From 7228f7963fdff07f5e40e6cd333c8c1a3c89f9b7 Mon Sep 17 00:00:00 2001 
From: moodler 
Date: Fri, 1 Oct 2004 15:06:39 +0000 
Subject: [PATCH] Merged sesskey stuff from stable 
---
 course/teacher.php | 10 +++++-----
 lib/moodlelib.php | 46 ++++++++++++++++++++++++++++++----------------
 login/index.php | 3 ++-
 3 files changed, 37 insertions(+), 22 deletions(-) 
diff --git a/course/teacher.php b/course/teacher.php 
index 06a5b6e656..0007f26a68 100644 
--- a/course/teacher.php 
+++ b/course/teacher.php 
@@ -95,7 +95,7 @@
 /// Add a teacher if one is specified 
- if (!empty($_GET['add'])) { 
+ if (!empty($_GET['add']) and confirm_sesskey()) {
 if (! add_teacher($add, $course->id)) {
 error("Could not add that teacher to this course!");
 } 
@@ -103,9 +103,9 @@
 /// Remove a teacher if one is specified. 
- if (!empty($_GET['remove'])) { 
+ if (!empty($_GET['remove']) and confirm_sesskey()) {
 if (! remove_teacher($remove, $course->id)) { 
- error("Could not add that teacher to this course!"); 
+ error("Could not remove that teacher from this course!");
 }
 } 
@@ -150,7 +150,7 @@
 $editall = choose_from_menu ($editmenu, "e$teacher->id", $teacher->editall, "", "", "", true);
 } 
- $removelink = "id&remove=$teacher->id\">$strremoveteacher"; 
+ $removelink = "id&remove=$teacher->id&sesskey=$USER->sesskey\">$strremoveteacher";
 if (!$teacher->role) {
 $teacher->role = $course->teacher; 
@@ -201,7 +201,7 @@
 foreach ($users as $user) { 
- $addlink = "id&add=$user->id\">$straddteacher"; 
+ $addlink = "id&add=$user->id&sesskey=$USER->sesskey\">$straddteacher";
 $picture = print_user_picture($user->id, $course->id, $user->picture, false, true);
 $table->data[] = array ($picture, fullname($user, true), $user->email, $addlink);
 } 
diff --git a/lib/moodlelib.php b/lib/moodlelib.php 
index 9a53d04183..3486e46691 100644 
--- a/lib/moodlelib.php 
+++ b/lib/moodlelib.php 
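Review bot: A sesskey mismatch in the new `if (!empty($_GET['add']) and confirm_sesskey())` guard is indistinguishable from no request at all: the add is skipped silently, with no error shown and nothing logged, and the `remove` branch in the next hunk behaves the same way. A request that carries no sesskey takes a different path, because confirm_sesskey() (added to lib/moodlelib.php in this patch) falls back to required_param('sesskey'), which presumably aborts the script before the comparison is made, so the two failure modes of one check end up with different outcomes. Failing explicitly keeps both visible and gives a place to log rejected requests: `if (!empty($_GET['add']) and !confirm_sesskey()) { error('Invalid session key'); }` ahead of the existing test, and likewise for `remove`. The guard also tests `$_GET['add']` while add_teacher() receives `$add`, which looks like a register_globals dependency; reading the value through required_param('add') would tie the check to the value actually used. The enclosing script continues outside the hunk.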
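Review bot: The session key is appended to plain GET links in `$removelink` here and in `$addlink` in the last hunk, so the token is exposed in the URL, browser history, server logs and the Referer header of any page reached from this one, and because the key is fixed for the whole session (set once at login in login/index.php in this patch) a leaked value stays valid until logout. Submitting these actions through a POST form with the sesskey in a hidden field would keep the key out of URLs; short of that, the separators inside an HTML attribute should be `&amp;` rather than a bare `&`. The anchor markup around these strings appears to have been stripped when the patch was rendered, so the surrounding attribute text cannot be checked here.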
@@ -115,8 +115,6 @@ define('PARAM_INTEGER', 0x02);
 * @return mixed
 */
 function required_param($varname, $options=PARAM_CLEAN) { 
-/// This function will replace require_variable over time 
-/// It returns a value for a given variable name.
 if (isset($_POST[$varname])) { // POST has precedence
 $param = $_POST[$varname]; 
@@ -144,8 +142,6 @@ function required_param($varname, $options=PARAM_CLEAN) {
 * @return mixed
 */
 function optional_param($varname, $default=NULL, $options=PARAM_CLEAN) { 
-/// This function will replace both of the above two functions over time. 
-/// It returns a value for a given variable name.
 if (isset($_POST[$varname])) { // POST has precedence
 $param = $_POST[$varname]; 
@@ -168,10 +164,8 @@ function optional_param($varname, $default=NULL, $options=PARAM_CLEAN) {
 * @return mixed
 */
 function clean_param($param, $options) { 
-/// Given a parameter and a bitfield of options, this function 
-/// will clean it up and give it the required type, etc. 
- if ($param == (int)$param) { // It's just an integer 
+ if ((string)$param == (string)(int)$param) { // It's just an integer
 return (int)$param;
 } 
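Review bot: The new integer test `if ((string)$param == (string)(int)$param)` keeps the loose `==`, and PHP compares two numeric strings numerically under that operator, so inputs such as `'1.0'`, `' 5'` or `'+3'` still satisfy the test and are returned as plain ints before any of the `$options` cleaning is applied. If the intent is "the text is exactly an integer literal", `===` expresses it: `if ((string)$param === (string)(int)$param) { // It's just an integer`. Should `$param` ever be an array, the `(string)` cast yields the literal 'Array' (with a notice), so an `is_array()` guard ahead of this line may be worth adding; the rest of clean_param() lies outside the hunk. The two hunks above only remove superseded comments.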
@@ -187,15 +181,38 @@ function clean_param($param, $options) {
 }
 /** 
- * Ensure that a variable is set or display error 
+ * For security purposes, this function will check that the currently 
+ * given sesskey (passed as a parameter to the script or this function) 
+ * matches that of the current user. 
- * If $var is undefined display an error message using the {@link error()} function. 
- * This function will soon be made obsolete by {@link parameter()} 
+ * 
+ * @param string $sesskey optionally provided sesskey 
+ * @return boolean 
+ */ 
+function confirm_sesskey($sesskey=NULL) { 
+ global $USER; 
+ 
+ if (empty($sesskey)) { 
+ $sesskey = required_param('sesskey'); // Check script parameters 
+ } 
+ 
+ if (!isset($USER->sesskey)) { 
+ return false; 
+ } 
+ 
+ return ($USER->sesskey === $sesskey); 
+} 
+ 
+ 
+/** 
+ * Ensure that a variable is set 
- * 
- * @param mixed $var the variable which may not be set 
+ * If $var is undefined throw an error, otherwise return $var. 
+ * This function will soon be made obsolete by {@link required_param()} 
+ * 
+ * @param mixed $var the variable which may be unset 
+ * @param mixed $default the value to return if $var is unset
 */
 function require_variable($var) { 
-/// Variable must be present
 if (! isset($var)) {
 error('A required parameter was missing');
 } 
@@ -206,20 +223,17 @@ function require_variable($var) {
 * Ensure that a variable is set
 *
 * If $var is undefined set it (by reference), otherwise return $var. 
- * This function is very similar to {@link nvl()} 
- * This function will soon be made obsolete by {@link parameter()} 
+ * This function will soon be made obsolete by {@link optional_param()}
 *
 * @param mixed $var the variable which may be unset
 * @param mixed $default the value to return if $var is unset
 */
 function optional_variable(&$var, $default=0) { 
-/// Variable may be present, if not then set a default
 if (! isset($var)) {
 $var = $default;
 }
 } 
-
 /**
 * Set a key in global configuration
 * 
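Review bot: The docblock added for require_variable() in this hunk lists `@param mixed $default the value to return if $var is unset`, but the signature below it is `function require_variable($var)` with no such parameter, and the body calls error() rather than throwing, so both `If $var is undefined throw an error` and the `$default` line describe a function that does not exist; drop the `$default` line and say `If $var is undefined call error(), otherwise return $var.`. In confirm_sesskey(), `@return boolean` is only half true: when no key is passed and the request carries none, `required_param('sesskey')` presumably aborts the script, so callers written as `and confirm_sesskey()` never see `false` on that path while a wrong key returns `false` quietly; reading the key with `optional_param('sesskey')` would let the function honour its documented contract and leave the reporting to the caller. The strict `===` comparison against `$USER->sesskey` is the right choice and should be kept. The hunk at @@ -206 is a documentation-only change.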
diff --git a/login/index.php b/login/index.php 
index 5128ff1e1b..47fc12b49d 100644 
--- a/login/index.php 
+++ b/login/index.php 
@@ -70,7 +70,8 @@
 $USER->description = true; // No need to cart all of it around
 }
 $USER->loggedin = true; 
- $USER->site = $CFG->wwwroot; // for added security 
+ $USER->site = $CFG->wwwroot; // for added security, store the site in the session 
+ $USER->sesskey = random_string(10); // for added security, used to check script parameters
 if ($USER->username == "guest") {
 $USER->lang = $CFG->lang; // Guest language always same as site 
-- 
2.39.5
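Review bot: The unpredictability of the new `$USER->sesskey = random_string(10);` value rests entirely on random_string(), which is outside this patch; if that helper is built on rand()/mt_rand(), the key is guessable in principle and the per-request check that confirm_sesskey() performs is weaker than its name suggests, so the source of randomness should be confirmed and the requirement recorded next to the assignment: `// sesskey must be unpredictable: confirm_sesskey() compares it against every state-changing request`. This is also the only place the key is assigned, so a session established through any other login path (if one exists) would have `$USER->sesskey` unset, and confirm_sesskey() would then return false for every guarded action in that session with no indication why. The enclosing block starts outside the hunk.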