Moodle / MDL-32545

If the LTI Launch URL contains an &, it doesn't get signed properly in the launch

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 2.2, 2.2.1, 2.2.2
    • Fix Version/s: None
    • Labels: None
    • Rank: 39451

      Description

      LTI stores the launch URL with htmlspecialchars, which converts & to &amp;. When launching, the URL is not htmlspecialchars_decode'd, so the parameter gets included with amp; prepended.

      This causes the OAuth signature to not match on the tool provider when launched, which causes the launch to fail with an invalid signature.
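
The mismatch described above, reproduced as an added PHP example (not Moodle's code and not the linked fix): it signs one LTI launch over the escaped URL and over the decoded URL and compares each with the signature for the real URL. Assumptions: the helpers query_params and oauth_signature are hypothetical, the launch parameters are constructed, and the provider is taken to verify over the unescaped query parameters.

```php
<?php
// Added illustration, not Moodle's code. Key and secret are the test values from the issue.

// Split a URL's query string into decoded name => value pairs.
function query_params(string $url): array {
    $params = [];
    $query = (string) parse_url($url, PHP_URL_QUERY);
    foreach (array_filter(explode('&', $query), 'strlen') as $pair) {
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $params[rawurldecode($name)] = rawurldecode($value);
    }
    return $params;
}

// OAuth 1.0 HMAC-SHA1 signature over method, base URL and sorted parameters.
function oauth_signature(string $method, string $url, array $params, string $secret): string {
    ksort($params, SORT_STRING);
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = rawurlencode((string) $name) . '=' . rawurlencode((string) $value);
    }
    $base = strtoupper($method) . '&' . rawurlencode(explode('?', $url, 2)[0])
          . '&' . rawurlencode(implode('&', $pairs));
    // Signing key is consumer secret + '&' + token secret (empty for an LTI launch).
    return base64_encode(hash_hmac('sha1', $base, rawurlencode($secret) . '&', true));
}

$launch_url = 'http://www.imsglobal.org/developers/LTI/test/v1p1/tool.php?test=1&testing=2';
$stored_url = htmlspecialchars($launch_url);        // the form the description says is stored
$fixed_url  = htmlspecialchars_decode($stored_url); // decoded before signing

// Constructed launch parameters; nonce and timestamp are fixed so runs are repeatable.
$launch = [
    'lti_message_type'       => 'basic-lti-launch-request',
    'lti_version'            => 'LTI-1p0',
    'resource_link_id'       => 'constructed-link-1',
    'oauth_consumer_key'     => '12345',
    'oauth_nonce'            => 'constructed-nonce',
    'oauth_timestamp'        => '1335000000',
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_version'          => '1.0',
];

// Assumption: the provider verifies over the query parameters of the real URL.
$expected = oauth_signature('POST', $launch_url, $launch + query_params($launch_url), 'secret');
foreach (['stored (escaped)' => $stored_url, 'decoded' => $fixed_url] as $label => $url) {
    $params = query_params($url);
    $sig = oauth_signature('POST', $url, $launch + $params, 'secret');
    printf("%-17s query names: %-22s signature matches provider: %s\n", $label,
        implode(', ', array_keys($params)), hash_equals($expected, $sig) ? 'yes' : 'no');
}
```

The only difference between the two signed requests is the parameter name taken from the escaped query string, which is enough to change the signature base string.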

        Activity

        Chris Scribner added a comment -

        Fix is here: https://github.com/scriby/moodle/tree/MDL-32545

        Chris Scribner added a comment -

        Dan, can you take a look at this one too?

        Dan Poltawski added a comment -

        Yep!

        Dan Poltawski added a comment -

        Hi Chris,

        Sorry for my slow review.

        Looks fine. You could use moodle_url() to do the decoding (which would be the more standard moodle approach).

        If you could create testing instructions I will submit this for integration.

        Chris Scribner added a comment -

        Testing instructions:

        Set up http://www.imsglobal.org/developers/LTI/test/v1p1/tool.php?test=1&testing=2 as an external tool in a course (key: 12345, secret: secret).

        If you can launch the tool and don't see any errors, then it's working correctly.

        Michael de Raadt added a comment -

        Thanks for reporting this issue.

        We have detected that this issue has been inactive for over a year. It was reported as affecting versions that are no longer supported.

        If you believe that this issue is still relevant to current versions (2.5 and beyond), please comment on the issue. Issues left inactive for a further month will be closed.

        Michael d.

        TW9vZGxlDQo=

        Michael de Raadt added a comment -

        I'm closing this issue as it has been inactive for over a year and has been recorded as affecting versions that are no longer supported.

        This is being done as part of a bulk annual clean-up of issues.

        If you still believe this is an issue in supported versions, please create a new issue.
