From 3f04dbee09e38fcdfe8efcf7e1ea65f2ed3ec978 Mon Sep 17 00:00:00 2001
From: Brendan Heywood
Date: Thu, 24 Sep 2020 17:01:31 +1000
Subject: [PATCH] MDL-68292 core: Remove sesskey leakage on module pages
---
 admin/modules.php | 6 ++++--
 admin/plugins.php | 2 +-
 lib/classes/plugininfo/base.php | 1 -
 3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/admin/modules.php b/admin/modules.php
index 01f67a11666..e76a8e11a3c 100644
--- a/admin/modules.php
+++ b/admin/modules.php
@@ -49,6 +49,7 @@
 array($module->id));
 core_plugin_manager::reset_caches();
 admin_get_root(true, false); // settings not required - only pages
+ redirect(new moodle_url('/admin/modules.php'));
 }
 if (!empty($show) and confirm_sesskey()) {
@@ -66,6 +67,7 @@
 array($module->id));
 core_plugin_manager::reset_caches();
 admin_get_root(true, false); // settings not required - only pages
+ redirect(new moodle_url('/admin/modules.php'));
 }
 echo $OUTPUT->header();
@@ -121,8 +123,8 @@
 $count = -1;
 }
 if ($count>0) {
- $countlink = "wwwroot}/course/search.php?modulelist=$module->name" .
- "&sesskey=".sesskey()."\" title=\"$strshowmodulecourse\">$count";
+ $countlink = $OUTPUT->action_link(new moodle_url('/course/search.php', ['modulelist' => $module->name]),
+ $count, null, ['title' => $strshowmodulecourse]);
 } else if ($count < 0) {
 $countlink = get_string('error');
 } else {
diff --git a/admin/plugins.php b/admin/plugins.php
index c99ae525e30..e4867c1acb8 100644
--- a/admin/plugins.php
+++ b/admin/plugins.php
@@ -53,7 +53,6 @@ $pageurl = new moodle_url('/admin/plugins.php', $pageparams);
 $pluginman = core_plugin_manager::instance();
 if ($uninstall) {
- require_sesskey();
 if (!$confirmed) {
 admin_externalpage_setup('pluginsoverview', '', $pageparams);
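Review bot: The two `redirect()` calls added in admin/modules.php (hunk `@@ -49,6 +49,7 @@` and again in `@@ -66,6 +67,7 @@`) carry no comment saying why a redirect follows a successful hide/show, so a later cleanup could mistake them for redundant and drop them. A line above each such as `// Reload without hide/show and sesskey so the key does not linger in the address bar or Referer.` would record the intent. Both calls sit inside `confirm_sesskey()` branches whose opening lines are outside the hunks. The toggle links that trigger these branches presumably still pass the key as a URL parameter, in which case it will continue to reach web-server access logs; that is worth stating in the commit message so the fix is not read as complete removal.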
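Review bot: Dropping `sesskey` from the course-search link in hunk `@@ -121,8 +123,8 @@` of admin/modules.php is only safe if `/course/search.php` does not check the key when `modulelist` is passed. That file is not part of this patch, so this should be confirmed before merge, otherwise the count link would fail its sesskey check. As a style point, `$OUTPUT->action_link()` with a `null` action produces a plain anchor, and `html_writer::link($url, $count, ['title' => $strshowmodulecourse])` states that more directly. The enclosing loop starts and ends outside the hunk.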
@@ -92,6 +91,7 @@ if ($uninstall) {
 exit();
 } else {
+ require_sesskey();
 $SESSION->pluginuninstallreturn = $pluginfo->get_return_url_after_uninstall($return);
 $progress = new progress_trace_buffer(new text_progress_trace(), false);
 $pluginman->uninstall_plugin($pluginfo->component, $progress);
diff --git a/lib/classes/plugininfo/base.php b/lib/classes/plugininfo/base.php
index 75d980f35ef..486baee309f 100644
--- a/lib/classes/plugininfo/base.php
+++ b/lib/classes/plugininfo/base.php
@@ -621,7 +621,6 @@ abstract class base {
 */
 public final function get_default_uninstall_url($return = 'overview') {
 return new moodle_url('/admin/plugins.php', array(
- 'sesskey' => sesskey(),
 'uninstall' => $this->component,
 'confirm' => 0,
 'return' => $return,
-- 
2.43.0
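Review bot: With `require_sesskey()` now only in the final `else` of `if ($uninstall)` (admin/plugins.php, hunk `@@ -92,6 +91,7 @@`), every earlier branch runs without a CSRF check, so the move is only safe while those branches stay display-only. Their bodies are outside the hunk (only the closing `exit(); } else {` is visible), so this cannot be confirmed from the patch. A comment on the new line such as `// State-changing step: the confirmation page above is read-only and needs no sesskey.` would make the invariant explicit for whoever adds a branch later. Because `get_default_uninstall_url()` no longer supplies the key, the confirmation page's continue link must add it itself; that link is not among the visible lines and should be checked.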