[OO-4039] assignment dropbox directory can be overwritten with a file with assignment upload - OpenOLAT Issue Management

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 12.5.21
Fix Version/s: 12.5.22, 13.2.4
Component/s: Task
Labels:
- usability
Environment:

The original User Agent of the student:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:66.0) Gecko/20100101 Firefox/66.0

We were able to reproduce this on Linux, the original problematic Filename could be related to OSX though.

Funded by:
- frentix

Description

a student managed to replace the personal_xxx assignment folder in a gta dropbox with a file by just uploading a specially named file. the filename does not show up in the log line ("... Submit of 4466999514: upload document")

What exact filename the student used to trigger the issue is unknown yet, but we were able to reproduce the issue with the following steps:

$ touch \"\ \"

upload this file to an assignment with no uploads yet
the users dropbox directory is now an empty file

Submitting this solution results in an exception (see also testing.frentix.com/test6):

Error code: N6-E73 
Last business path:  https://testing.frentix.com/test6/url/RepositoryEntry/127336456 
Business path:  https://testing.frentix.com/test6/url/RepositoryEntry/127336456/CourseNode/99547278808892 
Date and time: 4/25/2019 4:57 PM
---------------------------------------------

<dispatchinfo>
<componentinfo>
<compname>run.submit.button</compname>
<compclass>org.olat.core.gui.components.link.Link</compclass>
<extendedinfo>n/a</extendedinfo>
<event>
<class&gt;org.olat.core.gui.control.Event</class&gt;
<command>submit</command>
<tostring>com:submit,org.olat.core.gui.control.Event@cadc4037</tostring>
</event>
</componentinfo>
<controllerinfo>
<controllername>org.olat.course.nodes.gta.ui.GTAParticipantController</controllername>
<controllername>org.olat.course.nodes.gta.ui.GTARunController</controllername>
<controllername>org.olat.course.run.RunMainController</controllername>
<controllername>org.olat.course.run.CourseRuntimeController</controllername>
<controllername>org.olat.core.commons.fullWebApp.BaseFullWebappController</controllername>
</controllerinfo>
</dispatchinfo>
Throwable: java.lang.NullPointerException

message:null,java.lang.NullPointerException

at org.olat.course.nodes.gta.ui.GTAParticipantController.doConfirmSubmit(GTAParticipantController.java:324)
at org.olat.course.nodes.gta.ui.GTAParticipantController.event(GTAParticipantController.java:718)
at org.olat.core.gui.control.DefaultController.dispatchEvent(DefaultController.java:202)
at org.olat.core.gui.components.AbstractComponent$1.run(AbstractComponent.java:240)
at org.olat.core.logging.activity.ThreadLocalUserActivityLoggerInstaller.runWithUserActivityLogger(ThreadLocalUserActivityLoggerInstaller.java:108)
at org.olat.core.gui.components.AbstractComponent.fireEvent(AbstractComponent.java:238)
at org.olat.core.gui.components.link.Link.dispatch(Link.java:200)
at org.olat.core.gui.components.link.Link.doDispatchRequest(Link.java:187)
at org.olat.core.gui.components.AbstractComponent.dispatchRequest(AbstractComponent.java:193)
at org.olat.core.gui.components.Window.doDispatchToComponent(Window.java:1193)

Attachments

Activity

People

Assignee:: Stéphane Rossé

Reporter:: Daniel Haag

Tester:: Mandy Menzel

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 25/Apr/19 5:08 PM

Updated:: 26/Apr/19 1:43 PM

Resolved:: 25/Apr/19 7:59 PM

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

50m