MDL-66377 user: Only allow active users to retrieve files via tokenpluginfile.php
authorJuan Leyva <juanleyvadelgado@gmail.com>
Fri, 16 Aug 2019 13:01:38 +0000 (14:01 +0100)
committerJenkins <jenkins@worker07.test.in.moodle.com>
Tue, 5 Nov 2019 12:44:37 +0000 (13:44 +0100)
lib/moodlelib.php
tokenpluginfile.php

index b8489f5..d10f31d 100644 (file)
@@ -3258,6 +3258,8 @@ function require_user_key_login($script, $instance = null, $keyvalue = null) {
         print_error('invaliduserid');
     }
 
+    core_user::require_active_user($user, true, true);
+
     // Emulate normal session.
     enrol_check_plugins($user);
     \core\session\manager::set_user($user);
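Review bot: The two positional `true` arguments on the added `core_user::require_active_user($user, true, true);` call give no hint which checks are being switched on, so a reader of this access-control line has to open the helper to learn what is actually enforced. A one-line comment above it would make the intent self-evident, e.g. `// Refuse the key login for suspended/deleted users and for users whose auth plugin is disabled, as a normal login would.` (the precise meaning of each flag should be confirmed against require_active_user's signature). Placing the check before the session is emulated is the right ordering, since up to now the key lookup alone granted a session to any existing user record. require_user_key_login's body begins and ends outside the hunk.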
index 156d412..22449ad 100644 (file)
@@ -37,6 +37,7 @@ if (0 == strpos($relativepath, '/token/')) {
     $relativepath = ltrim($relativepath, '/');
     $pathparts = explode('/', $relativepath, 2);
     $token = $pathparts[0];
+    $token = clean_param($token, PARAM_ALPHANUM);
     $relativepath = "/{$pathparts[1]}";
 }
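Review bot: `clean_param($token, PARAM_ALPHANUM)` silently strips non-alphanumeric characters rather than rejecting the request, so a malformed token is rewritten into a different-looking token before any lookup happens, which hides bad input instead of failing on it. If tokens are expected to be purely alphanumeric, a strict check reads more clearly and fails loudly: `$token = validate_param($token, PARAM_ALPHANUM);`, or compare the cleaned value with the original and error on any difference. On the same path but not touched by the change, `$pathparts[1]` is read unconditionally although explode() with a limit of 2 returns a single element when the remainder of the path contains no further slash, so a request like `/token/<value>` with nothing after it would raise an undefined-offset notice; a guard on `count($pathparts)` or an `?? ''` default would cover that. The enclosing if block starts before the hunk.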