MDL-46148 qtype_calculated: low-level defence against bad formulas
authorAnkit Agarwal <ankit@moodle.com>
Thu, 10 Jul 2014 09:44:59 +0000 (17:44 +0800)
committerDamyon Wiese <damyon@moodle.com>
Thu, 10 Jul 2014 09:55:11 +0000 (17:55 +0800)
This catches things like:
 * Malicious equations coming from backup files.
 * Malicious equations in old questions in the database.

question/type/calculated/question.php

index 40eb9ad..3d6876b 100644 (file)
@@ -419,6 +419,10 @@ class qtype_calculated_variable_substituter {
      * @return float the computed result.
      */
     public function calculate($expression) {
+        // Make sure no malicious code is present in the expression. Refer MDL-46148 for details.
+        if ($error = qtype_calculated_find_formula_errors($expression)) {
+            throw new moodle_exception('illegalformulasyntax', 'qtype_calculated', '', $error);
+        }
         return $this->calculate_raw($this->substitute_values_for_eval($expression));
     }
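Review bot: The docblock for calculate() still ends with `@return float the computed result.` and does not document the exception the new guard raises; add `@throws moodle_exception if the expression contains illegal formula syntax (MDL-46148).` above the `@return` tag so callers know to expect it. The check runs on the unsubstituted `$expression`, so it is only sufficient if substitute_values_for_eval() inserts nothing that could alter the formula's structure before calculate_raw() sees it — worth confirming, since that call is where the string is actually evaluated. The `if ($error = ...)` form also relies on the checker returning a falsy value when there is no error; if it can ever return a message that is itself falsy (such as `'0'`), an explicit `!== ''` or `!== false` comparison would be more robust. The docblock's opening lines and any other callers of calculate_raw() are outside the hunk.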