MDL-53689 xmldb: Require a sesskey to load xml

Loading and unloading xml files is not protected from CSRF (cross-site request forgery) by a sesskey.
This commit is contained in:
Damyon Wiese 2019-05-17 13:41:45 +08:00 committed by Jenkins
parent af1fce5cb9
commit ea1ac3c7ef
3 changed files with 2 additions and 8 deletions


@ -38,9 +38,6 @@ class load_xml_file extends XMLDBAction {
$this->can_subaction = ACTION_NONE;
//$this->can_subaction = ACTION_HAVE_SUBACTIONS;
// Set own custom attributes
$this->sesskey_protected = false; // This action doesn't need sesskey protection
// Get needed strings
$this->loadStrings(array(
// 'key' => 'module',
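Review bot: With the override on the removed line gone, whether load_xml_file is sesskey-protected now depends entirely on the default set in XMLDBAction::init(), which is outside this hunk and presumably `true`; nothing in this class states that intent any more. Since the point of the commit is to make this action protected, I would pin it explicitly instead of inheriting it: `$this->sesskey_protected = true; // Loading install.xml mutates server-side state, so require a sesskey (MDL-53689).` That way a later change to the base-class default cannot silently reopen the CSRF hole in this action. The init() method begins and ends outside the visible lines.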


@ -169,7 +169,7 @@ class main_view extends XMLDBAction {
file_exists($key . '/install.xml') &&
is_readable($key . '/install.xml') &&
empty($dbdir->xml_loaded)) {
$b .= '<a href="index.php?action=load_xml_file&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $key)) . '&amp;time=' . time() . '&amp;postaction=main_view#lastused">[' . $this->str['load'] . ']</a>';
$b .= '<a href="index.php?action=load_xml_file&amp;sesskey=' . sesskey() . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $key)) . '&amp;time=' . time() . '&amp;postaction=main_view#lastused">[' . $this->str['load'] . ']</a>';
} else {
$b .= '[' . $this->str['load'] . ']';
}
@ -239,7 +239,7 @@ class main_view extends XMLDBAction {
is_readable($key . '/install.xml') &&
!empty($dbdir->xml_loaded) &&
empty($dbdir->xml_changed)) {
$b .= '<a href="index.php?action=unload_xml_file&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $key)) . '&amp;time=' . time() . '&amp;postaction=main_view#lastused">[' . $this->str['unload'] . ']</a>';
$b .= '<a href="index.php?action=unload_xml_file&amp;sesskey=' . sesskey() . '&amp;dir=' . urlencode(str_replace($CFG->dirroot, '', $key)) . '&amp;time=' . time() . '&amp;postaction=main_view#lastused">[' . $this->str['unload'] . ']</a>';
} else {
$b .= '[' . $this->str['unload'] . ']';
}
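Review bot: The rewritten load and unload links put `sesskey()` straight into the query string of a GET link, so the token will now show up in browser history, proxy and server access logs, and the Referer header of any outbound link from the resulting page; this matches how `dir`, `time` and `postaction` are already carried, but a state-changing action is better driven by a small POST form, or the page should at least emit a restrictive `Referrer-Policy`. The token is also the only query value on these lines not passed through `urlencode()` — harmless if sesskey is guaranteed alphanumeric, but `urlencode(sesskey())` keeps the line's own convention and costs nothing. If a `moodle_url` helper is usable in this file, building both URLs with it would centralise the escaping and the `&amp;` separators rather than repeating the concatenation in two places. The enclosing method in main_view begins and ends outside both hunks.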


@ -35,9 +35,6 @@ class unload_xml_file extends XMLDBAction {
function init() {
parent::init();
// Set own custom attributes
$this->sesskey_protected = false; // This action doesn't need sesskey protection
// Get needed strings
$this->loadStrings(array(
// 'key' => 'module',
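Review bot: After the deletion, unload_xml_file no longer says anything about sesskey handling and silently inherits whatever `parent::init()` on the line above sets, which I take to be `true` given the commit's intent but cannot confirm from here. I would make the requirement explicit so the protection does not hinge on an invisible default: `$this->sesskey_protected = true; // Unloading clears the loaded install.xml state, so require a sesskey.` A regression test asserting that `index.php?action=unload_xml_file` without a sesskey is rejected would also lock the behaviour in, assuming this tool has a test suite to add it to. init() continues past the end of the hunk.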