
MDL-48109 mod_lesson: prevent CSRF on lesson

This commit adds a new session key hidden field on the lesson password form
and confirms that the session key is valid on the related pages, to prevent CSRF on
password-protected lessons.
lameze authored and Mr. Jenkins (CiBoT) committed Sep 14, 2015
1 parent 26da47c commit f75333766c7295932baa72a9dbe9542baf14e107
Showing with 3 additions and 0 deletions.
  1. +1 −0 mod/lesson/mediafile.php
  2. +1 −0 mod/lesson/renderer.php
  3. +1 −0 mod/lesson/view.php
@@ -84,6 +84,7 @@
} else if ($lesson->usepassword && empty($USER->lessonloggedin[$lesson->id])) { // Password protected lesson code
$correctpass = false;
if (!empty($userpassword) && (($lesson->password == md5(trim($userpassword))) || ($lesson->password == trim($userpassword)))) {
require_sesskey();
// with or without md5 for backward compatibility (MDL-11090)
$USER->lessonloggedin[$lesson->id] = true;
if ($lesson->highscores) {
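Review bot: `require_sesskey()` is only reached after the submitted password has already been compared, so a forged POST carrying a wrong password is still processed as a login attempt instead of being rejected for a missing session key; calling it as soon as a password is submitted, `if (!empty($userpassword)) { require_sesskey(); }` ahead of the comparison, keeps the CSRF guard in front of the credential check. The view.php hunk places the call at the same position and has the same issue. The comparison on the preceding line still uses loose `==` against the md5 digest or the plaintext, which PHP evaluates with numeric-string semantics; `hash_equals()` would be the usual choice there, though that line predates this commit. The enclosing `else if` branch continues outside the hunk.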
@@ -113,6 +113,7 @@ public function login_prompt(lesson $lesson, $failedattempt = false) {
$output .= '<form id="password" method="post" action="'.$CFG->wwwroot.'/mod/lesson/view.php" autocomplete="off">';
$output .= '<fieldset class="invisiblefieldset center">';
$output .= '<input type="hidden" name="id" value="'. $this->page->cm->id .'" />';
$output .= '<input type="hidden" name="sesskey" value="'.sesskey().'" />';
if ($failedattempt) {
$output .= $this->output->notification(get_string('loginfail', 'lesson'));
}
@@ -83,6 +83,7 @@
} else if ($lesson->usepassword && empty($USER->lessonloggedin[$lesson->id])) { // Password protected lesson code
$correctpass = false;
if (!empty($userpassword) && (($lesson->password == md5(trim($userpassword))) || ($lesson->password == trim($userpassword)))) {
require_sesskey();
// with or without md5 for backward compatibility (MDL-11090)
$USER->lessonloggedin[$lesson->id] = true;
if ($lesson->highscores) {
