From e4a97a7a0103b3fd5af1b1205d53082d9ede7531 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Mudr=C3=A1k?=
Date: Thu, 15 Nov 2018 20:35:46 +0100
Subject: [PATCH] MDL-63994 login: Improve the logintoken param input

The logintoken is supposed to arrive as a part of the login form ($frm) together with the username and password. So it should be handled the same way - including the opportunity for the auth plugins to provide the form data via the loginpage_hook(). This also implies that only logintoken coming as a part of the POST request are taken into account, which is a good thing and another thin layer in this security mechanism.
---
 login/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/login/index.php b/login/index.php
index 335a65e42d1..a04970acfff 100644
--- a/login/index.php
+++ b/login/index.php
@@ -31,7 +31,6 @@ redirect_if_major_upgrade_required();
 $testsession = optional_param('testsession', 0, PARAM_INT); // test session works properly
 $anchor = optional_param('anchor', '', PARAM_RAW); // Used to restore hash anchor to wantsurl.
-$logintoken = optional_param('logintoken', '', PARAM_RAW); // Used to validate the request.
 $resendconfirmemail = optional_param('resendconfirmemail', false, PARAM_BOOL);
@@ -140,6 +139,7 @@ if ($frm and isset($frm->username)) { // Login WITH
 $frm = false;
 } else {
 if (empty($errormsg)) {
+ $logintoken = isset($frm->logintoken) ? $frm->logintoken : '';
 $user = authenticate_user_login($frm->username, $frm->password, false, $errorcode, $logintoken);
 }
 }
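Review bot: The added `$logintoken = isset($frm->logintoken) ? $frm->logintoken : '';` in the second hunk passes the form field on without any type check, while the removed `optional_param('logintoken', '', PARAM_RAW)` at least went through the parameter API. If `$frm` is filled from raw POST data or by an auth plugin's `loginpage_hook()` (as the commit message describes; the code that builds `$frm` is outside the hunk), a non-string value such as an array could reach `authenticate_user_login()`. I would accept only strings here, `$logintoken = (isset($frm->logintoken) && is_string($frm->logintoken)) ? $frm->logintoken : '';`, and add a short comment such as `// Login token is read from the submitted login form ($frm) only.` so the POST-only intent stays visible next to the code. The enclosing `if ($frm and isset($frm->username))` block starts and ends outside the hunk.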