MDL-61716 auth_oauth2: field names in mappings allow all characters

moodle · Apr 18, 2018 · 8b58e05 · 8b58e05
1 parent 3e3a083
commit 8b58e05
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 2 deletions.
diff --git a/admin/tool/oauth2/lang/en/tool_oauth2.php b/admin/tool/oauth2/lang/en/tool_oauth2.php
@@ -96,6 +96,7 @@
 $string['usebasicauth'] = 'Authenticate token requests via HTTP headers';
 $string['usebasicauth_help'] = 'Utilise the HTTP Basic authentication scheme when sending client ID and password with a refresh token request. Recommended by the OAuth 2 standard, but may not be available with some issuers.';
 $string['userfieldexternalfield'] = 'External field name';
+$string['userfieldexternalfield_error'] = 'This field cannot contain HTML.';
 $string['userfieldexternalfield_help'] = 'Name of the field provided by the external OAuth system.';
 $string['userfieldinternalfield_help'] = 'Name of the Moodle user field that should be mapped from the external field.';
 $string['userfieldinternalfield'] = 'Internal field name';

diff --git a/lib/classes/oauth2/user_field_mapping.php b/lib/classes/oauth2/user_field_mapping.php
@@ -26,7 +26,7 @@
 defined('MOODLE_INTERNAL') || die();
 
 use core\persistent;
-
+use lang_string;
 /**
  * Class for loading/storing oauth2 user field mappings from the DB
  *
@@ -57,7 +57,7 @@ protected static function define_properties() {
                 'type' => PARAM_INT
             ),
             'externalfield' => array(
-                'type' => PARAM_ALPHANUMEXT,
+                'type' => PARAM_RAW_TRIMMED,
             ),
             'internalfield' => array(
                 'type' => PARAM_ALPHANUMEXT,
@@ -74,4 +74,17 @@ protected static function define_properties() {
     public function get_internalfield_list() {
         return array_combine(self::get_user_fields(), self::get_user_fields());
     }
+
+    /**
+     * Ensures that no HTML is saved to externalfield field
+     * but preserves all special characters that can be a part of the claim
+     * @return boolean true if validation is successful, string error if externalfield is not validated
+     */
+    protected function validate_externalfield($value){
+        // This parameter type is set to PARAM_RAW_TRIMMED and HTML check is done here.
+        if (clean_param($value, PARAM_NOTAGS) !== $value){
+            return new lang_string('userfieldexternalfield_error', 'tool_oauth2');
+        }
+        return true;
+    }
 }