  1. Moodle
  2. MDL-69807

Editing a block exposes the CSRF token (sesskey) in the url


    • MOODLE_39_STABLE
    • MOODLE_38_STABLE, MOODLE_39_STABLE
      1. Login as admin
      2. Create a course
      3. Turn editing on
      4. Add a HTML block
      5. From the HTML block, click Actions menu > Configure (new HTML block) block
      6. Confirm there is no "&sesskey=...." parameter present in the URL
      7. Add some content and press Save changes
      8. Confirm HTML block content has been updated on the course page
      9. From the HTML block, click Actions menu > Delete (new HTML block) block
      10. Confirm there is no "&sesskey=...." parameter present in the URL

       


      Just another sesskey which is not needed in the original GET, only on the subsequent POSTs when saving the form.
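
As an added example (not part of the Moodle issue or its patch), this Python script checks web-server access logs for the exposure described here: a sesskey in the query string of a GET request, or carried onward in a Referer header. It assumes Combined Log Format; the log lines, host name, paths and token values are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ... "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

def has_sesskey(url):
    """True if the URL's query string carries a sesskey parameter."""
    return "sesskey" in parse_qs(urlsplit(url).query, keep_blank_values=True)

def redact(url):
    """Mask the token value so the report does not leak it again."""
    return re.sub(r"(?<=[?&]sesskey=)[^&#\s]*", "[redacted]", url)

def find_sesskey_exposure(log_lines):
    """Return (line_no, where, redacted_url) for each GET or Referer leak."""
    findings = []
    for line_no, line in enumerate(log_lines, start=1):
        m = LOG_RE.search(line)
        if not m:
            continue  # not a request line in the assumed format
        if m["method"] == "GET" and has_sesskey(m["target"]):
            findings.append((line_no, "GET url", redact(m["target"])))
        if has_sesskey(m["referer"]):
            findings.append((line_no, "Referer", redact(m["referer"])))
    return findings

# Constructed sample access-log lines (host, paths and tokens are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Oct/2020:10:00:00 +0000] "GET /course/view.php?id=2&bui_editid=7&sesskey=AbC123xyz0 HTTP/1.1" 200 5120 "https://moodle.example/course/view.php?id=2" "UA"',
    '10.0.0.5 - - [01/Oct/2020:10:00:09 +0000] "POST /course/view.php HTTP/1.1" 303 0 "https://moodle.example/course/view.php?id=2&bui_editid=7" "UA"',
    '10.0.0.5 - - [01/Oct/2020:10:00:20 +0000] "GET /theme/image.php/boost/core/1/spacer HTTP/1.1" 200 43 "https://moodle.example/course/view.php?id=2&bui_deleteid=7&sesskey=AbC123xyz0" "UA"',
]

if __name__ == "__main__":
    for finding in find_sesskey_exposure(SAMPLE_LOG):
        print(finding)
```

A POST that carries the sesskey in its body is not flagged, which matches the issue's point that the token is only needed when the form is saved.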

       

            pholden Paul Holden
            brendanheywood Brendan Heywood
            Brendan Heywood Brendan Heywood
            Adrian Greeve Adrian Greeve
            Janelle Barcega Janelle Barcega