Bug
Resolution: Fixed
Minor
3.11.4
MOODLE_311_STABLE
MOODLE_311_STABLE
MDL-73427-master
- Check that $SESSION->fromurl is not modified anywhere in the Moodle codebase
Error logs:
PHP message: Script /lib/ajax/getnavbranch.php?id=xxx&type=xx defined READ_ONLY_SESSION but the following SESSION attributes were changed: $SESSION->fromurl"
Likely root cause is either this:
This exception handling stores stuff in the session:
https://github.com/moodle/moodle/blob/master/lib/setuplib.php#L590-L596
Or this one:
https://github.com/moodle/moodle/blob/master/lib/moodlelib.php#L2728-L2731
There is a grand total of 4 touch points in core around this and honestly I can't see much point to any of it. In all cases the value in $SESSION->fromurl will be the same as get_local_referer from the referrer header, so I don't see any value in storing it in the session, and it's just more session churn, which will mean it is forced to be rewritten each time for no reason (see MDL-69707). In any case, relying on the referrer header for anything important is bad, e.g. under some CSP setups there is never a referrer header sent.
lib/setuplib.php-589-
lib/setuplib.php-590- if (empty($link)) {
lib/setuplib.php:591: if (!empty($SESSION->fromurl)) {
lib/setuplib.php:592: $link = $SESSION->fromurl;
lib/setuplib.php:593: unset($SESSION->fromurl);
lib/setuplib.php-594- } else {
lib/setuplib.php-595- $link = $CFG->wwwroot .'/';
--
lib/moodlelib.php-2728- $referer = get_local_referer(false);
lib/moodlelib.php-2729- if (!empty($referer)) {
lib/moodlelib.php:2730: $SESSION->fromurl = $referer;
lib/moodlelib.php-2731- }
lib/moodlelib.php-2732-
--
mod/forum/post.php-161- }
mod/forum/post.php-162-
mod/forum/post.php:163: $SESSION->fromurl = get_local_referer(false);
mod/forum/post.php-164-
mod/forum/post.php-165- // Load up the $post variable.
--
mod/forum/post.php-787-} else if ($mformpost->is_submitted() && !$mformpost->no_submit_button_pressed() && $fromform = $mformpost->get_data()) {
mod/forum/post.php-788-
mod/forum/post.php:789: if (empty($SESSION->fromurl)) {
mod/forum/post.php-790- $errordestination = $urlfactory->get_forum_view_url_from_forum($forumentity);
mod/forum/post.php-791- } else {
mod/forum/post.php:792: $errordestination = $SESSION->fromurl;
mod/forum/post.php-793- }
mod/forum/post.php-794-
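Added example, not part of the tracker issue and not Moodle's code: a simplified PHP model of the situation in the report, comparing the "copy the referer into the session" pattern with reading the header only when a return link is needed. The functions local_referer() and changed_session_attributes(), the WWWROOT constant and the sample requests are hypothetical stand-ins constructed for illustration.

```php
<?php
const WWWROOT = 'https://moodle.example.test';   // constructed site root (assumption)

/** Hypothetical stand-in for get_local_referer(): return the Referer only if it is on this site. */
function local_referer(array $server): string {
    $ref = $server['HTTP_REFERER'] ?? '';
    return ($ref === WWWROOT || strpos($ref, WWWROOT . '/') === 0) ? $ref : '';
}

/** Run $script against $session and list the attributes it added, changed or removed. */
function changed_session_attributes(stdClass $session, callable $script): array {
    $before = get_object_vars($session);          // snapshot taken before the script runs
    $script($session);
    $after = get_object_vars($session);
    $changed = [];
    foreach (array_keys($before + $after) as $key) {
        $had = array_key_exists($key, $before);
        $has = array_key_exists($key, $after);
        if ($had !== $has || ($had && $before[$key] !== $after[$key])) {
            $changed[] = '$SESSION->' . $key;
        }
    }
    return $changed;
}

// Constructed requests: one with a same-site Referer, one where no Referer is sent at all.
$requests = [
    'with referer' => ['HTTP_REFERER' => WWWROOT . '/course/view.php?id=2'],
    'no referer'   => [],
];

foreach ($requests as $name => $server) {
    // Pattern quoted from lib/moodlelib.php in the issue: store the referer in the session.
    $storing = function (stdClass $session) use ($server): void {
        $referer = local_referer($server);
        if (!empty($referer)) {
            $session->fromurl = $referer;
        }
    };
    // Alternative the report argues for: derive the link on demand, fall back to the site root.
    $ondemand = function (stdClass $session) use ($server): void {
        $link = local_referer($server) ?: WWWROOT . '/';
    };
    foreach (['store in session' => $storing, 'read on demand' => $ondemand] as $label => $script) {
        $changed = changed_session_attributes(new stdClass(), $script);
        echo "$name / $label: ", $changed ? implode(', ', $changed) . ' changed' : 'session untouched', PHP_EOL;
    }
}
```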