
Security fix #2532

- Use json_decode/json_encode instead of base64
- Add Security::remove_XSS
jmontoyaa committed May 29, 2018
1 parent 9076126 commit 0de84700648f098c1fbf6b807dee28ec640efe62
Showing with 8 additions and 16 deletions.
  1. +4 −13 main/inc/lib/webservices/Rest.php
  2. +4 −3 main/webservices/api/v2.php
@@ -823,16 +823,9 @@ public function getCourseLearnPaths()
*/
public static function decodeParams($encoded)
{
$decoded = str_replace(['-', '_', '.'], ['+', '/', '='], $encoded);
$mod4 = strlen($decoded) % 4;
$decoded = json_decode($encoded);
if ($mod4) {
$decoded .= substr('====', $mod4);
}
$b64Decoded = base64_decode($decoded);
return unserialize($b64Decoded);
return $decoded;
}
/**
@@ -1319,10 +1312,8 @@ private function encodeParams(array $additionalParams = [])
'api_key' => $this->apiKey,
'username' => $this->user->getUsername(),
]);
$encoded = json_encode($params);
$strParams = serialize($params);
$b64Encoded = base64_encode($strParams);
return str_replace(['+', '/', '='], ['-', '_', '.'], $b64Encoded);
return $encoded;
}
}
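Review bot: `json_decode($encoded)` in decodeParams returns a stdClass for a JSON object, whereas the unserialize() call it replaces returned the array that encodeParams serialised, so any caller that indexes the result as an array would now break; pass the assoc flag, `$decoded = json_decode($encoded, true);`. The decode is also unchecked: $encoded is client-supplied and json_decode returns null silently on malformed input, so a guard such as `if (json_last_error() !== JSON_ERROR_NONE) { return []; }` (or a thrown exception, if that matches how the caller handles failure) keeps the failure visible instead of propagating null. Dropping unserialize() on client-controlled data is the security-relevant part of this change and is the right call; what remains is validating the decoded value. In the second hunk, encodeParams now returns raw JSON, which contains quotes and braces and carries the api_key, without the URL-safe alphabet the old base64 variant provided, so if the caller (outside the hunk) places it in a query string it must be rawurlencode()d. The docblock of decodeParams starts above the first hunk.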
@@ -6,9 +6,10 @@
if ($hash) {
$hashParams = Rest::decodeParams($hash);
foreach ($hashParams as $key => $value) {
$_REQUEST[$key] = $value;
if (!empty($hashParams)) {
foreach ($hashParams as $key => $value) {
$_REQUEST[$key] = Security::remove_XSS($value);
}
}
}
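Review bot: The loop still copies every key of the client-supplied hash into $_REQUEST, so a caller can set or override any request parameter; Security::remove_XSS only strips markup from the values and does not restrict which parameters the hash may inject. Limiting the copy to the parameters this endpoint actually reads keeps that surface small, e.g. `if (!in_array($key, $expectedKeys, true)) { continue; }` before the assignment, where `$expectedKeys` is a constructed name for the list of parameter names the API accepts (the real list is not visible here). Since decodeParams now returns whatever json_decode produced, $value may be a nested array or stdClass rather than a string; whether remove_XSS handles non-string input is not visible in this hunk and is worth confirming. The `if ($hash)` block opens on the hunk's first line and closes on its last.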

2 comments on commit 0de8470


ywarnier replied May 29, 2018

That should go with a note in changelog.html (at the end, WS section) for 1.11.8 about changing web services (just in case someone would be using these REST services with the previous syntax)


jmontoyaa replied May 29, 2018

I'm waiting for confirmation that this fixes the error.
