  1. Moodle
  2. MDL-81596

mod/lti/return.php takes instanceid but doesn't check if it belongs to the courseid passed


    • MOODLE_401_STABLE, MOODLE_402_STABLE

      require_login($course) is called, but the instanceid passed isn't checked to see if it's actually part of the course being passed.
      here:
      https://github.com/moodle/moodle/blob/master/mod/lti/return.php#L44

      I'm pretty sure $lti->course should actually be $course->id

      jaked - am I missing something there?

      I don't think there's a security issue there in the current code, but it's a security check that is missing... I've added "could be a sec issue", but I suspect we can remove that flag after someone else (Jake?) verifies that.

            Assignee: Unassigned
            Reporter: Dan Marsden (danmarsden)
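
The check this issue describes as missing, sketched as an added example (it is not Moodle's code and not from the reporter). The in-memory arrays and the function names are hypothetical stand-ins for the course and lti tables and for the lookup in return.php; the data is constructed.

```php
<?php
// Constructed sample data: two courses, each with one LTI instance.
$courses = [10 => ['id' => 10], 20 => ['id' => 20]];
$ltiinstances = [
    5 => ['id' => 5, 'course' => 10],
    6 => ['id' => 6, 'course' => 20],
];

// Hypothetical lookup that trusts the instance's own course value.
// The course the caller logged in against never enters the comparison,
// so any existing instance id is accepted.
function resolve_instance_unchecked(array $instances, int $instanceid): array {
    if (!isset($instances[$instanceid])) {
        throw new InvalidArgumentException('Unknown instance id');
    }
    return $instances[$instanceid];
}

// Hypothetical lookup that ties the instance to the course from the request,
// i.e. the same course that was handed to the login check.
function resolve_instance_for_course(array $instances, array $course, int $instanceid): array {
    $instance = resolve_instance_unchecked($instances, $instanceid);
    if ((int) $instance['course'] !== (int) $course['id']) {
        throw new DomainException('Instance does not belong to the requested course');
    }
    return $instance;
}

// Request pairs (courseid, instanceid): one matching, one mismatched.
foreach ([[10, 5], [10, 6]] as [$courseid, $instanceid]) {
    $course = $courses[$courseid];

    $loose = resolve_instance_unchecked($ltiinstances, $instanceid);
    echo "unchecked: course=$courseid instance=$instanceid -> accepted "
        . "(instance is in course {$loose['course']})\n";

    try {
        resolve_instance_for_course($ltiinstances, $course, $instanceid);
        echo "checked:   course=$courseid instance=$instanceid -> accepted\n";
    } catch (DomainException $e) {
        echo "checked:   course=$courseid instance=$instanceid -> rejected: "
            . $e->getMessage() . "\n";
    }
}
```

The mismatched pair (course 10, instance 6) passes the unchecked lookup and is rejected by the checked one, which is the effect of comparing against `$course->id` rather than `$lti->course`.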