MDL-46148 qtype_calculated: low-level defence against bad formulas

author Ankit Agarwal <ankit@moodle.com>

Thu, 10 Jul 2014 09:44:59 +0000 (17:44 +0800)

committer Damyon Wiese <damyon@moodle.com>

Thu, 10 Jul 2014 09:55:11 +0000 (17:55 +0800)
author Ankit Agarwal <ankit@moodle.com>
Thu, 10 Jul 2014 09:44:59 +0000 (17:44 +0800)
committer Damyon Wiese <damyon@moodle.com>
Thu, 10 Jul 2014 09:55:11 +0000 (17:55 +0800)
diff --git a/question/type/calculated/question.php b/question/type/calculated/question.php

index 40eb9ad..3d6876b 100644 (file)
--- a/question/type/calculated/question.php
+++ b/question/type/calculated/question.php
@@ -419,6 +419,10 @@ class qtype_calculated_variable_substituter {
       * @return float the computed result.
       */
      public function calculate($expression) {
+        // Make sure no malicious code is present in the expression. Refer MDL-46148 for details.
+        if ($error = qtype_calculated_find_formula_errors($expression)) {
+            throw new moodle_exception('illegalformulasyntax', 'qtype_calculated', '', $error);
+        }
          return $this->calculate_raw($this->substitute_values_for_eval($expression));
      }
author	Ankit Agarwal <ankit@moodle.com>
	Thu, 10 Jul 2014 09:44:59 +0000 (17:44 +0800)
committer	Damyon Wiese <damyon@moodle.com>
	Thu, 10 Jul 2014 09:55:11 +0000 (17:55 +0800)