
MDL-33501 - oauth2lib: enforce sesskey in oauth2callback.php

The sesskey needs to be embedded in the local url returned as this is the
only parameter we have control of.
danpoltawski committed Jun 4, 2012
1 parent db7602a commit 5df1b737483c9d65e16a72e0937c1efd02edafa1
Showing with 17 additions and 5 deletions.
  1. +9 −1 admin/oauth2callback.php
  2. +4 −2 repository/googledocs/lib.php
  3. +4 −2 repository/picasa/lib.php
@@ -35,4 +35,12 @@
// The state parameter we've given (used in moodle as a redirect url).
$state = required_param('state', PARAM_LOCALURL);
redirect(new moodle_url($state, array('code' => $code)));
$redirecturl = new moodle_url($state);
$params = $redirecturl->params();
if (isset($params['sesskey']) and confirm_sesskey($params['sesskey'])) {
$redirecturl->param('code', $code);
redirect($redirecturl);
} else {
print_error('invalidsesskey');
}
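Review bot: The new `isset($params['sesskey']) and confirm_sesskey($params['sesskey'])` check has no comment explaining why the key is pulled out of the `state` URL instead of the request itself. Without one, a later cleanup could reduce it to a bare `confirm_sesskey()`, which as far as I know looks for a `sesskey` request parameter that the provider never sends back. I would add above the `if`: `// sesskey is carried inside the state URL because state is the only value the OAuth provider returns to us unchanged.` `$code` is assigned above the hunk, so how it is cleaned before being appended to the redirect URL cannot be checked from here.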
@@ -39,8 +39,10 @@ class repository_googledocs extends repository {
public function __construct($repositoryid, $context = SYSCONTEXTID, $options = array()) {
parent::__construct($repositoryid, $context, $options);
$returnurl = new moodle_url('/repository/repository_callback.php',
array('callback' => 'yes', 'repo_id' =>$this->id));
$returnurl = new moodle_url('/repository/repository_callback.php');
$returnurl->param('callback', 'yes');
$returnurl->param('repo_id', $this->id);
$returnurl->param('sesskey', sesskey());
$clientid = get_config('googledocs', 'clientid');
$secret = get_config('googledocs', 'secret');
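Review bot: `$returnurl->param('sesskey', sesskey());` places the session-wide CSRF token in a URL that, judging by the commit description, is handed to the OAuth provider as `state`. The token would then presumably reach the third party and any URL logs or browser history on the way. A per-request random value kept in the session and compared in the callback would bind the response to the session without exposing the sesskey. If the sesskey stays, a comment such as `// sesskey is verified in admin/oauth2callback.php; note it leaves the site inside the OAuth state value` would record the trade-off. The same line is added in the repository_picasa constructor hunk, and both constructors continue outside their hunks.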
@@ -41,8 +41,10 @@ class repository_picasa extends repository {
public function __construct($repositoryid, $context = SYSCONTEXTID, $options = array()) {
parent::__construct($repositoryid, $context, $options);
$returnurl = new moodle_url('/repository/repository_callback.php',
array('callback' => 'yes', 'repo_id' =>$this->id));
$returnurl = new moodle_url('/repository/repository_callback.php');
$returnurl->param('callback', 'yes');
$returnurl->param('repo_id', $this->id);
$returnurl->param('sesskey', sesskey());
$clientid = get_config('picasa', 'clientid');
$secret = get_config('picasa', 'secret');
