From ea1ac3c7efbddbdb210ea4c75e7156c7d7ee914b Mon Sep 17 00:00:00 2001
From: Damyon Wiese
Date: Fri, 17 May 2019 13:41:45 +0800
Subject: [PATCH] MDL-53689 xmldb: Require a sesskey to load xml

Loading and unloading xml files is not protected from XSS with a sesskey.
---
 .../tool/xmldb/actions/load_xml_file/load_xml_file.class.php | 3 ---
 admin/tool/xmldb/actions/main_view/main_view.class.php | 4 ++--
 .../xmldb/actions/unload_xml_file/unload_xml_file.class.php | 3 ---
 3 files changed, 2 insertions(+), 8 deletions(-)

diff --git a/admin/tool/xmldb/actions/load_xml_file/load_xml_file.class.php b/admin/tool/xmldb/actions/load_xml_file/load_xml_file.class.php
index a6384153941..3a7b01d59be 100644
--- a/admin/tool/xmldb/actions/load_xml_file/load_xml_file.class.php
+++ b/admin/tool/xmldb/actions/load_xml_file/load_xml_file.class.php
@@ -38,9 +38,6 @@ class load_xml_file extends XMLDBAction {
 $this->can_subaction = ACTION_NONE;
 //$this->can_subaction = ACTION_HAVE_SUBACTIONS;
 
- // Set own custom attributes
- $this->sesskey_protected = false; // This action doesn't need sesskey protection
-
 // Get needed strings
 $this->loadStrings(array(
 // 'key' => 'module',
diff --git a/admin/tool/xmldb/actions/main_view/main_view.class.php b/admin/tool/xmldb/actions/main_view/main_view.class.php
index 5ac58fc4577..feef78ae00f 100644
--- a/admin/tool/xmldb/actions/main_view/main_view.class.php
+++ b/admin/tool/xmldb/actions/main_view/main_view.class.php
@@ -169,7 +169,7 @@ class main_view extends XMLDBAction {
 file_exists($key . '/install.xml') &&
 is_readable($key . '/install.xml') &&
 empty($dbdir->xml_loaded)) {
- $b .= '[' . $this->str['load'] . ']';
+ $b .= '[' . $this->str['load'] . ']';
 } else {
 $b .= '[' . $this->str['load'] . ']';
 }
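Review bot: Dropping `$this->sesskey_protected = false;` from load_xml_file's init() only turns the check on if the inherited default is true, and that default is set outside this hunk (the `parent::init()` call is visible only in the matching unload_xml_file hunk at -35, which has the same issue). Because the protection now rests on an inherited default, a short comment where the override used to be would stop someone from re-adding it, e.g. `// Keep the default sesskey protection from XMLDBAction: this action is reachable by link and must not be CSRF-able.` It is also worth grepping for any other link or redirect to `action=load_xml_file` or `action=unload_xml_file` beyond the two changed in main_view, since a caller that omits the sesskey will presumably now be rejected. init() begins and ends outside the hunk.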
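Review bot: The `[load]` link built at the changed `$b .=` line (and the `[unload]` link in the hunk at -239) still triggers the action through a plain GET anchor, so the session key has to travel in the URL, where it can end up in server access logs, browser history and Referer headers. The anchor markup itself is not visible on this page, so this is inferred from the commit title rather than read from the line. If the href is concatenated by hand, building it with `moodle_url` and `sesskey()` would keep the parameter escaping in one place. At minimum a comment above each link, such as `// load_xml_file requires a sesskey; keep it in this link.`, would document the coupling between this view and the two actions. The enclosing method starts and ends outside both hunks.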
@@ -239,7 +239,7 @@ class main_view extends XMLDBAction {
 is_readable($key . '/install.xml') &&
 !empty($dbdir->xml_loaded) &&
 empty($dbdir->xml_changed)) {
- $b .= '[' . $this->str['unload'] . ']';
+ $b .= '[' . $this->str['unload'] . ']';
 } else {
 $b .= '[' . $this->str['unload'] . ']';
 }
diff --git a/admin/tool/xmldb/actions/unload_xml_file/unload_xml_file.class.php b/admin/tool/xmldb/actions/unload_xml_file/unload_xml_file.class.php
index 0468cb2ca5d..78b2cab6d6e 100644
--- a/admin/tool/xmldb/actions/unload_xml_file/unload_xml_file.class.php
+++ b/admin/tool/xmldb/actions/unload_xml_file/unload_xml_file.class.php
@@ -35,9 +35,6 @@ class unload_xml_file extends XMLDBAction {
 function init() {
 parent::init();
 
- // Set own custom attributes
- $this->sesskey_protected = false; // This action doesn't need sesskey protection
-
 // Get needed strings
 $this->loadStrings(array(
 // 'key' => 'module',