moodle/moodle
3
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-08-04 16:36:37 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

MDL-70668 auth: Fix secret validation during user confirmation

Browse source 
Co-authored-by: Michael Hawkins <michaelh@moodle.com>
This commit is contained in:
Sander Wind 2021-01-19 16:05:41 +08:00 committed by Jenkins
parent 5d6e97dabb
commit 3f9d4a08a5
4 changed files with 7 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

6
auth/email/auth.php
View file

@ -178,10 +178,10 @@ class auth_plugin_email extends auth_plugin_base {
if ($user->auth != $this->authtype) { if ($user->auth != $this->authtype) {
return AUTH_CONFIRM_ERROR; return AUTH_CONFIRM_ERROR;
} else if ($user->secret == $confirmsecret && $user->confirmed) { } else if ($user->secret === $confirmsecret && $user->confirmed) {
return AUTH_CONFIRM_ALREADY; return AUTH_CONFIRM_ALREADY;
} else if ($user->secret == $confirmsecret) { // They have provided the secret key to get in } else if ($user->secret === $confirmsecret) { // They have provided the secret key to get in
$DB->set_field("user", "confirmed", 1, array("id"=>$user->id)); $DB->set_field("user", "confirmed", 1, array("id"=>$user->id));
if ($wantsurl = get_user_preferences('auth_email_wantsurl', false, $user)) { if ($wantsurl = get_user_preferences('auth_email_wantsurl', false, $user)) {
@ -257,5 +257,3 @@ class auth_plugin_email extends auth_plugin_base {
} }
} }

4
auth/ldap/auth.php
View file

@ -598,10 +598,10 @@ class auth_plugin_ldap extends auth_plugin_base {
if ($user->auth != $this->authtype) { if ($user->auth != $this->authtype) {
return AUTH_CONFIRM_ERROR; return AUTH_CONFIRM_ERROR;
} else if ($user->secret == $confirmsecret && $user->confirmed) { } else if ($user->secret === $confirmsecret && $user->confirmed) {
return AUTH_CONFIRM_ALREADY; return AUTH_CONFIRM_ALREADY;
} else if ($user->secret == $confirmsecret) { // They have provided the secret key to get in } else if ($user->secret === $confirmsecret) { // They have provided the secret key to get in
if (!$this->user_activate($username)) { if (!$this->user_activate($username)) {
return AUTH_CONFIRM_FAIL; return AUTH_CONFIRM_FAIL;
} }

4
auth/oauth2/classes/auth.php
View file

@ -372,10 +372,10 @@ class auth extends \auth_plugin_base {
if ($user->auth != $this->authtype) { if ($user->auth != $this->authtype) {
return AUTH_CONFIRM_ERROR; return AUTH_CONFIRM_ERROR;
} else if ($user->secret == $confirmsecret && $user->confirmed) { } else if ($user->secret === $confirmsecret && $user->confirmed) {
return AUTH_CONFIRM_ALREADY; return AUTH_CONFIRM_ALREADY;
} else if ($user->secret == $confirmsecret) { // They have provided the secret key to get in. } else if ($user->secret === $confirmsecret) { // They have provided the secret key to get in.
$DB->set_field("user", "confirmed", 1, array("id" => $user->id)); $DB->set_field("user", "confirmed", 1, array("id" => $user->id));
return AUTH_CONFIRM_OK; return AUTH_CONFIRM_OK;
} }

2
lib/classes/user.php
View file

@ -710,7 +710,7 @@ class core_user {
$fields['lastlogin'] = array('type' => PARAM_INT, 'null' => NULL_NOT_ALLOWED); $fields['lastlogin'] = array('type' => PARAM_INT, 'null' => NULL_NOT_ALLOWED);
$fields['currentlogin'] = array('type' => PARAM_INT, 'null' => NULL_NOT_ALLOWED); $fields['currentlogin'] = array('type' => PARAM_INT, 'null' => NULL_NOT_ALLOWED);
$fields['lastip'] = array('type' => PARAM_NOTAGS, 'null' => NULL_NOT_ALLOWED); $fields['lastip'] = array('type' => PARAM_NOTAGS, 'null' => NULL_NOT_ALLOWED);
$fields['secret'] = array('type' => PARAM_RAW, 'null' => NULL_NOT_ALLOWED); $fields['secret'] = array('type' => PARAM_ALPHANUM, 'null' => NULL_NOT_ALLOWED);
$fields['picture'] = array('type' => PARAM_INT, 'null' => NULL_NOT_ALLOWED); $fields['picture'] = array('type' => PARAM_INT, 'null' => NULL_NOT_ALLOWED);
$fields['url'] = array('type' => PARAM_URL, 'null' => NULL_NOT_ALLOWED); $fields['url'] = array('type' => PARAM_URL, 'null' => NULL_NOT_ALLOWED);
$fields['description'] = array('type' => PARAM_RAW, 'null' => NULL_ALLOWED); $fields['description'] = array('type' => PARAM_RAW, 'null' => NULL_ALLOWED);