
MDL-20901 fixed input validation

skodak committed Nov 19, 2009
1 parent 06a6ed1 commit 1a5a7f122fbf8e4d9e8eeaf5a535dbb48ca03215
Showing with 4 additions and 3 deletions.
  1. +1 −0 enrol/manual/enrol.html
  2. +3 −3 enrol/manual/enrol.php
@@ -19,6 +19,7 @@
<input type="password" name="password" size="20" value="<?php p($password) ?>" />
<input type="hidden" name="id" value="<?php p($course->id) ?>" />
<input type="hidden" name="enrol" value="manual" />
+ <input type="hidden" name="sesskey" value="<?php echo sesskey() ?>" />
<input type="submit" value="<?php print_string("enrolme") ?>" />
</td>
</tr>
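Review bot: The new hidden field prints the token with `echo sesskey()`, while the neighbouring values in this hunk (`$password`, `$course->id`) go through `p()`. The token is presumably a plain random string, so this is a consistency point rather than a flaw, but `value="<?php p(sesskey()) ?>"` would keep every dynamic attribute in the template output-encoded the same way. The enclosing `<form>` tag is outside the hunk, so its method is not visible here; it should be POST so the token and the enrolment password stay out of the URL.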
@@ -64,12 +64,12 @@ function print_entry($course) {
print_header($strloginto, $course->fullname, "<a href=\".\">$strcourses</a> -> $strloginto");
echo '<br />';
- notice_yesno(get_string('enrolmentconfirmation'), "enrol.php?id=$course->id&amp;confirm=1",
+ notice_yesno(get_string('enrolmentconfirmation'), "enrol.php?id=$course->id&amp;confirm=1&amp;sesskey=".sesskey(),
"enrol.php?id=$course->id&amp;cancel=1");
print_footer();
exit;
- } else if (!empty($_GET['confirm'])) {
+ } else if (!empty($_GET['confirm']) and confirm_sesskey()) {
if (!enrol_into_course($course, $USER, 'manual')) {
print_error('couldnotassignrole');
@@ -130,7 +130,7 @@ function check_entry($form, $course) {
$form->password = '';
}
- if (empty($course->password)) {
+ if (empty($course->password) or !confirm_sesskey()) {
// do not allow entry when no course password set
// automatic login when manual primary, no login when secondary at all!!
error('illegal enrolment attempted');
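Review bot: In the print_entry hunk the token is appended to the confirm link (`&amp;sesskey=".sesskey()`), so it travels in the query string, where it can be recorded in server logs, browser history and Referer headers. The same key is presumably valid for the whole session, so it is safer in the request body: if `notice_yesno()` in this branch accepts option arrays for hidden fields, pass `'sesskey' => sesskey()` there instead of putting it in the URL. A failed `confirm_sesskey()` on the confirm branch falls through to whatever branch follows, which is outside the hunk. In check_entry the same failure is reported as 'illegal enrolment attempted', under a comment that still describes only the missing-password case. A separate `if (!confirm_sesskey())` with its own message in both places would make the failure explicit and distinguishable. Both functions begin and end outside the hunks shown.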
