From f5587cf8818ebc4fce701460f9e34a1724566123 Mon Sep 17 00:00:00 2001
From: Jake Dallimore
Date: Wed, 10 Apr 2024 17:38:27 +0800
Subject: [PATCH] MDL-81491 enrol_lti: fix incorrect login_hint parameter type validation

This was always bad, but since we only used it to verify the existence of the param, and let library code take $_REQUEST for the real validation, it was ok. Now, since we're redirecting to self during necessary cookie checks added by MDL-80835, we lose the real value originally stored in $_REQUEST. This patch just fixes the param type, setting it to raw, which is what it should have used originally. The raw value won't be cast from a string to an int as part of the require_param call, so the value won't be lost any more.
---
 enrol/lti/login.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/enrol/lti/login.php b/enrol/lti/login.php
index 33b168bd436..2cc2264fc3d 100644
--- a/enrol/lti/login.php
+++ b/enrol/lti/login.php
@@ -40,7 +40,7 @@ require_once(__DIR__."/../../config.php");
 // See http://www.imsglobal.org/spec/security/v1p0/#step-1-third-party-initiated-login.
 // Validate these here, despite further validation in the LTI 1.3 library.
 $iss = required_param('iss', PARAM_URL); // Issuer URI of the calling platform.
-$loginhint = required_param('login_hint', PARAM_INT); // Platform ID for the person to login.
+$loginhint = required_param('login_hint', PARAM_RAW); // Platform ID for the person to login.
 $targetlinkuri = required_param('target_link_uri', PARAM_URL); // The took launch URL.
 
 // Optional lti_message_hint. See https://www.imsglobal.org/spec/lti/v1p3#additional-login-parameters-0.
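Review bot: `PARAM_RAW` applies no cleaning, so on the changed `$loginhint` line the value is now an unvalidated, caller-supplied string, and the context comment "Validate these here, despite further validation in the LTI 1.3 library" no longer holds for it; only its presence is checked. The commit message says the page redirects to itself during the cookie check and relies on this value instead of `$_REQUEST`, so wherever it is re-emitted it presumably needs context-appropriate encoding (URL-encoding in the redirect, escaping in any HTML output); that code is outside this hunk, so this cannot be confirmed from here. I would state the contract in the trailing comment, e.g. `// Opaque platform-supplied hint: presence check only, not cleaned; encode on output.` The rest of the script continues outside the hunk.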