MDL-66377 user: Only allow active users to retrieve files via tokenpluginfile.php

author Juan Leyva <juanleyvadelgado@gmail.com>

Fri, 16 Aug 2019 13:01:38 +0000 (14:01 +0100)

committer Jenkins <jenkins@worker07.test.in.moodle.com>

Tue, 5 Nov 2019 12:44:37 +0000 (13:44 +0100)
author Juan Leyva <juanleyvadelgado@gmail.com>
Fri, 16 Aug 2019 13:01:38 +0000 (14:01 +0100)
committer Jenkins <jenkins@worker07.test.in.moodle.com>
Tue, 5 Nov 2019 12:44:37 +0000 (13:44 +0100)
diff --git a/lib/moodlelib.php b/lib/moodlelib.php

index b8489f5..d10f31d 100644 (file)
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -3258,6 +3258,8 @@ function require_user_key_login($script, $instance = null, $keyvalue = null) {
          print_error('invaliduserid');
      }
  
+    core_user::require_active_user($user, true, true);
+
      // Emulate normal session.
      enrol_check_plugins($user);
      \core\session\manager::set_user($user);
diff --git a/tokenpluginfile.php b/tokenpluginfile.php

index 156d412..22449ad 100644 (file)
--- a/tokenpluginfile.php
+++ b/tokenpluginfile.php
@@ -37,6 +37,7 @@ if (0 == strpos($relativepath, '/token/')) {
      $relativepath = ltrim($relativepath, '/');
      $pathparts = explode('/', $relativepath, 2);
      $token = $pathparts[0];
+    $token = clean_param($token, PARAM_ALPHANUM);
      $relativepath = "/{$pathparts[1]}";
  }
author	Juan Leyva <juanleyvadelgado@gmail.com>
	Fri, 16 Aug 2019 13:01:38 +0000 (14:01 +0100)
committer	Jenkins <jenkins@worker07.test.in.moodle.com>
	Tue, 5 Nov 2019 12:44:37 +0000 (13:44 +0100)
lib/moodlelib.php		patch \| blob \| blame \| history
tokenpluginfile.php		patch \| blob \| blame \| history