MDL-70622 mod_lti: Prevent xss on lti 1.3 authentication script

Without this, people can craft URLs that other users might use not realising what they do - and as a XSS vulnerability, it could do any number of things the clicking-user has access to do on the site. Change-Id: I82adc71e8706d8929011b4b24523d5b62b8ccea1
moodle · May 7, 2021 · 752ad3d · 752ad3d
1 parent 3482ce5
commit 752ad3d
Showing 1 changed file with 7 additions and 5 deletions.
diff --git a/mod/lti/auth.php b/mod/lti/auth.php
@@ -68,12 +68,14 @@
     $ok = false;
     $error = 'access_denied';
 }
-if ($ok) {
+
+// If we're unable to load up config; we cannot trust the redirect uri for POSTing to.
+if (empty($config)) {
+    throw new moodle_exception('invalidrequest', 'error');
+} else {
     $uris = array_map("trim", explode("\n", $config->lti_redirectionuris));
-    $ok = in_array($redirecturi, $uris);
-    if (!$ok) {
-        $error = 'invalid_request';
-        $desc = 'Unregistered redirect_uri ' . $redirecturi;
+    if (!in_array($redirecturi, $uris)) {
+        throw new moodle_exception('invalidrequest', 'error');
     }
 }
 if ($ok) {