- a/mod/feedback/item/numeric/lib.php
++++ b/mod/feedback/item/numeric/lib.php
+@@ -364,7 +364,7 @@ class feedback_item_numeric extends feedback_item_base {
+                      'name="'.$item->typ.'_'.$item->id.'" '.
+                      'size="10" '.
+                      'maxlength="10" '.
+-                     'value="'.($value ? $value : '').'" />';
++                     'value="'.$value.'" />';
+ 
+         echo '</span>';
+         echo '</div>';
+@@ -534,4 +534,15 @@ class feedback_item_numeric extends feedback_item_base {
+     public function can_switch_require() {
+         return true;
+     }
++    
++    public function value_type() {
++        return PARAM_FLOAT;
++    }
++
++    function clean_input_value($value) {
++        if (!is_numeric($value)) {
++            return null;
++        }
++        return clean_param($value, $this->value_type());
++    }
+ }
+diff --git a/mod/feedback/item/textarea/lib.php b/mod/feedback/item/textarea/lib.php
+index e6aaec5..e3c166b 100644
+--- a/mod/feedback/item/textarea/lib.php
++++ b/mod/feedback/item/textarea/lib.php
+@@ -262,7 +262,7 @@ class feedback_item_textarea extends feedback_item_base {
+         echo '<textarea name="'.$item->typ.'_'.$item->id.'" '.
+                        'cols="'.$presentation[0].'" '.
+                        'rows="'.$presentation[1].'">';
+-        echo ($value ? htmlspecialchars($value) : '');
++        echo $value;
+         echo '</textarea>';
+         echo '</span>';
+         echo '</div>';
+@@ -308,7 +308,7 @@ class feedback_item_textarea extends feedback_item_base {
+     }
+ 
+     public function create_value($data) {
+-        $data = clean_text($data);
++        $data = s($data);
+         return $data;
+     }
+ 
+@@ -333,4 +333,12 @@ class feedback_item_textarea extends feedback_item_base {
+     public function can_switch_require() {
+         return true;
+     }
++
++    public function value_type() {
++        return PARAM_RAW;
++    }
++
++    function clean_input_value($value) {
++        return s($value);
++    }
+ }
+diff --git a/mod/feedback/item/textfield/lib.php b/mod/feedback/item/textfield/lib.php
+index 083069e..4c07a5f 100644
+--- a/mod/feedback/item/textfield/lib.php
++++ b/mod/feedback/item/textfield/lib.php
+@@ -252,7 +252,7 @@ class feedback_item_textfield extends feedback_item_base {
+                     'name="'.$item->typ.'_'.$item->id.'" '.
+                     'size="'.$presentation[0].'" '.
+                     'maxlength="'.$presentation[1].'" '.
+-                    'value="'.($value ? htmlspecialchars($value) : '').'" />';
++                    'value="'.$value.'" />';
+         echo '</span>';
+         echo '</div>';
+     }
+@@ -295,7 +295,7 @@ class feedback_item_textfield extends feedback_item_base {
+     }
+ 
+     public function create_value($data) {
+-        $data = clean_text($data);
++        $data = s($data);
+         return $data;
+     }
+ 
+@@ -320,4 +320,12 @@ class feedback_item_textfield extends feedback_item_base {
+     public function can_switch_require() {
+         return true;
+     }
++
++    public function value_type() {
++        return PARAM_RAW;
++    }
++
++    function clean_input_value($value) {
++        return s($value);
++    }
+ }
+diff --git a/mod/feedback/lib.php b/mod/feedback/lib.php
+index 19e6425..072d7d2 100644
+--- a/mod/feedback/lib.php
++++ b/mod/feedback/lib.php
+@@ -2064,6 +2064,17 @@ function feedback_get_page_to_continue($feedbackid, $courseid = false, $guestid
+ //functions to handle the values
+ ////////////////////////////////////////////////
+ 
++/**     
++ * cleans the userinput while submitting the form.
++ *
++ * @param mixed $value
++ * @return mixed
++ */
++function feedback_clean_input_value($item, $value) {
++    $itemobj = feedback_get_item_class($item->typ);
++    return $itemobj->clean_input_value($value);
++}
++
+ /**
+  * this saves the values of an completed.
+  * if the param $tmp is set true so the values are saved temporary in table feedback_valuetmp.
+-- 
+1.7.10.4
+
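Review bot: The textarea (`echo $value;`), textfield and numeric (`'value="'.$value.'" />'`) hunks now print `$value` without escaping, so the markup is only safe if every caller has already escaped or type-cleaned it. In the complete.php and complete_guest.php hunks only the `isset($savereturn)` branch calls `feedback_clean_input_value()`; the else branch takes its value from `feedback_get_item_value()`, which this patch does not touch, and values saved earlier presumably went through `clean_text()` rather than `s()` in `create_value()`. Escaping where the value is written into the page, e.g. `echo s($value);` with the stored value left unescaped, would remove that dependency; if encode-on-input is kept, each of these methods needs a comment that `$value` must already be HTML-escaped, plus a check that a value passed through `clean_input_value()` and then `create_value()` is not encoded twice. Separately, `value_type()` becomes abstract in feedback_item_base while the multichoice hunk adds only `clean_input_value()`, so confirm that class already defines `value_type()` outside the hunk. The enclosing methods of the three printing hunks start outside the hunks.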
diff -Nru moodle-2.2.3.dfsg/debian/patches/0004-MDL-23254-Authentication-used-httpswwwroot-as-root-u.patch moodle-2.2.3.dfsg/debian/patches/0004-MDL-23254-Authentication-used-httpswwwroot-as-root-u.patch
--- moodle-2.2.3.dfsg/debian/patches/0004-MDL-23254-Authentication-used-httpswwwroot-as-root-u.patch	1970-01-01 01:00:00.000000000 +0100
+++ moodle-2.2.3.dfsg/debian/patches/0004-MDL-23254-Authentication-used-httpswwwroot-as-root-u.patch	2012-07-20 12:35:27.000000000 +0200
@@ -0,0 +1,72 @@
+From acaa47c303d8d068629e23d139bc4f209c911eea Mon Sep 17 00:00:00 2001
+From: Aparup Banerjee <apa...@moodle.com>
+Date: Thu, 28 Jun 2012 15:32:33 +0800
+Subject: MDL-23254 Authentication : used httpswwwroot as root url during
+ authentication procedure where $PAGE->https_required() is
+ specified.
+
+---
+ auth/ldap/ntlmsso_attempt.php |    5 +++--
+ auth/ldap/ntlmsso_magic.php   |    3 ++-
+ auth/shibboleth/login.php     |    8 ++++----
+ 3 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/auth/ldap/ntlmsso_attempt.php b/auth/ldap/ntlmsso_attempt.php
+index 8624b38..69bbd42 100644
+--- a/auth/ldap/ntlmsso_attempt.php
++++ b/auth/ldap/ntlmsso_attempt.php
+@@ -33,8 +33,9 @@ $PAGE->set_title("$site->fullname: $loginsite");
+ $PAGE->set_heading($site->fullname);
+ echo $OUTPUT->header();
+ 
++// $PAGE->https_required() up above takes care of what $CFG->httpswwwroot should be.
+ $msg = '<p>'.get_string('ntlmsso_attempting', 'auth_ldap').'</p>'
+     . '<img width="1", height="1" '
+-    . ' src="' . $CFG->wwwroot . '/auth/ldap/ntlmsso_magic.php?sesskey='
++    . ' src="' . $CFG->httpswwwroot . '/auth/ldap/ntlmsso_magic.php?sesskey='
+     . $sesskey . '" />';
+-redirect($CFG->wwwroot . '/auth/ldap/ntlmsso_finish.php', $msg, 3);
++redirect($CFG->httpswwwroot . '/auth/ldap/ntlmsso_finish.php', $msg, 3);
+diff --git a/auth/ldap/ntlmsso_magic.php b/auth/ldap/ntlmsso_magic.php
+index 9c74f87..f7cd208 100644
+--- a/auth/ldap/ntlmsso_magic.php
++++ b/auth/ldap/ntlmsso_magic.php
+@@ -29,7 +29,8 @@ $file = $CFG->dirroot.'/pix/spacer.gif';
+ if ($authplugin->ntlmsso_magic($sesskey) && file_exists($file)) {
+     if (!empty($authplugin->config->ntlmsso_ie_fastpath)) {
+         if (check_browser_version('MSIE')) {
+-            redirect($CFG->wwwroot.'/auth/ldap/ntlmsso_finish.php');
++            // $PAGE->https_required() up above takes care of what $CFG->httpswwwroot should be.
++            redirect($CFG->httpswwwroot.'/auth/ldap/ntlmsso_finish.php');
+         }
+     }
+ 
+diff --git a/auth/shibboleth/login.php b/auth/shibboleth/login.php
+index 0b635ac..ee3372f 100644
+--- a/auth/shibboleth/login.php
++++ b/auth/shibboleth/login.php
+@@ -44,17 +44,17 @@ $PAGE->https_required();
+         // Redirect to SessionInitiator with entityID as argument
+         if (isset($IdPs[$selectedIdP][1]) && !empty($IdPs[$selectedIdP][1])) {
+             // For Shibbolet 1.x Service Providers
+-            header('Location: '.$IdPs[$selectedIdP][1].'?providerId='. urlencode($selectedIdP) .'&target='. urlencode($CFG->wwwroot.'/auth/shibboleth/index.php'));
++            header('Location: '.$IdPs[$selectedIdP][1].'?providerId='. urlencode($selectedIdP) .'&target='. urlencode($CFG->httpswwwroot.'/auth/shibboleth/index.php'));
+ 
+             // For Shibbolet 2.x Service Providers
+-            // header('Location: '.$IdPs[$selectedIdP][1].'?entityID='. urlencode($selectedIdP) .'&target='. urlencode($CFG->wwwroot.'/auth/shibboleth/index.php'));
++            // header('Location: '.$IdPs[$selectedIdP][1].'?entityID='. urlencode($selectedIdP) .'&target='. urlencode($CFG->httpswwwroot.'/auth/shibboleth/index.php'));
+ 
+         } else {
+             // For Shibbolet 1.x Service Providers
+-            header('Location: /Shibboleth.sso?providerId='. urlencode($selectedIdP) .'&target='. urlencode($CFG->wwwroot.'/auth/shibboleth/index.php'));
++            header('Location: /Shibboleth.sso?providerId='. urlencode($selectedIdP) .'&target='. urlencode($CFG->httpswwwroot.'/auth/shibboleth/index.php'));
+ 
+             // For Shibboleth 2.x Service Providers
+-            // header('Location: /Shibboleth.sso/DS?entityID='. urlencode($selectedIdP) .'&target='. urlencode($CFG->wwwroot.'/auth/shibboleth/index.php'));
++            // header('Location: /Shibboleth.sso/DS?entityID='. urlencode($selectedIdP) .'&target='. urlencode($CFG->httpswwwroot.'/auth/shibboleth/index.php'));
+         }
+     } elseif (isset($_POST['idp']) && !isset($IdPs[$_POST['idp']]))  {
+         $errormsg = get_string('auth_shibboleth_errormsg', 'auth_shibboleth');
+-- 
+1.7.10.4
+
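Review bot: Both ntlmsso hunks depend on a `$PAGE->https_required()` call that the added comment places "up above" but that appears in neither hunk; only the shibboleth hunk header shows it. As far as I know `$CFG->httpswwwroot` stays equal to `$CFG->wwwroot` unless that call has run with HTTPS login enabled, so ntlmsso_attempt.php and ntlmsso_magic.php should each be checked for the call before the first use of `httpswwwroot`. In ntlmsso_attempt.php `$sesskey` is also concatenated into the `src` attribute as is; its origin is outside the hunk, and writing `urlencode($sesskey)` there would keep the URL well-formed regardless of where the value comes from.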
diff -Nru moodle-2.2.3.dfsg/debian/patches/0005-MDL-33808-incorrect-cleaning-of-repository-names.patch moodle-2.2.3.dfsg/debian/patches/0005-MDL-33808-incorrect-cleaning-of-repository-names.patch
--- moodle-2.2.3.dfsg/debian/patches/0005-MDL-33808-incorrect-cleaning-of-repository-names.patch	1970-01-01 01:00:00.000000000 +0100
+++ moodle-2.2.3.dfsg/debian/patches/0005-MDL-33808-incorrect-cleaning-of-repository-names.patch	2012-07-20 12:35:27.000000000 +0200
@@ -0,0 +1,41 @@
+From f0a7254635f6be0fda60df372a4a174d8eac13f2 Mon Sep 17 00:00:00 2001
+From: Dan Poltawski <d...@moodle.com>
+Date: Tue, 19 Jun 2012 11:20:21 +0800
+Subject: MDL-33808 - incorrect cleaning of repository names
+
+---
+ repository/lib.php |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/repository/lib.php b/repository/lib.php
+index eae6072..3c10b43 100644
+--- a/repository/lib.php
++++ b/repository/lib.php
+@@ -1450,7 +1450,7 @@ abstract class repository {
+         $ft = new filetype_parser;
+         $meta = new stdClass();
+         $meta->id   = $this->id;
+-        $meta->name = $this->get_name();
++        $meta->name = format_string($this->get_name());
+         $meta->type = $this->options['type'];
+         $meta->icon = $OUTPUT->pix_url('icon', 'repository_'.$meta->type)->out(false);
+         $meta->supported_types = $ft->get_extensions($this->supported_filetypes());
+@@ -1762,6 +1762,7 @@ abstract class repository {
+             // it can be empty, then moodle will look for instance name from language string
+             $mform->addElement('text', 'pluginname', get_string('pluginname', 'repository'), array('size' => '40'));
+             $mform->addElement('static', 'pluginnamehelp', '', get_string('pluginnamehelp', 'repository'));
++            $mform->setType('pluginname', PARAM_TEXT);
+         }
+     }
+ 
+@@ -1904,6 +1905,7 @@ final class repository_instance_form extends moodleform {
+ 
+         $mform->addElement('text', 'name', get_string('name'), 'maxlength="100" size="30"');
+         $mform->addRule('name', $strrequired, 'required', null, 'client');
++        $mform->setType('name', PARAM_TEXT);
+     }
+ 
+     public function definition() {
+-- 
+1.7.10.4
+
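Review bot: `setType('pluginname', PARAM_TEXT)` and `setType('name', PARAM_TEXT)` only clean names submitted after this change, so names that are already stored are protected solely by output formatting such as the `format_string($this->get_name())` added in the first hunk. Any other place that prints `get_name()` or an instance `name` needs the same treatment, and those call sites are outside these hunks. A comment on the `$meta->name` line, `// repository names are user-supplied; format for display`, would record why the call is there. All three enclosing methods start outside their hunks.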
diff -Nru moodle-2.2.3.dfsg/debian/patches/0006-MDL-33808-format-title-on-the-repository-instance-sc.patch moodle-2.2.3.dfsg/debian/patches/0006-MDL-33808-format-title-on-the-repository-instance-sc.patch
--- moodle-2.2.3.dfsg/debian/patches/0006-MDL-33808-format-title-on-the-repository-instance-sc.patch	1970-01-01 01:00:00.000000000 +0100
+++ moodle-2.2.3.dfsg/debian/patches/0006-MDL-33808-format-title-on-the-repository-instance-sc.patch	2012-07-20 12:35:27.000000000 +0200
@@ -0,0 +1,25 @@
+From 0d05091c189c861f809fda3974f22d329c5cff00 Mon Sep 17 00:00:00 2001
+From: Dan Poltawski <d...@moodle.com>
+Date: Tue, 19 Jun 2012 12:07:46 +0800
+Subject: MDL-33808 - format title on the repository instance screen
+
+---
+ repository/lib.php |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/repository/lib.php b/repository/lib.php
+index 3c10b43..d900a78 100644
+--- a/repository/lib.php
++++ b/repository/lib.php
+@@ -1253,7 +1253,7 @@ abstract class repository {
+             }
+ 
+             $type = repository::get_type_by_id($i->options['typeid']);
+-            $table->data[] = array($i->name, $type->get_readablename(), $settings, $delete);
++            $table->data[] = array(format_string($i->name), $type->get_readablename(), $settings, $delete);
+ 
+             //display a grey row if the type is defined as not visible
+             if (isset($type) && !$type->get_visible()) {
+-- 
+1.7.10.4
+
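Review bot: `$type->get_readablename()` is called on the changed line before the `isset($type)` guard two lines below, so the guard cannot protect that call if `repository::get_type_by_id()` returns nothing for an instance's `typeid`. Whether that can happen is not visible here, but the existing guard suggests it was expected; handling a missing type directly after the lookup, before the row is built, would make the two lines consistent. The surrounding loop or method starts outside the hunk.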
diff -Nru moodle-2.2.3.dfsg/debian/patches/series moodle-2.2.3.dfsg/debian/patches/series
--- moodle-2.2.3.dfsg/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ moodle-2.2.3.dfsg/debian/patches/series	2012-07-20 12:35:27.000000000 +0200
@@ -0,0 +1,6 @@
+0001-MDL-33466-Group-restriction-should-hide-activity-eve.patch
+0002-MDL-34045-fix-invalid-idnumber-field-type-in-cohort-.patch
+0003-MDL-27675-Feedback-module-abuses-data_submitted.patch
+0004-MDL-23254-Authentication-used-httpswwwroot-as-root-u.patch
+0005-MDL-33808-incorrect-cleaning-of-repository-names.patch
+0006-MDL-33808-format-title-on-the-repository-instance-sc.patch

Attachment: moodle-2.2.3.dfsg-2.1_debian_patches.tar.xz
Description: application/xz-compressed-tar

Attachment: signature.asc
Description: This is a digitally signed message part.
