MDL-44605 calendar: improved returnurl validation
authorDan Poltawski <dan@moodle.com>
Thu, 3 Jul 2014 13:30:36 +0000 (14:30 +0100)
committerEloy Lafuente (stronk7) <stronk7@moodle.org>
Tue, 8 Jul 2014 23:05:51 +0000 (01:05 +0200)
Now we will only redirect to a local url (though sesskey was
already preventing this redirect from being open)

calendar/lib.php
calendar/set.php

index ed35b6b..c3304fa 100644 (file)
@@ -1018,7 +1018,7 @@ function calendar_filter_controls(moodle_url $returnurl) {
 
     $groupevents = true;
     $id = optional_param( 'id',0,PARAM_INT );
-    $seturl = new moodle_url('/calendar/set.php', array('return' => base64_encode($returnurl->out(false)), 'sesskey'=>sesskey()));
+    $seturl = new moodle_url('/calendar/set.php', array('return' => base64_encode($returnurl->out_as_local_url(false)), 'sesskey'=>sesskey()));
     $content = html_writer::start_tag('ul');
 
     $seturl->param('var', 'showglobal');
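Review bot: The switch to `$returnurl->out_as_local_url(false)` on the `$seturl` line changes the failure mode for callers that pass a URL outside `$CFG->wwwroot`: as far as I recall, `out_as_local_url()` throws a `coding_exception` for a non-local URL rather than returning a sanitised value, so such a caller now gets an exception from `calendar_filter_controls()` instead of a silently non-functional link. That is a reasonable hardening, but it should be stated on the function's PHPDoc so callers know the contract, e.g. `@param moodle_url $returnurl Must be a URL under $CFG->wwwroot; a non-local URL raises a coding_exception.` The body of `calendar_filter_controls()` continues outside the hunk, so I cannot see whether any other use of `$returnurl` needs the same treatment.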
index 255027e..345f9e7 100644 (file)
@@ -44,14 +44,14 @@ require_once($CFG->dirroot.'/calendar/lib.php');
 require_sesskey();
 
 $var = required_param('var', PARAM_ALPHA);
-$return = clean_param(base64_decode(required_param('return', PARAM_RAW)), PARAM_URL);
+$return = clean_param(base64_decode(required_param('return', PARAM_RAW)), PARAM_LOCALURL);
 $courseid = optional_param('id', -1, PARAM_INT);
 if ($courseid != -1) {
     $return = new moodle_url($return, array('course' => $courseid));
 } else {
     $return = new moodle_url($return);
 }
-$url = new moodle_url('/calendar/set.php', array('return'=>base64_encode($return->out(false)), 'course' => $courseid, 'var'=>$var, 'sesskey'=>sesskey()));
+$url = new moodle_url('/calendar/set.php', array('return'=>base64_encode($return->out_as_local_url(false)), 'course' => $courseid, 'var'=>$var, 'sesskey'=>sesskey()));
 $PAGE->set_url($url);
 $PAGE->set_context(context_system::instance());
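Review bot: After `clean_param(..., PARAM_LOCALURL)` on the `$return` line, a rejected (non-local) value comes back as an empty string and the script carries on, constructing `new moodle_url('')` and then calling `->out_as_local_url(false)` on it a few lines later; if that method throws for an empty/non-local URL as I believe it does, the failure is an unexplained coding exception rather than an explicit parameter error. A direct check immediately after the clean makes the rejection visible and keeps the later code on the happy path only, e.g. `if ($return === '') { print_error('invalidparameter', 'debug'); }` (or a redirect to a fixed calendar page, if a soft fallback is preferred). The rest of the script, including where `$return` is finally used for the redirect, is outside the hunk.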