Security Fix: Make CustomTagModule safe


Awais Jibran

Aug 23, 2019, 7:01:49 AM
to opene...@googlegroups.com

Hello all,

We have released a patch (which is linked below) for a security vulnerability in edxapp. 

Affected repo: edx-platform 
Branches: Ironwood, master

Due to this bug, CustomTagModule will execute arbitrary Mako templates that are imported as part of a course's OLX. Since Mako templates can contain any Python code, we were allowing arbitrary Python code execution by course staff. This is an obscure XModule that has existed since the earliest prototype days of Open edX.

Without this patch, course teams could exploit the vulnerability by creating custom Mako templates in their course OLX. It can be used to import, display secrets, run database queries and elevate privileges. In the few cases we have looked at so far, it has only been used as it was intended to be.

We advise you to patch your instances as soon as possible and if you have any questions, feel free to reach out.

Thank you,

Links to patches
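An added auditing example, not part of this thread or of edx-platform: it scans the custom tag templates of an exported course for the Mako constructs that run Python (code blocks, module blocks, namespace/include tags, calls inside `${...}` expressions, `%` control lines), so an operator can check how the tag has actually been used before and after patching. It assumes the export keeps those templates under a `custom_tags/` directory at the course root; the function names and sample templates are my own.

```python
"""Audit an exported Open edX course's custom tag templates for Mako code."""
import re
from pathlib import Path

# Mako constructs that execute Python or pull in other modules/templates.
# A legitimate custom tag normally needs only markup and bare ${variable} substitutions.
PATTERNS = {
    "python_block": re.compile(r"<%(?![\w!/])(.*?)%>", re.S),     # <% ... %>
    "module_block": re.compile(r"<%!(.*?)%>", re.S),               # <%! ... %> (runs at load)
    "namespace_or_include": re.compile(r"<%(namespace|include)\b"),
    "call_in_expression": re.compile(r"\$\{[^}]*[\(\[]"),          # ${ something(...) }
    "control_line": re.compile(r"^\s*%\s*(for|if|while|try|with)\b", re.M),
}


def find_mako_code(template: str) -> list[tuple[str, str]]:
    """Return (kind, snippet) pairs for every construct in the template that can run code."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(template):
            snippet = " ".join(match.group(0).split())[:80]  # collapse whitespace, keep it short
            findings.append((kind, snippet))
    return findings


def audit_course(templates: dict[str, str]) -> dict[str, list[tuple[str, str]]]:
    """Map each custom tag name to its findings; tags with nothing suspicious are omitted."""
    return {name: found for name, text in templates.items() if (found := find_mako_code(text))}


def load_custom_tags(course_dir: str) -> dict[str, str]:
    """Read every template under <course export>/custom_tags/ (assumed export layout)."""
    tag_dir = Path(course_dir) / "custom_tags"
    return {p.name: p.read_text(errors="replace") for p in tag_dir.iterdir() if p.is_file()}


# Constructed samples: two tags used as intended, and one that executes Python.
SAMPLE_TEMPLATES = {
    "book": '<a href="${url}">${title}</a>',
    "video": '<iframe src="https://example.invalid/embed/${video_id}"></iframe>',
    "probe": "<% import socket %>\n<p>${ socket.gethostname() }</p>",
}

if __name__ == "__main__":
    for tag, findings in audit_course(SAMPLE_TEMPLATES).items():
        for kind, snippet in findings:
            print(f"custom_tags/{tag}: {kind}: {snippet}")
```

Point `load_custom_tags()` at a course export directory and pass the result to `audit_course()` to review a real course; anything flagged is a tag worth reading by hand.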

Ernesto Sanchez

Aug 26, 2019, 6:46:45 PM
to Open edX operations
Hi, 

How can I apply this patch?

Pierre Mailhot

Aug 27, 2019, 2:38:58 PM
to Open edX operations
Please look at https://www.poftut.com/patch-command-tutorial-with-examples-for-linux/ for more information on how to apply the patch.

Since this is a simple patch and involves only one file to patch, if you already know how diff works you can easily do it by hand too.

Remember that you will need to recompile your assets and restart the services afterwards.

Régis Behmo

Aug 31, 2019, 7:47:27 AM
to Open edX operations
For Tutor users: this patch was added to the v3.6.3 release today. You can now upgrade to the latest version to fix this security issue on your platform: https://docs.tutor.overhang.io/install.html

Régis