From f1f5f525c022751914cb53ab9f2dce427c52b93a Mon Sep 17 00:00:00 2001
From: Damyon Wiese <damyon@moodle.com>
Date: Tue, 28 Oct 2014 17:24:35 +0800
Subject: [PATCH] MDL-47926 LTI: Fix missing sesskey checks and add content
 type headers to redirect

---
 mod/lti/locallib.php           |  2 +-
 mod/lti/registration.php       |  1 +
 mod/lti/registrationreturn.php | 11 +++++++++--
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/mod/lti/locallib.php b/mod/lti/locallib.php
index 08d3ca0..a03d5a4 100644
--- a/mod/lti/locallib.php
+++ b/mod/lti/locallib.php
@@ -275,7 +275,7 @@ function lti_register($toolproxy) {
     $requestparams['tc_profile_url'] = $profileservice->parse_value('$ToolConsumerProfile.url');
 
     // Add the return URL.
-    $returnurlparams = array('id' => $toolproxy->id);
+    $returnurlparams = array('id' => $toolproxy->id, 'sesskey'=>sesskey());
     $url = new \moodle_url('/mod/lti/registrationreturn.php', $returnurlparams);
     $returnurl = $url->out(false);
 
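Review bot: The sesskey is now embedded in the return URL (lines 23-24), and that URL is part of the request parameters the registration sends to the external tool provider (the same array receives `tc_profile_url` on line 18), so the admin's CSRF token is disclosed to a third party and will appear in the provider's logs and in the Referer header when the browser is sent back. If the return must be verifiable, a single-use registration nonce stored against the tool proxy would avoid handing out the session-wide token; at minimum this trade-off deserves a comment at the assignment. Separately, the new element breaks the spacing used by the one beside it; `$returnurlparams = array('id' => $toolproxy->id, 'sesskey' => sesskey());` keeps both consistent. lti_register starts outside the hunk, so where the request is actually sent is not visible here.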
diff --git a/mod/lti/registration.php b/mod/lti/registration.php
index d1b5c7a..902dafc 100644
--- a/mod/lti/registration.php
+++ b/mod/lti/registration.php
@@ -32,6 +32,7 @@ $id = required_param('id', PARAM_INT); // Tool Proxy ID.
 $toolproxy = $DB->get_record('lti_tool_proxies', array('id' => $id), '*', MUST_EXIST);
 
 require_login(0, false);
+require_sesskey();
 
 $systemcontext = context_system::instance();
 require_capability('moodle/site:config', $systemcontext);
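Review bot: The `$DB->get_record('lti_tool_proxies', ..., MUST_EXIST)` on the first context line still runs before `require_login()` and the newly added `require_sesskey()`, so an unauthenticated request performs the lookup and the MUST_EXIST failure tells the caller whether an id exists before any check has passed. Moving the fetch below `require_capability('moodle/site:config', $systemcontext);` makes the login, sesskey and capability checks the first thing the script does with the id. The top of the script is outside the hunk, so other uses of `$toolproxy` before this point cannot be ruled out.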
diff --git a/mod/lti/registrationreturn.php b/mod/lti/registrationreturn.php
index 3209a1c..184949b 100644
--- a/mod/lti/registrationreturn.php
+++ b/mod/lti/registrationreturn.php
@@ -27,11 +27,12 @@ require_once('../../config.php');
 require_once($CFG->dirroot.'/mod/lti/locallib.php');
 
 $top = optional_param('top', 0, PARAM_INT);
-$msg = optional_param('lti_msg', '', PARAM_RAW);
-$err = optional_param('lti_errormsg', '', PARAM_RAW);
+$msg = optional_param('lti_msg', '', PARAM_TEXT);
+$err = optional_param('lti_errormsg', '', PARAM_TEXT);
 $id = optional_param('id', 0, PARAM_INT);
 
 // No guest autologin.
+require_sesskey();
 require_login(0, false);
 
 $systemcontext = context_system::instance();
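Review bot: `require_sesskey()` is placed ahead of `require_login(0, false)` here, the reverse of the order this same commit uses in registration.php; without a session the sesskey comparison fails with an exception where the login call would have redirected. It also leaves the existing `// No guest autologin.` comment sitting above the sesskey check rather than the `require_login()` it describes; swapping the two lines so the new call follows `require_login(0, false);` fixes both. The switch from PARAM_RAW to PARAM_TEXT for `lti_msg` and `lti_errormsg` is welcome, since these values presumably arrive from the external provider on the return redirect; how they are rendered is outside the hunk, so confirm they are still escaped at output.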
@@ -40,6 +41,7 @@ require_capability('moodle/site:config', $systemcontext);
 if (empty($top)) {
 
     $params = array();
+    $params['sesskey'] = sesskey();
     $params['top'] = '1';
     if (!empty($msg)) {
         $params['lti_msg'] = $msg;
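Review bot: The `$params` array is built the same way in this branch and in the `else if` branch changed by the @@ -70,11 +73,15 @@ hunk, and the new `$params['sesskey'] = sesskey();` line is now duplicated in both. Hoisting `$params = array('sesskey' => sesskey(), 'top' => '1');` above the `if (empty($top))` and letting each branch add only its message key keeps the two redirects in step the next time a parameter is added. The rest of the branch, including how `$redirect` is built from `$params`, is outside this hunk.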
@@ -57,6 +59,7 @@ if (empty($top)) {
     $html = <<< EOD
 <html>
 <head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 <script type="text/javascript">
 //<![CDATA[
 top.location.href = '{$redirect}';
@@ -70,11 +73,15 @@ top.location.href = '{$redirect}';
 </body>
 </html>
 EOD;
+
+    // We always send the headers because they set the encoding.
+    send_headers('text/html; charset=utf-8', false);
     echo $html;
 
 } else if (!empty($msg) && !empty($err)) {
 
     $params = array();
+    $params['sesskey'] = sesskey();
     $params['top'] = '1';
     if (!empty($err)) {
         $params['lti_errormsg'] = $err;
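Review bot: The comment `// We always send the headers because they set the encoding.` does not say what "always" is in contrast to, and the bare `false` passed to `send_headers()` is not self-explaining at the call site. Something like `// Emit an explicit Content-Type so the browser decodes this hand-built page as UTF-8, since it is not rendered through the normal page output.` states the reason, and a short note on what the second argument disables would help the next reader. The `$html` heredoc and the `$redirect` it interpolates begin outside this hunk.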
-- 
1.8.3.2

