MDL-81491 enrol_lti: fix incorrect login_hint parameter type validation

This was always bad, but since we only used it to verify the existence of the param, and let library code take $_REQUEST for the real validation, it was ok. Now, since we're redirecting to self during necessary cookie checks added by MDL-80835, we lose the real value originally stored in $_REQUEST. This patch just fixes the param type, setting it to raw, which is what it should have used originally. The raw value won't be cast from a string to an int as part of the require_param call, so the value won't be lost any more.
2025-01-17 21:49:15 +01:00 · 2024-04-10 17:38:27 +08:00 · 2024-04-10 17:38:27 +08:00 · 1826c5e1d4
commit 1826c5e1d4
parent b621a7e4b3
1 changed files with 1 additions and 1 deletions
--- a/enrol/lti/login.php
+++ b/enrol/lti/login.php
@ -40,7 +40,7 @@ require_once(__DIR__."/../../config.php");
 // See http://www.imsglobal.org/spec/security/v1p0/#step-1-third-party-initiated-login.
 // Validate these here, despite further validation in the LTI 1.3 library.
 $iss = required_param('iss', PARAM_URL); // Issuer URI of the calling platform.
-$loginhint = required_param('login_hint', PARAM_INT); // Platform ID for the person to login.
+$loginhint = required_param('login_hint', PARAM_RAW); // Platform ID for the person to login.
 $targetlinkuri = required_param('target_link_uri', PARAM_URL); // The took launch URL.

 // Optional lti_message_hint. See https://www.imsglobal.org/spec/lti/v1p3#additional-login-parameters-0.