From 727ae4362ecf61edf4ae8bc3e04952135517fb2d Mon Sep 17 00:00:00 2001
From: tjhunt
Date: Tue, 14 Jul 2009 10:41:59 +0000
Subject: [PATCH] blocks editing ui: MDL-19398 fix adding a block to a page that forgets to call $PAGE->set_url.

---
 lib/blocklib.php | 12 +++++++++---
 lib/pagelib.php  | 21 ++++++++++++++++++++-
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/lib/blocklib.php b/lib/blocklib.php
index 83d238f2f8..5eb1f7f50c 100644
--- a/lib/blocklib.php
+++ b/lib/blocklib.php
@@ -171,7 +171,7 @@ class block_manager {
     /**
      * The list of block types that may be added to this page.
      *
-     * @return array block id => record from block table.
+     * @return array block name => record from block table.
      */
     public function get_addable_blocks() {
         $this->check_is_loaded();
@@ -863,6 +863,8 @@ function block_process_url_add($page) {
         return false;
     }
 
+    confirm_sesskey();
+
     if (!$page->user_is_editing() && !$page->user_can_edit_blocks()) {
         throw new moodle_exception('nopermissions', '', $page->url->out(), get_string('addblock'));
     }
@@ -873,7 +875,8 @@ function block_process_url_add($page) {
 
     $page->blocks->add_block_at_end_of_default_region($blocktype);
 
-    $page->url->remove_params('bui_addblock');
+    // If the page URL was a guses, it will contain the bui_... param, so we must make sure it is not there.
+    $page->ensure_param_not_in_url('bui_addblock');
 
     return true;
 }
@@ -889,10 +892,13 @@ function block_process_url_delete($page) {
         return false;
     }
 
+    confirm_sesskey();
+
     $instance = $page->blocks->find_instance($blockid);
     blocks_delete_instance($instance->instance);
 
-    $page->url->remove_params('bui_deleteid');
+    // If the page URL was a guses, it will contain the bui_... param, so we must make sure it is not there.
+    $page->ensure_param_not_in_url('bui_deleteid');
 
     return true;
 }
diff --git a/lib/pagelib.php b/lib/pagelib.php
index be7b6a0fbf..bb2337a939 100644
--- a/lib/pagelib.php
+++ b/lib/pagelib.php
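Review bot: The return value of the new `confirm_sesskey();` call is discarded, here in block_process_url_add and again in the matching hunk of block_process_url_delete. As far as I recall, Moodle's confirm_sesskey() returns a bool and only aborts by itself when the parameter is entirely absent, so a request carrying a wrong sesskey value would still fall through to the add/delete; please confirm against lib/sessionlib or moodlelib. If so, `require_sesskey();` (which aborts on mismatch) is the intended call, or the bool must be checked explicitly before continuing. The body of block_process_url_add starts before this hunk.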
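Review bot: The new comment above `$page->ensure_param_not_in_url('bui_addblock');` has a typo ("guses") and does not say where the guess comes from; the same comment is duplicated in the block_process_url_delete hunk. Suggested wording for both: `// If $PAGE->set_url() was never called, the page URL is guessed from the request and still carries this bui_... action param; strip it so a redirect back to the page cannot replay the action.`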
@@ -337,7 +337,9 @@ class moodle_page {
         if (is_null($this->_url)) {
             debugging('This page did no call $PAGE->set_url(...). Realying on a guess.', DEBUG_DEVELOPER);
             global $FULLME;
-            return new moodle_url($FULLME);
+            $this->_url = new moodle_url($FULLME);
+            // Make sure the guessed URL cannot lead to dangerous redirects.
+            $this->_url->remove_params('sesskey');
         }
         return new moodle_url($this->_url); // Return a clone for safety.
     }
@@ -715,6 +717,23 @@ class moodle_page {
         }
     }
 
+    /**
+     * Make sure page URL does not contain the given URL parameter.
+     *
+     * This should not be necessary if the script has called set_url properly.
+     * However, in some situations like the block editing actions; when the URL
+     * has been guessed, it will contain dangerous block-related actions.
+     * Therefore, the blocks code calls this function to clean up such parameters
+     * before doing any redirect.
+     *
+     * @param string $param the name of the parameter to make sure is not in the
+     * page URL.
+     */
+    public function ensure_param_not_in_url($param) {
+        $discard = $this->url; // Make sure $this->url is lazy-loaded;
+        $this->_url->remove_params($param);
+    }
+
     /**
      * There can be alternate versions of some pages (for example an RSS feed version).
      * If such other version exist, call this method, and a link to the alternate
-- 
2.39.5
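Review bot: Storing the guess in `$this->_url` is a second behaviour change that the comment on the next line does not mention: the guessed URL is now memoised, so the DEBUG_DEVELOPER notice fires only on first access and any later ensure_param_not_in_url() call mutates this cached object rather than a throwaway one. Only `sesskey` is stripped here; the bui_... action params are left for callers to remove, which is worth stating so nobody assumes the guess is already safe to redirect to. Suggested replacement comment: `// Cache the guess so callers can strip action params from it via ensure_param_not_in_url(); drop the sesskey so the guessed URL never leaks it into a redirect.` Whether set_url() may still be called after this point is not visible in the hunk.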
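Review bot: In ensure_param_not_in_url, `$discard = $this->url;` is an assignment kept only for its side effect, and the trailing comment ends with `;` instead of `.`, so the intent is easy to misread as dead code. Presumably `$this->url` goes through a magic getter that populates `_url` when set_url() was never called, but that getter is not in this hunk, so the comment should say it: `// Reading $this->url runs the url getter, which falls back to a guessed URL and populates $this->_url if set_url() was never called.` A `@return void`-style line in the docblock would also round off the otherwise complete documentation.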