[MDL-69807] Editing a block exposes the CSRF token (sesskey) in the url - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.9.2
Fix Version/s: 3.8.6, 3.9.3
Component/s: Blocks
Labels:
- CatalystIT
- ci
- partner
- release_notes
- security_benefit
- triaged

Affected Branches:
MOODLE_39_STABLE
Fixed Branches:
MOODLE_38_STABLE, MOODLE_39_STABLE
Pull from Repository:
https://github.com/paulholden/moodle.git
Pull 3.9 Branch:
~~MDL-69807~~-39
Pull 3.9 Diff URL:
https://github.com/moodle/moodle/compare/MOODLE_39_STABLE...paulholden:MDL-69807-39
Pull Main Branch:
~~MDL-69807~~
Pull Main Diff URL:
https://github.com/moodle/moodle/compare/master...paulholden:MDL-69807
Testing Instructions:
Hide

Login as admin

Create a course

Turn editing on

Add a HTML block

From the HTML block, click Actions menu > Configure (new HTML block) block

Confirm there is no "&sesskey=...." parameter present in the URL

Add some content and press Save changes

Confirm HTML block content has been updated on the course page

From the HTML block, click Actions menu > Delete (new HTML block) block

Confirm there is no "&sesskey=...." parameter present in the URL
Show
Login as admin Create a course Turn editing on Add a HTML block From the HTML block, click Actions menu > Configure (new HTML block) block Confirm there is no "&sesskey=...." parameter present in the URL Add some content and press Save changes Confirm HTML block content has been updated on the course page From the HTML block, click Actions menu > Delete (new HTML block) block Confirm there is no "&sesskey=...." parameter present in the URL

Description

Just another sesskey which is not needed in the original get, only on the subsequent posts when saving the form.

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

image-2020-10-19-17-18-23-453.png
16 kB
19/Oct/20 2:18 PM
image-2020-10-21-15-03-48-262.png
66 kB
21/Oct/20 3:03 PM

Issue Links

caused a regression

MDL-72599 Cannot configure or delete blocks added to admin/index.php

Closed

will help resolve

MDL-40715 Problem with changing language while editing block

Closed

Activity

People

Assignee:: Paul Holden

Reporter:: Brendan Heywood

Peer reviewer:: Brendan Heywood

Integrator:: Adrian Greeve

Tester:: Janelle Barcega

Participants:: Adrian Greeve, Brendan Heywood, CiBoT, Janelle Barcega, Paul Holden

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 28/Sep/20 8:26 AM

Updated:: 17/Sep/21 7:19 PM

Resolved:: 23/Oct/20 9:05 PM

Fix Release Date:: 9/Nov/20

Time Tracking

Estimated:

0m

Remaining:

0m

Logged:

1h 50m