From d12cdcbd7d9783b078013e3a2227a8f226aef6e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Mudr=C3=A1k?=
Date: Thu, 15 Feb 2018 12:50:46 +0100
Subject: [PATCH] MDL-61392 enrol_paypal: Improve IPN input parameters checking
---
 enrol/paypal/ipn.php | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/enrol/paypal/ipn.php b/enrol/paypal/ipn.php
index b3cde16be30..a5b09a543c7 100644
--- a/enrol/paypal/ipn.php
+++ b/enrol/paypal/ipn.php
@@ -65,11 +65,27 @@ $req = 'cmd=_notify-validate';
 $data = new stdClass();
 foreach ($_POST as $key => $value) {
+ if ($key !== clean_param($key, PARAM_ALPHANUMEXT)) {
+ throw new moodle_exception('invalidrequest', 'core_error', '', null, $key);
+ }
+ if (is_array($value)) {
+ throw new moodle_exception('invalidrequest', 'core_error', '', null, 'Unexpected array param: '.$key);
+ }
 $req .= "&$key=".urlencode($value);
 $data->$key = fix_utf8($value);
 }
+if (empty($data->custom)) {
+ throw new moodle_exception('invalidrequest', 'core_error', '', null, 'Missing request param: custom');
+}
+
 $custom = explode('-', $data->custom);
+unset($data->custom);
+
+if (empty($custom) || count($custom) < 3) {
+ throw new moodle_exception('invalidrequest', 'core_error', '', null, 'Invalid value of the request param: custom');
+}
+
 $data->userid = (int)$custom[0];
 $data->courseid = (int)$custom[1];
 $data->instanceid = (int)$custom[2];
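Review bot: The `empty($custom)` half of the final guard is dead code — `explode()` on a string always returns at least one element and the `empty($data->custom)` check above already rejects the empty string — while the actual gap is that the `(int)` casts on the three segments silently turn malformed input such as `abc-1-2` into ids of 0 instead of rejecting it. Since `custom` arrives in the raw PayPal POST ahead of whatever `_notify-validate` round-trip presumably follows, I would make the guard enforce the expected shape, `if (count($custom) < 3 || !ctype_digit($custom[0]) || !ctype_digit($custom[1]) || !ctype_digit($custom[2])) {`, keeping the same `moodle_exception` throw. Separately, PHP turns purely numeric POST field names into integer array keys, so a field named e.g. `123` fails the strict `$key !== clean_param(...)` comparison and is rejected; if that is intended, a comment such as `// Integer keys (numeric field names) are deliberately rejected by the strict comparison.` would save the next reader a puzzle. The script continues past the hunk, so how `$data->userid`/`courseid`/`instanceid` are consumed is not visible here.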