
MDL-44605 calendar: improved returnurl validation

Now we will only redirect to a local URL (though the sesskey check was
already preventing this redirect from being an open redirect)
danpoltawski authored and stronk7 committed Jul 3, 2014
1 parent 85f3768 commit cb914a71aa30884da50ef1e77cb542d6873ae2ff
Showing with 3 additions and 3 deletions.
  1. +1 −1 calendar/lib.php
  2. +2 −2 calendar/set.php
@@ -1018,7 +1018,7 @@ function calendar_filter_controls(moodle_url $returnurl) {
$groupevents = true;
$id = optional_param( 'id',0,PARAM_INT );
$seturl = new moodle_url('/calendar/set.php', array('return' => base64_encode($returnurl->out(false)), 'sesskey'=>sesskey()));
$seturl = new moodle_url('/calendar/set.php', array('return' => base64_encode($returnurl->out_as_local_url(false)), 'sesskey'=>sesskey()));
$content = html_writer::start_tag('ul');
$seturl->param('var', 'showglobal');
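Review bot: The docblock of `calendar_filter_controls()` (outside this hunk) should now state that `$returnurl` must be a URL under the site's wwwroot. `moodle_url::out_as_local_url()` throws a `coding_exception` for any other URL, whereas the previous `out(false)` accepted it. A line such as `@param moodle_url $returnurl The URL to return to; must be local to this site` would make the new precondition visible to callers. The function starts and ends outside the hunk, so whether any existing caller passes a non-local URL cannot be confirmed from here.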
@@ -44,14 +44,14 @@
require_sesskey();
$var = required_param('var', PARAM_ALPHA);
$return = clean_param(base64_decode(required_param('return', PARAM_RAW)), PARAM_URL);
$return = clean_param(base64_decode(required_param('return', PARAM_RAW)), PARAM_LOCALURL);
$courseid = optional_param('id', -1, PARAM_INT);
if ($courseid != -1) {
$return = new moodle_url($return, array('course' => $courseid));
} else {
$return = new moodle_url($return);
}
$url = new moodle_url('/calendar/set.php', array('return'=>base64_encode($return->out(false)), 'course' => $courseid, 'var'=>$var, 'sesskey'=>sesskey()));
$url = new moodle_url('/calendar/set.php', array('return'=>base64_encode($return->out_as_local_url(false)), 'course' => $courseid, 'var'=>$var, 'sesskey'=>sesskey()));
$PAGE->set_url($url);
$PAGE->set_context(context_system::instance());
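Review bot: `clean_param(..., PARAM_LOCALURL)` returns an empty string when the decoded `return` value is not a local URL, and the new code passes that result straight into `new moodle_url($return)` without testing for it. An explicit guard after the `clean_param` line would make the rejection path deliberate, for example `if ($return === '') { $return = '/DEFAULT_LOCAL_PAGE_PLACEHOLDER'; }`, so a tampered or truncated parameter lands on a known page instead of whatever an empty `moodle_url` resolves to. The later `$return->out_as_local_url(false)` presumably cannot throw for a value that passed `PARAM_LOCALURL`, but that depends on how `moodle_url` treats the empty string, which is not visible here. The redirect that finally consumes `$return` lies below the hunk.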
