/**
* The list of block types that may be added to this page.
*
- * @return array block id => record from block table.
+ * @return array block name => record from block table.
*/
public function get_addable_blocks() {
$this->check_is_loaded();
return false;
}
+ confirm_sesskey();
+
if (!$page->user_is_editing() && !$page->user_can_edit_blocks()) {
throw new moodle_exception('nopermissions', '', $page->url->out(), get_string('addblock'));
}
$page->blocks->add_block_at_end_of_default_region($blocktype);
- $page->url->remove_params('bui_addblock');
+ // If the page URL was a guses, it will contain the bui_... param, so we must make sure it is not there.
+ $page->ensure_param_not_in_url('bui_addblock');
return true;
}
return false;
}
+ confirm_sesskey();
+
$instance = $page->blocks->find_instance($blockid);
blocks_delete_instance($instance->instance);
- $page->url->remove_params('bui_deleteid');
+ // If the page URL was a guses, it will contain the bui_... param, so we must make sure it is not there.
+ $page->ensure_param_not_in_url('bui_deleteid');
return true;
}
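Review bot: In the delete action, nothing visible between the new `confirm_sesskey();` and `blocks_delete_instance($instance->instance);` checks that the current user may edit blocks on this page, whereas the add action above it checks `user_is_editing()` / `user_can_edit_blocks()` right after its sesskey check; the start of the delete method lies outside the hunk, so if the capability check is already performed there this is fine, otherwise the delete path is protected against CSRF but not against an authenticated user who simply is not allowed to edit. Placing `confirm_sesskey()` before any permission check or state change is the right order in both hunks, since a forged request is then rejected before any side effect. The new comment in both hunks has a typo: `// If the page URL was a guses,` should read `// If the page URL was a guess, it will contain the bui_... param, so we must make sure it is not there.` (the same line appears in the add hunk).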
if (is_null($this->_url)) {
debugging('This page did no call $PAGE->set_url(...). Realying on a guess.', DEBUG_DEVELOPER);
global $FULLME;
- return new moodle_url($FULLME);
+ $this->_url = new moodle_url($FULLME);
+ // Make sure the guessed URL cannot lead to dangerous redirects.
+ $this->_url->remove_params('sesskey');
}
return new moodle_url($this->_url); // Return a clone for safety.
}
}
}
+ /**
+ * Make sure page URL does not contain the given URL parameter.
+ *
+ * This should not be necessary if the script has called set_url properly.
+ * However, in some situations like the block editing actions; when the URL
+ * has been guessed, it will contain dangerous block-related actions.
+ * Therefore, the blocks code calls this function to clean up such parameters
+ * before doing any redirect.
+ *
+ * @param string $param the name of the parameter to make sure is not in the
+ * page URL.
+ */
+ public function ensure_param_not_in_url($param) {
+ $discard = $this->url; // Make sure $this->url is lazy-loaded;
+ $this->_url->remove_params($param);
+ }
+
/**
* There can be alternate versions of some pages (for example an RSS feed version).
* If such other version exist, call this method, and a link to the alternate
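Review bot: `$discard = $this->url; // Make sure $this->url is lazy-loaded;` in the new `ensure_param_not_in_url()` keeps an unused local only to trigger what is presumably a magic getter that populates `$this->_url`; that intent is easy to lose on a later cleanup, so either drop the variable (`$this->url;` with the same comment, minus the stray trailing semicolon in the comment) or better, have the method call the same guard as the getter, `if (is_null($this->_url)) { ... }`, so the dependency on the magic property is explicit. Note also that the getter hunk only strips `sesskey` from the guessed `$FULLME` URL, so any other request-supplied action parameter survives in the cached URL unless a caller remembers to call `ensure_param_not_in_url()` for it; the docblock could say so plainly, e.g. `Any other action parameter read from the request must be removed by its caller in the same way.` The `debugging()` wording is unchanged context and not part of this review.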