LTI 1.1 uses OAuth 1.0, which requires 'hostname', among other things,
as part of signature verification. When Moodle is run behind a reverse
proxy, $_SERVER['SERVER_NAME'] is an unreliable way to fetch hostname.
It isn't always equal to the external hostname but instead can contain
the local host, meaning the signature verification will fail. This
change replaces the use of $_SERVER vars with $FULLME - which already
takes this into account - to fix the signature verification.

Co-authored-by: Berengar W. Lehr <Berengar.Lehr@uni-jena.de>
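
Added example (not part of the commit and not Moodle's code): a minimal RFC 5849 HMAC-SHA1 check showing why the hostname matters. The launch is signed over the external URL, so verification against a URL rebuilt from the backend's server variables fails, while verification against the externally visible URL (the role the message gives to $FULLME) succeeds. All hosts, the path, the key, the secret and the function names are constructed for illustration.

```php
<?php
// Added example, not Moodle code. Hosts, path, key and secret are constructed.
// RFC 5849 section 3.4.1: METHOD & base-string-URI & sorted, encoded parameters.
// Assumes one value per parameter name.
function signature_base_string(string $method, string $url, array $params): string {
    unset($params['oauth_signature']);
    $enc = [];
    foreach ($params as $k => $v) {
        $enc[rawurlencode($k)] = rawurlencode((string) $v);
    }
    uksort($enc, 'strcmp');
    $pairs = [];
    foreach ($enc as $k => $v) {
        $pairs[] = $k . '=' . $v;
    }
    return strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode(implode('&', $pairs));
}

function sign(string $base, string $consumerSecret): string {
    // The HMAC key is "consumer secret & token secret"; the token secret is empty here.
    return base64_encode(hash_hmac('sha1', $base, rawurlencode($consumerSecret) . '&', true));
}

function verify(string $method, string $url, array $params, string $secret): bool {
    $expected = sign(signature_base_string($method, $url, $params), $secret);
    return hash_equals($expected, $params['oauth_signature'] ?? '');
}

$secret = 'constructed-secret';
$params = [
    'oauth_consumer_key' => 'constructed-key', 'oauth_nonce' => 'n-0001',
    'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => '1700000000',
    'oauth_version' => '1.0', 'lti_message_type' => 'basic-lti-launch-request',
    'lti_version' => 'LTI-1p0', 'resource_link_id' => 'constructed-link',
];
// The consumer signs the URL it actually posts to: the external one.
$external = 'https://lms.example.org/lti/launch';
$params['oauth_signature'] = sign(signature_base_string('POST', $external, $params), $secret);
// What the backend sees behind the reverse proxy (constructed values).
$server = ['SERVER_NAME' => 'localhost', 'SERVER_PORT' => '8080', 'REQUEST_URI' => '/lti/launch'];
$internal = 'http://' . $server['SERVER_NAME'] . ':' . $server['SERVER_PORT'] . $server['REQUEST_URI'];
var_dump(verify('POST', $internal, $params, $secret)); // URL rebuilt from server variables
var_dump(verify('POST', $external, $params, $secret)); // externally visible URL
```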

This fixes an exploit where you could alter the 'Content-Type' of the
request and bypass the case-sensitive check 'strstr'. For example,
setting it to 'application/x-www-FORM-urlencoded'. However, changing
this to use 'stristr' was also not an acceptable approach as you
could also bypass it by setting the value to 'multipart/form-data'.

* Define consumer profile member variable for ToolConsumer class
* Added context type property for Context class
* Set context type if 'context_type' parameter was submitted through POST

This commit can be dropped once the pull requests for these changes have
been integrated upstream.