[Xerte-dev] Re: problem with trunk and added slashes?
Ron Mitchell
ronm at mitchellmedia.co.uk
Fri Aug 30 13:01:36 BST 2013
Hi all
I can't say this for sure but my hunch is this is only a conflict with the call to stripslashes or the check for magic quotes. There wasn't a problem previously with Moodle integration and without the re-ordering of that code e.g. the check for magic_quotes and call to stripslashes the problem happens and the problem happens regardless of the authentication method chosen if a valid path to moodle config is set as integration_path. e.g. whatever is set in integration path is included regardless of the authentication method set in auth_config.php.
Changing the order of that code to before the includes certainly seems to resolve the issue but I haven't had time to check for any other consequences. As John says I'm not sure there would be any but it would be good to confirm that 100%.
HTH
Ron
-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 30 August 2013 12:42
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: problem with trunk and added slashes?
Hi Pat
If moodle integration is on and any page includes config.php and subsequently the moodle config page (for dealing with the cookies) then it seems that moodle potentially plays around with the GET and POST data, especially regarding its own implementation of magic quote behaviour...
Regards
John Smith
Learning Technologist
School of Health and Life Sciences
Sent from Samsung Galaxy SII
"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
The original moodle auth was single sign on - where are we using data that's been through moodle?
Not really followed this thread, been swamped
On 30 Aug 2013, at 12:12, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
> Thanks Ron,
>
> I think that confirms that Moodle is somehow messing around with the POST data (although the comment says it should only be the GET data being affected).
>
> I doubt moving the code before the config includes will break anything else, however it is possible I suppose that we have other code that is working around other things that Moodle changes. Pat/Tom do you know of anything else that was necessary when Moodle integration was created?
>
> I will move the code section once Github is up and running and then perhaps we can test it with some LOs containing slashes etc to see if it works as expected.
>
> Regards,
>
> John Smith | Learning Technologist
> Room A251, Govan Mbeki Building | School of Health & Life Sciences |
> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
> ________________________________________
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
> [ronm at mitchellmedia.co.uk]
> Sent: 27 August 2013 16:01
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: problem with trunk and added slashes?
>
> Hi John/Tom
> sorry that I haven't had time or opportunity to test this until now but I've just done so as John suggested and at least on the Techdis server changing /modules/xerte/engine/save.php so that it's now as follows:
>
> $unescaped_data = $_POST['filedata'];
> if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
> {
>     $unescaped_data = stripslashes($_POST['filedata']);
> }
>
> require_once("../../../config.php");
> require_once("../../../plugins.php");
>
> means that it works ok with Moodle authentication and a Moodle integration path included which it hasn't done since the addition of that previous change. Has this cropped up much elsewhere on the forums? I'm surprised it hasn't!
>
> I have no idea if that change of order would affect anything else?
>
> Cheers
> Ron
>
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron
> Mitchell
> Sent: 26 August 2013 13:50
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: problem with trunk and added slashes?
>
> Hi John
> Sorry out for the day until late evening so unlikely to be able to test further until tomorrow.
> Cheers
> Ron
>
> Sent from my iPhone
>
> On 26 Aug 2013, at 06:42, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
>> Thanks Ron,
>>
>> That is a big help, at least now we know where to look... and I think I've found the problem...
>>
>> Tom, I have found this function in \lib\typo3\class.t3lib_div.php in
>> moodle code (note the comment about get_magic_quotes_gpc())
>>
>> function GPvar($var,$strip=0) {
>>     if(empty($var)) return;
>>     $value = isset($_POST[$var]) ? $_POST[$var] : $_GET[$var];
>>     if (isset($value) && is_string($value)) { $value = stripslashes($value); } // Originally check '&& get_magic_quotes_gpc() ' but the values of $_GET are always slashed regardless of get_magic_quotes_gpc() because HTTP_POST/GET_VARS are run through addSlashesOnArray in the very beginning of index_ts.php eg.
>>     if ($strip && isset($value) && is_array($value)) { t3lib_div::stripSlashesOnArray($value); }
>>     return $value;
>> }
>>
>> So if Moodle ALWAYS adds slashes, is it a simple method of also checking whether moodle integration is set? But even if it is, unless it is set to the correct path, it will possibly have stripslashes used incorrectly. The recent change relies on the use of get_magic_quotes_gpc() as a condition to strip the slashes but Moodle ignores this very setting and adds them anyway.
>>
>> My thoughts are, can we just move this code (and access to any other $_GET/$_POST data) to the VERY TOP of save.php, BEFORE the inclusion of config, so before Moodle has a chance to play with the data?
>>
>>
>> $unescaped_data = $_POST['filedata'];
>> if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
>>     $unescaped_data = stripslashes($_POST['filedata']);
>> }
>>
>> Can anyone give that a try with their test setups? I'm not set up to test just now and will be busy at least until the afternoon but can test then if no-one else can... Only possible issue I see is - if moodle adds them anyway and they are then also being added by the server could they be there twice in situations where get_magic_quotes_gpc() is on??
>>
>> Regards,
>>
>> John Smith | Learning Technologist
>> Room A251, Govan Mbeki Building | School of Health & Life Sciences |
>> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
>> ________________________________________
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
>> [ronm at mitchellmedia.co.uk]
>> Sent: 26 August 2013 00:29
>> To: 'For Xerte technical developers'
>> Subject: [Xerte-dev] Re: problem with trunk and added slashes?
>>
>> Hi John
>> shutting down now but quickly tested this and with integration path pointing to functions.php instead of a moodle file all is fine. It must be a conflict with Moodle code but it obviously wasn't a problem previously and on the server I'm testing with Moodle code hasn't changed only xot code.
>> Cheers
>> Ron
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith,
>> John
>> Sent: 25 August 2013 23:21
>> To: xerte-dev at lists.nottingham.ac.uk
>> Subject: [Xerte-dev] Re: problem with trunk and added slashes?
>>
>> Hi Ron
>>
>> What would be interesting to know is whether setting a non-moodle integration path causes a problem or whether Moodle changes it...
>>
>> Can you try setting the integration path to point to /functions.php
>>
>> This is already included in config with a require once so should have absolutely no effect.
>>
>> If all is well then the problem is in the moodle file and we need some way of mitigating the effects. If not then there must be some xerte code causing it.
>>
>> Regards
>>
>> John Smith
>> Learning Technologist
>> School of Health and Life Sciences
>>
>> Sent from Samsung Galaxy SII
>>
>>
>>
>> Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
>>
>>
>> Hi Tom
>> yes I thought the same - turning magic_quotes on isn't really the answer and for instance on the Techdis server magic_quotes has always been off and this hasn't been a problem until whatever the code change was when this started. I've actually been testing a bit after Gayan's recent message and with the latest unstable download from xerte.org.uk the following applies:
>>
>> Same server, same code with guest auth enabled and crucially no moodle integration path set all is fine.
>>
>> Same server, same code even with guest auth rather than moodle auth set the problem happens if a moodle integration path is set.
>>
>> Could there be a duplicate function name or variable name causing this? Or is there a way of checking if an integration path is set and if so skipping the relevant code?
>>
>> HTH
>> Ron
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom
>> Reijnders
>> Sent: 25 August 2013 20:37
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: problem with trunk and added slashes?
>>
>> Ron,
>>
>> Gayan's problem is now solved, but not really the solution I wanted. magic_quotes is obsolete, so I want to find where the slashes came from in the first place.
>>
>> Tom
>> On 22-8-2013 11:23, Ron Mitchell wrote:
>> Hi Tom
>> prompted by the latest message on the Xerte list from RGN Meegama (Gayan) attached I did a quick search for our previous discussion about strip slashes below. I haven't had time to investigate this but I wonder if the message from Gayan indicates why this hasn't been a problem for everyone e.g. only materialises when Moodle integration is used and even then perhaps only with a particular stripslashes setting? I've avoided upgrading any installations until I can find time to investigate and test this properly and I still don't have time to investigate now but I wonder if this helps to point you to the cause/solution? I know this is going to raise the old issue about compatibility with 3rd party applications but as I'm sure you also appreciate the fact remains in my experience next to ldap, Moodle is the next most popular solution for xot account management.
>> Cheers
>> Ron
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
>> Sent: 20 June 2013 23:04
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: problem with trunk and added slashes?
>>
>> The fact that not all people have control over this was the reason for the fix. The old code called stripslashes regardless of the settings resulting in backslashes being removed from prior escapes and LaTeX expressions.
>>
>> But given your settings, I don't understand where the slashes are coming from.
>>
>> Tom
>> Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
>> Hi Tom
>> sorry for the delayed response been at an event all day and only just on the train home. Magic quotes settings are as follows:
>> magic_quotes_gpc Off Off
>> magic_quotes_runtime Off Off
>> magic_quotes_sybase Off Off
>>
>>
>> But this has been the case previously too when this wasn't a problem.
>> I have full control over this server which has 3 separate xot
>> installations so I could change the magic quotes settings but lots of
>> people obviously won't have control over that e.g. on shared hosting
>> etc
>>
>>
>> HTH
>> Ron
>>
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
>> Sent: 20 June 2013 07:52
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: problem with trunk and added slashes?
>>
>>
>> It was probably caused by r958 (2.0) and r956 (trunk). What are your magic_quote settings in php.ini?
>>
>> Tom
>> On 19-6-2013 18:40, Ron Mitchell wrote:
>> Hi all
>> I just replied to a message from John where I've already mentioned
>> this but thought I should start a new thread too as this may be
>> unrelated to the main focus of that other thread…
>>
>> I updated a test install with the latest code from trunk and notice
>> that as soon as I edited and published an LO it was adding extra
>> slashes and therefore breaking preview/play. Here's some sample xml
>> showing the slashes that got added to both preview.xml and data.xml
>>
>>
>> <learningObject resume=\"true\" language=\"en-GB\" name=\"Learning
>> Object Title\" navigation=\"Linear\" textSize=\"12\"
>> displayMode=\"default\">
>>
>> <title linkID=\"PG1371648227672\" name=\"Enter Page Title\"
>> size=\"30\"><![CDATA[Enter title here]]></title>
>>
>> <textGraphics hidePanel=\"true\" linkID=\"PG1361433467001\"
>> name=\"Enter Page Title\" align=\"Left\" imagesize=\"full screen\"
>> url=\"FileLocation + \'media/800_x_516.jpg\'\" tip=\"Enter a Tooltip\"
>> transcriptbuttonlabel=\"Transcript\"><![CDATA[Enter text for the page
>> here]]></textGraphics>
>>
>> <textGraphics linkID=\"PG1359043029659\" name=\"Enter Page
>> Title\" align=\"Left\" imagesize=\"full screen\" url=\"FileLocation +
>> \'media/xpert_logo.gif\'\" tip=\"Enter a Tooltip\"
>> transcriptbuttonlabel=\"Transcript\"><![CDATA[Enter text for the page
>> here]]></textGraphics>
>>
>> </learningObject>
>>
>> I updated an install that was already version 2 but still quite a few revisions applied so not sure what revision is causing this but I reverted the code fixed the xml from my test project and all was fine. Re-applied the code and problem returned.
>>
>> Any ideas?
>>
>> HTH
>> Cheers
>> Ron
>>
>>
>>
>> This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.
>>
>> This message has been checked for viruses but the contents of an attachment may still contain software viruses which could damage your computer system, you are advised to perform your own checks. Email communications with the University of Nottingham may be monitored as permitted by UK legislation.
>>
>>
>>
>>
>>
>> _______________________________________________
>>
>> Xerte-dev mailing list
>>
>> Xerte-dev at lists.nottingham.ac.uk
>>
>> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>>
>>
>> --
>>
>> --
>>
>>
>>
>> Tom Reijnders
>>
>> TOR Informatica
>>
>> Chopinlaan 27
>>
>> 5242HM Rosmalen
>>
>> Tel: 073 5226191
>>
>> Fax: 073 5226196
>> Glasgow Caledonian University is a registered Scottish charity, number SC021474
>>
>> Winner: Times Higher Education’s Widening Participation Initiative of the Year 2009 and Herald Society’s Education Initiative of the Year 2009.
>> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>>
>> Winner: Times Higher Education’s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
>> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
>
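The ordering problem discussed in this thread, as an added PHP example that is not Xerte or Moodle code: it compares reading the posted XML before and after an include that slashes request data, with magic quotes off as on the server described above. simulate_integration_include(), read_filedata() and is_well_formed_xml() are hypothetical names, the payload is constructed, and the SimpleXML extension is assumed to be available.

```php
<?php
// Added example; not Xerte or Moodle code. All function names are hypothetical.

// Stand-in for an integration file that slashes request data as soon as it
// is included, whatever PHP's own magic_quotes_gpc setting says.
function simulate_integration_include(array &$post): void
{
    foreach ($post as $key => $value) {
        if (is_string($value)) {
            $post[$key] = addslashes($value);
        }
    }
}

// Pre-write check: is the payload still well-formed XML?
function is_well_formed_xml(string $xml): bool
{
    $previous = libxml_use_internal_errors(true);
    $ok = simplexml_load_string($xml) !== false;
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $ok;
}

// Returns what each read strategy would hand to the file writer.
// Magic quotes are assumed to be off, so the conditional strategy never strips.
function read_filedata(string $sent, bool $integrationSlashes): array
{
    $post = ['filedata' => $sent];

    // Read the value before anything else has been included.
    $early = $post['filedata'];

    if ($integrationSlashes) {
        simulate_integration_include($post);
    }

    return [
        'early read'              => $early,
        // Read after the include; strip only if PHP reports magic quotes on.
        'late, conditional strip' => $post['filedata'],
        // Read after the include; always strip.
        'late, always strip'      => stripslashes($post['filedata']),
    ];
}

// Constructed sample: quoted attributes plus a LaTeX backslash inside CDATA.
$sent = '<learningObject name="Demo"><page><![CDATA[$\frac{a}{b}$]]></page></learningObject>';

foreach ([false, true] as $integrationSlashes) {
    printf("integration include adds slashes: %s\n", $integrationSlashes ? 'yes' : 'no');
    foreach (read_filedata($sent, $integrationSlashes) as $strategy => $data) {
        printf(
            "  %-24s intact=%-3s well-formed=%s\n",
            $strategy,
            $data === $sent ? 'yes' : 'no',
            is_well_formed_xml($data) ? 'yes' : 'no'
        );
    }
}
```

Only the early read returns the payload unchanged in both runs. The well-formedness check catches the slashed attributes but not a LaTeX backslash removed by an unconditional stripslashes(), so it complements the early read rather than replacing it.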