Uploaded image for project: 'OpenOLAT'
  1. OpenOLAT
  2. OO-4039

assignment dropbox directory can be overwritten with a file with assignment upload

    XMLWordPrintable

    Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 12.5.21
    • 12.5.22, 13.2.4
    • Task

    • The original User Agent of the student:

      Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:66.0) Gecko/20100101 Firefox/66.0

      We were able to reproduce this on Linux, the original problematic Filename could be related to OSX though.

      Description

      a student managed to replace the personal_xxx assignment folder in a gta dropbox with a file by just uploading a specially named file. the filename does not show up in the log line ("... Submit of 4466999514: upload document")

      What exact filename the student used to trigger the issue is unknown yet, but we were able to reproduce the issue with the following steps:

      $ touch \"\ \"

      upload this file to an assignment with no uploads yet
      the users dropbox directory is now an empty file

      Submitting this solution results in an exception (see also testing.frentix.com/test6):

      Error code: N6-E73 
Last business path:  https://testing.frentix.com/test6/url/RepositoryEntry/127336456 
Business path:  https://testing.frentix.com/test6/url/RepositoryEntry/127336456/CourseNode/99547278808892 
Date and time: 4/25/2019 4:57 PM
---------------------------------------------

<dispatchinfo>
<componentinfo>
<compname>run.submit.button</compname>
<compclass>org.olat.core.gui.components.link.Link</compclass>
<extendedinfo>n/a</extendedinfo>
<event>
<class&gt;org.olat.core.gui.control.Event</class&gt;
<command>submit</command>
<tostring>com:submit,org.olat.core.gui.control.Event@cadc4037</tostring>
</event>
</componentinfo>
<controllerinfo>
<controllername>org.olat.course.nodes.gta.ui.GTAParticipantController</controllername>
<controllername>org.olat.course.nodes.gta.ui.GTARunController</controllername>
<controllername>org.olat.course.run.RunMainController</controllername>
<controllername>org.olat.course.run.CourseRuntimeController</controllername>
<controllername>org.olat.core.commons.fullWebApp.BaseFullWebappController</controllername>
</controllerinfo>
</dispatchinfo>
Throwable: java.lang.NullPointerException

message:null,java.lang.NullPointerException

at org.olat.course.nodes.gta.ui.GTAParticipantController.doConfirmSubmit(GTAParticipantController.java:324)
at org.olat.course.nodes.gta.ui.GTAParticipantController.event(GTAParticipantController.java:718)
at org.olat.core.gui.control.DefaultController.dispatchEvent(DefaultController.java:202)
at org.olat.core.gui.components.AbstractComponent$1.run(AbstractComponent.java:240)
at org.olat.core.logging.activity.ThreadLocalUserActivityLoggerInstaller.runWithUserActivityLogger(ThreadLocalUserActivityLoggerInstaller.java:108)
at org.olat.core.gui.components.AbstractComponent.fireEvent(AbstractComponent.java:238)
at org.olat.core.gui.components.link.Link.dispatch(Link.java:200)
at org.olat.core.gui.components.link.Link.doDispatchRequest(Link.java:187)
at org.olat.core.gui.components.AbstractComponent.dispatchRequest(AbstractComponent.java:193)
at org.olat.core.gui.components.Window.doDispatchToComponent(Window.java:1193)

        Attachments

          Activity

            People

            srosse Stéphane Rossé
            d.haag Daniel Haag
            Mandy Menzel Mandy Menzel
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 50 minutes
                50m