Security fix #2532

- Use json_decode/json_encode instead base64 - Add Security::remove_XSSS
chamilo · May 29, 2018 · 0de8470 · 0de8470 · ywarnier · May 29, 2018
1 parent 9076126
commit 0de8470
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 16 deletions.
diff --git a/main/inc/lib/webservices/Rest.php b/main/inc/lib/webservices/Rest.php
@@ -823,16 +823,9 @@ public function getCourseLearnPaths()
      */
     public static function decodeParams($encoded)
     {
-        $decoded = str_replace(['-', '_', '.'], ['+', '/', '='], $encoded);
-        $mod4 = strlen($decoded) % 4;
+        $decoded = json_decode($encoded);
 
-        if ($mod4) {
-            $decoded .= substr('====', $mod4);
-        }
-
-        $b64Decoded = base64_decode($decoded);
-
-        return unserialize($b64Decoded);
+        return $decoded;
     }
 
     /**
@@ -1319,10 +1312,8 @@ private function encodeParams(array $additionalParams = [])
             'api_key' => $this->apiKey,
             'username' => $this->user->getUsername(),
         ]);
+        $encoded = json_encode($params);
 
-        $strParams = serialize($params);
-        $b64Encoded = base64_encode($strParams);
-
-        return str_replace(['+', '/', '='], ['-', '_', '.'], $b64Encoded);
+        return $encoded;
     }
 }
diff --git a/main/webservices/api/v2.php b/main/webservices/api/v2.php
@@ -6,9 +6,10 @@
 
 if ($hash) {
     $hashParams = Rest::decodeParams($hash);
-
-    foreach ($hashParams as $key => $value) {
-        $_REQUEST[$key] = $value;
+    if (!empty($hashParams)) {
+        foreach ($hashParams as $key => $value) {
+            $_REQUEST[$key] = Security::remove_XSS($value);
+        }
     }
 }