#! /bin/sh /usr/share/dpatch/dpatch-run
## msa080010_hotpot.dpatch by Kees Cook <kees@ubuntu.com>
## All lines beginning with `## DP:' are a description of the patch.
## DP: Patch SQL injection bug in hotpot module (MSA-08-0010).
## DP: Thanks to Dan Poltawski.
diff -Nru moodle-1.8.2/mod/hotpot/report.php moodle-1.8.2.dfsg/mod/hotpot/report.php
10
--- moodle-1.8.2/mod/hotpot/report.php 2007-05-15 19:47:39.000000000 -0700
11
+++ moodle-1.8.2.dfsg/mod/hotpot/report.php 2009-02-12 11:09:06.000000000 -0800
13
$select = "hotpot='$hotpot->id' AND status=".HOTPOT_STATUS_ABANDONED;
16
- $ids = (array)data_submitted();
21
+ $data = (array)data_submitted();
22
+ foreach ($data as $name => $value) {
23
+ if (preg_match('/^box\d+$/', $name)) {
24
+ $ids[] = intval($value);
28
$select = "hotpot='$hotpot->id' AND clickreportid IN (".implode(',', $ids).")";
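Review bot: `$ids[] = intval($value);` turns any non-numeric `box…` value into 0 instead of rejecting it, so a tampered field still contributes an entry to the `IN (...)` list; keeping only positive ids is stricter: `$id = intval($value); if ($id > 0) { $ids[] = $id; }`. The page does not show where `$ids` is initialised or whether the final `$select` is guarded against an empty list, so confirm that `$ids = array();` precedes the loop and that `IN ()` is never built when no field matches. A short comment above the `preg_match` line, such as `// accept only box<N> checkbox fields; values are cast to int before reaching the SQL IN list`, would record why the allow-list exists. The enclosing block starts and ends outside the lines visible here.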