MDL-33501 - oauth2lib: enforce sesskey in oauth2callback.php

The sesskey needs to be embeded in the local url returned as this is the only parameter we have control of.
2025-08-03 16:13:28 +02:00 · 2012-06-04 11:11:38 +08:00 · 2012-06-04 11:11:38 +08:00 · 5df1b73748
commit 5df1b73748
parent db7602af7c
3 changed files with 17 additions and 5 deletions
--- a/admin/oauth2callback.php
+++ b/admin/oauth2callback.php
@ -35,4 +35,12 @@ $code = required_param('code', PARAM_RAW);
 // The state parameter we've given (used in moodle as a redirect url).
 $state = required_param('state', PARAM_LOCALURL);
-redirect(new moodle_url($state, array('code' => $code)));
+$redirecturl = new moodle_url($state);
 $params = $redirecturl->params();
 if (isset($params['sesskey']) and confirm_sesskey($params['sesskey'])) {
    $redirecturl->param('code', $code);
    redirect($redirecturl);
 } else {
    print_error('invalidsesskey');
 }
--- a/repository/googledocs/lib.php
+++ b/repository/googledocs/lib.php
@ -39,8 +39,10 @@ class repository_googledocs extends repository {
    public function __construct($repositoryid, $context = SYSCONTEXTID, $options = array()) {
        parent::__construct($repositoryid, $context, $options);
-        $returnurl = new moodle_url('/repository/repository_callback.php',
+        $returnurl = new moodle_url('/repository/repository_callback.php');
-            array('callback' => 'yes', 'repo_id' =>$this->id));
+        $returnurl->param('callback', 'yes');
        $returnurl->param('repo_id', $this->id);
        $returnurl->param('sesskey', sesskey());
        $clientid = get_config('googledocs', 'clientid');
        $secret = get_config('googledocs', 'secret');
--- a/repository/picasa/lib.php
+++ b/repository/picasa/lib.php
@ -41,8 +41,10 @@ class repository_picasa extends repository {
    public function __construct($repositoryid, $context = SYSCONTEXTID, $options = array()) {
        parent::__construct($repositoryid, $context, $options);
-        $returnurl = new moodle_url('/repository/repository_callback.php',
+        $returnurl = new moodle_url('/repository/repository_callback.php');
-            array('callback' => 'yes', 'repo_id' =>$this->id));
+        $returnurl->param('callback', 'yes');
        $returnurl->param('repo_id', $this->id);
        $returnurl->param('sesskey', sesskey());
        $clientid = get_config('picasa', 'clientid');
        $secret = get_config('picasa', 'secret');