  1. Moodle
  2. MDL-77320

License manager leaks sesskey when creating new license


Details

    • MOODLE_400_STABLE, MOODLE_401_STABLE, MOODLE_402_STABLE
    • MOODLE_400_STABLE, MOODLE_401_STABLE, MOODLE_402_STABLE
    • MDL-77320-401
    • MDL-77320-402
    • Testing instructions:
      1. Log in as admin
      2. Navigate to License > License manager in site administration
      3. Confirm sesskey is not present in URL
      4. Press Create license
      5. Confirm sesskey is not present in URL
      6. Fill in form and save
      7. Press Edit button for your new license
      8. Confirm sesskey is not present in URL
      9. Edit form and save
      10. Press Move up/down icon for your new license
      11. Confirm licence ordering is updated as appropriate
      12. Press Disable icon for your new license
      13. Confirm license is disabled
      14. Press Enable icon for your new license
      15. Confirm license is enabled
      16. Press Delete icon for your new license
      17. Confirm you do want to delete the license in dialog
      18. Confirm license is deleted
      19. Copy the Disable link for an existing license, it'll look like:

        <WWWROOT>/admin/tool/licensemanager/index.php?action=disable&license=cc-nd&sesskey=NHCGiDsbFq
        

      20. Remove the &sesskey= portion of the URL and navigate to the new URL
      21. Confirm you see an error about required sesskey
      22. Go back to list of licenses
      23. Disable a license
      24. Copy the Enable link for the disabled license, it'll look like:

        <WWWROOT>/admin/tool/licensemanager/index.php?action=enable&license=cc-nc&sesskey=NHCGiDsbFq
        

      25. Remove the &sesskey= portion of the URL and navigate to the new URL
      26. Confirm you see an error about required sesskey
      27. Go back to list of licenses
      28. Copy the Move up link for an existing license, it'll look like:

        <WWWROOT>/admin/tool/licensemanager/index.php?action=moveup&license=cc-nc&sesskey=NHCGiDsbFq
        

      29. Remove the &sesskey= portion of the URL and navigate to the new URL
      30. Confirm you see an error about required sesskey
      31. Go back to list of licenses
      32. Copy the Move down link for an existing license, it'll look like:

        <WWWROOT>/admin/tool/licensemanager/index.php?action=movedown&license=cc-nc&sesskey=NHCGiDsbFq
        

      33. Remove the &sesskey= portion of the URL and navigate to the new URL
      34. Confirm you see an error about required sesskey

    Description

      Discovered while integrating MDL-77269

      Pressing "Create license" leads to the following URL:

      http://integration.internal/master/admin/tool/licensemanager/index.php?action=create&sesskey=oFQT7f1XzY
      

      The &sesskey= parameter just to display the form is redundant
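
An added example, not Moodle's code: a Python check that automates what the description and test steps above verify on license manager links. It flags a sesskey on requests that change nothing (where it would only end up in browser history, logs and Referer headers) and state-changing links that lack one. The host, token value and function names are constructed; the path and action names come from the issue.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

LICENSE_MANAGER_PATH = "/admin/tool/licensemanager/index.php"
# Actions from the issue's test steps that change state and must carry sesskey.
STATE_CHANGING = {"disable", "enable", "moveup", "movedown"}

# Constructed sample links: the host and token value are made up.
BASE = "https://moodle.example" + LICENSE_MANAGER_PATH
SAMPLE_URLS = [
    BASE,
    BASE + "?action=create&sesskey=EXAMPLEKEY",
    BASE + "?action=disable&license=cc-nd&sesskey=EXAMPLEKEY",
    BASE + "?action=moveup&license=cc-nc",
    "https://moodle.example/admin/index.php?sesskey=EXAMPLEKEY",
]


def redact(url):
    """Return the URL with any sesskey value masked, safe to put in a report."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k == "sesskey" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query=urlencode(pairs)).geturl()


def audit_url(url):
    """Classify one URL: 'leak', 'missing', 'ok', or None if out of scope."""
    parts = urlsplit(url)
    if not parts.path.endswith(LICENSE_MANAGER_PATH):
        return None
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    action = query.get("action", "")
    has_sesskey = bool(query.get("sesskey"))
    if action in STATE_CHANGING:
        # The link must carry the token; without it the server should refuse.
        return "ok" if has_sesskey else "missing"
    # Listing and form-display requests change nothing; a token here is exposure.
    return "leak" if has_sesskey else "ok"


def audit(urls):
    """Return (redacted_url, verdict) for each in-scope URL that is not 'ok'."""
    checked = ((redact(u), audit_url(u)) for u in urls)
    return [(u, v) for u, v in checked if v in ("leak", "missing")]


if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_URLS):
        print(f"{verdict:8} {url}")
```
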


            People

              pholden Paul Holden
              pholden Paul Holden
              Stevani Andolo Stevani Andolo
              Ilya Tregubov Ilya Tregubov
              Kim Jared Lucas Kim Jared Lucas