Commit 752ad3d8 authored by Adam Olley's avatar Adam Olley Committed by Jake Dallimore

MDL-70622 mod_lti: Prevent xss on lti 1.3 authentication script

Without this, people can craft URLs that other users might follow without realising
what they do - and as an XSS vulnerability, it could do any number of things the
clicking user has access to do on the site.

Change-Id: I82adc71e8706d8929011b4b24523d5b62b8ccea1
parent 3482ce5f
......@@ -68,12 +68,14 @@ if ($ok && ($loginhint !== $USER->id)) {
$ok = false;
$error = 'access_denied';
}
if ($ok) {
// If we're unable to load up config; we cannot trust the redirect uri for POSTing to.
if (empty($config)) {
throw new moodle_exception('invalidrequest', 'error');
} else {
$uris = array_map("trim", explode("\n", $config->lti_redirectionuris));
$ok = in_array($redirecturi, $uris);
if (!$ok) {
$error = 'invalid_request';
$desc = 'Unregistered redirect_uri ' . $redirecturi;
if (!in_array($redirecturi, $uris)) {
throw new moodle_exception('invalidrequest', 'error');
}
}
if ($ok) {
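Review bot: The redirect_uri validation added inside `if ($ok)` is skipped whenever an earlier check has already cleared `$ok` — the `access_denied` branch at the top of the hunk is one such path — so a request that pairs an attacker-chosen redirect_uri with a deliberately failing login_hint never reaches the `in_array` check; if the error-handling path further down (outside this hunk) still posts the error response to `$redirecturi`, the crafted value survives into that response. Consider moving the `empty($config)` / `in_array` block out of the `if ($ok)` wrapper so it runs unconditionally and throws before any response is built, or at minimum apply the same check on the error path. Also pass the strict flag, `if (!in_array($redirecturi, $uris, true)) {`, so the match is an exact string comparison rather than PHP's loose `==`. The script continues past the `if ($ok) {` that closes the hunk, so the error path itself is not visible here.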