From 2a42e0078aeb3918d94ccb099a9b084e3c27c10a Mon Sep 17 00:00:00 2001
From: Dan Poltawski
Date: Thu, 3 Jul 2014 14:30:36 +0100
Subject: [PATCH 1/1] MDL-44605 calendar: improved returnurl validation

Now we will only redirect to a local url (though sesskey was already preventing this redirect from being open)
---
 calendar/lib.php | 2 +-
 calendar/set.php | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/calendar/lib.php b/calendar/lib.php
index ed35b6b..c3304fa 100644
--- a/calendar/lib.php
+++ b/calendar/lib.php
@@ -1018,7 +1018,7 @@ function calendar_filter_controls(moodle_url $returnurl) {
 $groupevents = true;
 $id = optional_param( 'id',0,PARAM_INT );
- $seturl = new moodle_url('/calendar/set.php', array('return' => base64_encode($returnurl->out(false)), 'sesskey'=>sesskey()));
+ $seturl = new moodle_url('/calendar/set.php', array('return' => base64_encode($returnurl->out_as_local_url(false)), 'sesskey'=>sesskey()));
 $content = html_writer::start_tag('ul');
 $seturl->param('var', 'showglobal');
diff --git a/calendar/set.php b/calendar/set.php
index 255027e..345f9e7 100644
--- a/calendar/set.php
+++ b/calendar/set.php
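Review bot: calendar_filter_controls() now depends on $returnurl being a local URL, but nothing in its signature or docblock says so: as far as I recall, out_as_local_url() throws a coding_exception for a URL outside $CFG->wwwroot, so a caller passing an external moodle_url now gets an exception where it previously got a silently built link. Add the precondition to the docblock, e.g. `@param moodle_url $returnurl Must be a local URL (within $CFG->wwwroot); it is embedded in the set.php return link.` so callers know the contract changed. The function starts before the hunk and its body continues past it, so the docblock itself is outside this view.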
@@ -44,14 +44,14 @@ require_once($CFG->dirroot.'/calendar/lib.php');
 require_sesskey();
 $var = required_param('var', PARAM_ALPHA);
-$return = clean_param(base64_decode(required_param('return', PARAM_RAW)), PARAM_URL);
+$return = clean_param(base64_decode(required_param('return', PARAM_RAW)), PARAM_LOCALURL);
 $courseid = optional_param('id', -1, PARAM_INT);
 if ($courseid != -1) {
 $return = new moodle_url($return, array('course' => $courseid));
 } else {
 $return = new moodle_url($return);
 }
-$url = new moodle_url('/calendar/set.php', array('return'=>base64_encode($return->out(false)), 'course' => $courseid, 'var'=>$var, 'sesskey'=>sesskey()));
+$url = new moodle_url('/calendar/set.php', array('return'=>base64_encode($return->out_as_local_url(false)), 'course' => $courseid, 'var'=>$var, 'sesskey'=>sesskey()));
 $PAGE->set_url($url);
 $PAGE->set_context(context_system::instance());
-- 
1.9.2
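Review bot: A return value that fails the new PARAM_LOCALURL check is neutralised rather than rejected: as far as I recall clean_param() returns an empty string for a non-local URL (and a malformed base64 payload ends up as '' the same way), and the following lines wrap that empty string in new moodle_url() without looking at it, so the redirect that presumably consumes $return later in the script works on a blank URL. Make the outcome explicit right after the clean_param() line, e.g. `if ($return === '') { $return = '/calendar/view.php'; }` so the fallback is a known local page instead of whatever moodle_url makes of ''. Passing `true` as the second argument to base64_decode() would make an invalid payload return false and land in the same branch instead of being partially decoded. The script's later use of $return is outside the hunk.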