CVE-2019-3847

@@ -39,3 +39,4 @@
 $string['resetpage'] = 'Reset page to default';
 $string['reseterror'] = 'There was an error resetting your page';
 $string['privacy:metadata:core_my:preference:user_home_page_preference'] = 'The user home page preference configured for the Dashboard page.';
+$string['unabletoaccess'] = 'As a security precaution, you may not access another user\'s dashboard';

@@ -45,6 +45,13 @@
 
 require_login();
 
+if (\core\session\manager::is_loggedinas()) {
+    // Disable access to the user's dashboard for "logged in as" sessions
+    // to mitigate risks associated with loading other users' JavaScript.
+    // See MDL-63786 for more information.
+    redirect(new moodle_url('/', ['redirect' => 0]), get_string('unabletoaccess', 'core_my'));
+}
+
 $hassiteconfig = has_capability('moodle/site:config', context_system::instance());
 if ($hassiteconfig && moodle_needs_upgrading()) {
     redirect(new moodle_url('/admin/index.php'));

@@ -38,3 +38,4 @@
 $string['reseteveryonesprofile'] = 'Reset profile for all users';
 $string['resetpage'] = 'Reset page to default';
 $string['reseterror'] = 'There was an error resetting your page';
+$string['unabletoaccess'] = 'As a security precaution, you may not access another user\'s dashboard';

@@ -45,6 +45,13 @@
 
 require_login();
 
+if (\core\session\manager::is_loggedinas()) {
+    // Disable access to the user's dashboard for "logged in as" sessions
+    // to mitigate risks associated with loading other users' JavaScript.
+    // See MDL-63786 for more information.
+    redirect(new moodle_url('/', ['redirect' => 0]), get_string('unabletoaccess', 'core_my'));
+}
+
 $hassiteconfig = has_capability('moodle/site:config', context_system::instance());
 if ($hassiteconfig && moodle_needs_upgrading()) {
     redirect(new moodle_url('/admin/index.php'));

@@ -79,6 +79,9 @@
 
 // Login as this user and return to course home page.
 \core\session\manager::loginas($userid, $context);
+// Add a notification to let the logged in as user know that all content will be force cleaned
+// while in this session.
+\core\notification::info(get_string('sessionforceclean', 'core'));
 $newfullname = fullname($USER, true);
 
 $strloginas    = get_string('loginas');

@@ -1799,6 +1799,7 @@
 $string['separateandconnectedinfo'] = 'The scale based on the theory of separate and connected knowing. This theory describes two different ways that we can evaluate and learn about the things we see and hear.<ul><li><strong>Separate knowers</strong> remain as objective as possible without including feelings and emotions. In a discussion with other people, they like to defend their own ideas, using logic to find holes in opponent\'s ideas.</li><li><strong>Connected knowers</strong> are more sensitive to other people. They are skilled at empathy and tend to listen and ask questions until they feel they can connect and "understand things from their point of view". They learn by trying to share the experiences that led to the knowledge they find in other people.</li></ul>';
 $string['servererror'] = 'An error occurred whilst communicating with the server';
 $string['serverlocaltime'] = 'Server\'s local time';
+$string['sessionforceclean'] = 'As a security precaution, user generated scripts have been disabled within this session';
 $string['setcategorytheme'] = 'Set category theme';
 $string['setpassword'] = 'Set password';
 $string['setpasswordinstructions'] = 'Please enter your new password below, then save changes.';

@@ -2693,6 +2693,13 @@ function require_login($courseorid = null, $autologinguest = true, $cm = null, $
     // Make sure the USER has a sesskey set up. Used for CSRF protection.
     sesskey();
 
+    if (\core\session\manager::is_loggedinas()) {
+        // During a "logged in as" session we should force all content to be cleaned because the
+        // logged in user will be viewing potentially malicious user generated content.
+        // See MDL-63786 for more details.
+        $CFG->forceclean = true;
+    }
+
     // Do not bother admins with any formalities, except for activities pending deletion.
     if (is_siteadmin() && !($cm && $cm->deletioninprogress)) {
         // Set the global $COURSE.

@@ -79,6 +79,9 @@
 
 // Login as this user and return to course home page.
 \core\session\manager::loginas($userid, $context);
+// Add a notification to let the logged in as user know that all content will be force cleaned
+// while in this session.
+\core\notification::info(get_string('sessionforceclean', 'core'));
 $newfullname = fullname($USER, true);
 
 $strloginas    = get_string('loginas');

@@ -1808,6 +1808,7 @@
 $string['separateandconnectedinfo'] = 'The scale based on the theory of separate and connected knowing. This theory describes two different ways that we can evaluate and learn about the things we see and hear.<ul><li><strong>Separate knowers</strong> remain as objective as possible without including feelings and emotions. In a discussion with other people, they like to defend their own ideas, using logic to find holes in opponent\'s ideas.</li><li><strong>Connected knowers</strong> are more sensitive to other people. They are skilled at empathy and tend to listen and ask questions until they feel they can connect and "understand things from their point of view". They learn by trying to share the experiences that led to the knowledge they find in other people.</li></ul>';
 $string['servererror'] = 'An error occurred whilst communicating with the server';
 $string['serverlocaltime'] = 'Server\'s local time';
+$string['sessionforceclean'] = 'As a security precaution, user generated scripts have been disabled within this session';
 $string['setcategorytheme'] = 'Set category theme';
 $string['setpassword'] = 'Set password';
 $string['setpasswordinstructions'] = 'Please enter your new password below, then save changes.';

@@ -2757,6 +2757,13 @@ function require_login($courseorid = null, $autologinguest = true, $cm = null, $
     // Make sure the USER has a sesskey set up. Used for CSRF protection.
     sesskey();
 
+    if (\core\session\manager::is_loggedinas()) {
+        // During a "logged in as" session we should force all content to be cleaned because the
+        // logged in user will be viewing potentially malicious user generated content.
+        // See MDL-63786 for more details.
+        $CFG->forceclean = true;
+    }
+
     // Do not bother admins with any formalities, except for activities pending deletion.
     if (is_siteadmin() && !($cm && $cm->deletioninprogress)) {
         // Set the global $COURSE.

@@ -79,6 +79,9 @@
 
 // Login as this user and return to course home page.
 \core\session\manager::loginas($userid, $context);
+// Add a notification to let the logged in as user know that all content will be force cleaned
+// while in this session.
+\core\notification::info(get_string('sessionforceclean', 'core'));
 $newfullname = fullname($USER, true);
 
 $strloginas    = get_string('loginas');

@@ -1804,6 +1804,7 @@
 $string['separateandconnectedinfo'] = 'The scale based on the theory of separate and connected knowing. This theory describes two different ways that we can evaluate and learn about the things we see and hear.<ul><li><strong>Separate knowers</strong> remain as objective as possible without including feelings and emotions. In a discussion with other people, they like to defend their own ideas, using logic to find holes in opponent\'s ideas.</li><li><strong>Connected knowers</strong> are more sensitive to other people. They are skilled at empathy and tend to listen and ask questions until they feel they can connect and "understand things from their point of view". They learn by trying to share the experiences that led to the knowledge they find in other people.</li></ul>';
 $string['servererror'] = 'An error occurred whilst communicating with the server';
 $string['serverlocaltime'] = 'Server\'s local time';
+$string['sessionforceclean'] = 'As a security precaution, user generated scripts have been disabled within this session';
 $string['setcategorytheme'] = 'Set category theme';
 $string['setpassword'] = 'Set password';
 $string['setpasswordinstructions'] = 'Please enter your new password below, then save changes.';

@@ -2757,6 +2757,13 @@ function require_login($courseorid = null, $autologinguest = true, $cm = null, $
     // Make sure the USER has a sesskey set up. Used for CSRF protection.
     sesskey();
 
+    if (\core\session\manager::is_loggedinas()) {
+        // During a "logged in as" session we should force all content to be cleaned because the
+        // logged in user will be viewing potentially malicious user generated content.
+        // See MDL-63786 for more details.
+        $CFG->forceclean = true;
+    }
+
     // Do not bother admins with any formalities, except for activities pending deletion.
     if (is_siteadmin() && !($cm && $cm->deletioninprogress)) {
         // Set the global $COURSE.