MDL-48109 mod_lesson: prevent CSRF on password protected lesson

This commit adds a new session key hidden field to the lesson password form
and confirms that the session key is valid on related pages, to prevent CSRF on
password-protected lessons.
Simey Lameze 2015-09-10 15:31:47 +08:00 committed by Mr. Jenkins (CiBoT)
parent c73f6d03e5
commit 541c5b8552
3 changed files with 6 additions and 0 deletions


@ -87,6 +87,7 @@ if (!$canmanage) {
} else if ($lesson->usepassword && empty($USER->lessonloggedin[$lesson->id])) { // Password protected lesson code
$correctpass = false;
if (!empty($userpassword) && (($lesson->password == md5(trim($userpassword))) || ($lesson->password == trim($userpassword)))) {
require_sesskey();
// with or without md5 for backward compatibility (MDL-11090)
$USER->lessonloggedin[$lesson->id] = true;
$correctpass = true;
@ -94,6 +95,7 @@ if (!$canmanage) {
// Group overrides may have additional passwords.
foreach ($lesson->extrapasswords as $password) {
if (strcmp($password, md5(trim($userpassword))) === 0 || strcmp($password, trim($userpassword)) === 0) {
require_sesskey();
$correctpass = true;
$USER->lessonloggedin[$lesson->id] = true;
}
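Review bot: `require_sesskey()` sits inside the branch that is entered only after the submitted password has matched, so the token is validated after the comparison instead of before any submitted password is processed, and in the second hunk it is repeated for every matching entry in `$lesson->extrapasswords`. A single check ahead of the comparison, `if (!empty($userpassword)) { require_sesskey(); }`, would cover both paths and would also token-check the failed-attempt path; the same placement recurs in the last file section on this page. Separately, the context line compares `$lesson->password` with the md5 digest using loose `==`, which PHP can evaluate numerically when both strings look like numbers; `hash_equals()` or `===` would be the safer comparison. The enclosing `if`/`else if` chain starts and ends outside these hunks.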


@ -113,6 +113,7 @@ class mod_lesson_renderer extends plugin_renderer_base {
$output .= '<form id="password" method="post" action="'.$CFG->wwwroot.'/mod/lesson/view.php" autocomplete="off">';
$output .= '<fieldset class="invisiblefieldset center">';
$output .= '<input type="hidden" name="id" value="'. $this->page->cm->id .'" />';
$output .= '<input type="hidden" name="sesskey" value="'.sesskey().'" />';
if ($failedattempt) {
$output .= $this->output->notification(get_string('loginfail', 'lesson'));
}
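Review bot: The new hidden `sesskey` input has no comment linking it to the check that consumes it, so a later edit to this form could drop the field and break password entry with no hint as to why. I would add `// CSRF token: verified by require_sesskey() in the script that handles this form.` above the line. As a style point, the field is built by string concatenation like its neighbours; if `html_writer` is available to this renderer, `html_writer::empty_tag('input', array(...))` would keep attribute escaping in one place. The rest of the method is outside the hunk, so that last suggestion needs checking against the surrounding code.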


@ -86,14 +86,17 @@ if (!$canmanage) {
} else if ($lesson->usepassword && empty($USER->lessonloggedin[$lesson->id])) { // Password protected lesson code
$correctpass = false;
if (!empty($userpassword) && (($lesson->password == md5(trim($userpassword))) || ($lesson->password == trim($userpassword)))) {
require_sesskey();
// with or without md5 for backward compatibility (MDL-11090)
$correctpass = true;
$USER->lessonloggedin[$lesson->id] = true;
} else if (isset($lesson->extrapasswords)) {
// Group overrides may have additional passwords.
foreach ($lesson->extrapasswords as $password) {
if (strcmp($password, md5(trim($userpassword))) === 0 || strcmp($password, trim($userpassword)) === 0) {
require_sesskey();
$correctpass = true;
$USER->lessonloggedin[$lesson->id] = true;
}