flash detection MDL-20841 Added sesskey checking to the environment script to prevent DoS to users (Thanks for the catch Petr!)
commit 5459e76dd1ed71af1ea7fe3ac2003ef2b29a55f4 1 parent 182951c
@moodler moodler authored
Showing with 5 additions and 4 deletions.
  1. +3 −4 lib/weblib.php
  2. +2 −0  login/environment.php
7 lib/weblib.php
@@ -2480,8 +2480,8 @@ function print_header ($title='', $heading='', $navigation='', $focus='',
}
define('HEADER_PRINTED', 'true');
-/// Perform some browser environment checks
- if (!empty($CFG->excludeoldflashclients) && empty($SESSION->flashversion)) { // Do a single check per session for the flash version
+/// Perform a browser environment check for the flash version. Should only run once per login session.
+ if (isloggedin() && !empty($CFG->excludeoldflashclients) && empty($SESSION->flashversion)) {
// Unfortunately we can't use require_js here and keep it all clean in 1.9 ...
// require_js(array('yui_yahoo', 'yui_event', 'yui_connection', $CFG->httpswwwroot."/lib/swfobject/swfobject.js"));
$meta .= '<script type="text/javascript" src="'.$CFG->wwwroot.'/lib/yui/yahoo/yahoo-min.js"></script>';
@@ -2491,9 +2491,8 @@ function print_header ($title='', $heading='', $navigation='', $focus='',
$meta .=
"<script type=\"text/javascript\">\n".
" var flashversion = swfobject.getFlashPlayerVersion();\n".
- " YAHOO.util.Connect.asyncRequest('GET','".$CFG->wwwroot."/login/environment.php?flashversion='+flashversion.major+'.'+flashversion.minor+'.'+flashversion.release);\n".
+ " YAHOO.util.Connect.asyncRequest('GET','".$CFG->wwwroot."/login/environment.php?sesskey=".sesskey()."&flashversion='+flashversion.major+'.'+flashversion.minor+'.'+flashversion.release);\n".
"</script>";
-
}
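Review bot: The sesskey is now emitted into the GET query string on the `YAHOO.util.Connect.asyncRequest('GET', ...)` line of the second hunk, so it will be written to web-server access logs and any intermediate proxy logs, where it outlives the page that contained it. Sending it as POST data keeps it out of the URL: `" YAHOO.util.Connect.asyncRequest('POST','".$CFG->wwwroot."/login/environment.php', null, 'sesskey=".sesskey()."&flashversion='+flashversion.major+'.'+flashversion.minor+'.'+flashversion.release);\n".` — this presumes the receiving script reads the parameter through optional_param(), which accepts POST as well as GET, so confirm before switching. The new `isloggedin()` guard in the first hunk is what makes the comment's "once per login session" hold and also avoids emitting the script for visitors who could not satisfy the sesskey check on the other end; a short note recording that, `// Logged-in users only: environment.php now requires a valid sesskey.`, would help the next reader. print_header() begins and ends outside these hunks.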
2  login/environment.php
@@ -5,6 +5,8 @@
require('../config.php');
+require_sesskey();
+
if (!empty($SESSION)) {
if ($flashversion = optional_param('flashversion', false, PARAM_TEXT)) { // eg 10.0.32
$SESSION->flashversion = $flashversion;
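Review bot: `require_sesskey()` now gates the request, but the value read on the optional_param() line below it is still accepted as PARAM_TEXT and stored in `$SESSION->flashversion` without any shape check, so a caller holding a valid sesskey can still plant an arbitrary string in the session. The inline comment says the expected form is `10.0.32`; enforcing it, `if (($flashversion = optional_param('flashversion', false, PARAM_TEXT)) && preg_match('/^\d+\.\d+\.\d+$/', $flashversion)) { // eg 10.0.32`, keeps whatever later compares this value against `$CFG->excludeoldflashclients` (presumably elsewhere in weblib.php) from operating on garbage. Placing `require_sesskey()` before the `$SESSION` check is the right order, since a request without a valid key is refused before any session state is touched; a one-line comment, `// Refuse requests without a valid sesskey so a third-party page cannot set this for a logged-in user.`, would record why it sits there. The closing braces of the enclosing if blocks lie outside the hunk.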