MDL-35238 Accept $CFG->alternativeupdateproviderurl from config.php f…

…ile only There was a potential security risk that someone with access to the Moodle database could update mdl_config table and use it as a vector to install malicious code on the server. Credit goes to Dan Poltawski for raising this.
moodle · Nov 8, 2012 · 56c0508 · 56c0508
1 parent dc11af1
commit 56c0508
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/lib/pluginlib.php b/lib/pluginlib.php
@@ -987,8 +987,8 @@ protected function compare_responses(array $old, array $new) {
     protected function prepare_request_url() {
         global $CFG;
 
-        if (!empty($CFG->alternativeupdateproviderurl)) {
+        if (!empty($CFG->config_php_settings['alternativeupdateproviderurl'])) {
-            return $CFG->alternativeupdateproviderurl;
+            return $CFG->config_php_settings['alternativeupdateproviderurl'];
         } else {
             return 'http://download.moodle.org/api/1.1/updates.php';
         }