From 72bb6e1e6a458a5ffbc33098fc6dcceb4fbb66dc Mon Sep 17 00:00:00 2001
From: Dan Marsden
Date: Thu, 4 Jul 2013 12:50:58 +1200
Subject: [PATCH] add sesskey check for taking attendance and do some cleaning on raw form vars
---
locallib.php | 11 +++++++----
renderer.php | 2 +-
take.php | 3 +--
3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/locallib.php b/locallib.php
index 18b34be..c8a7070 100644
--- a/locallib.php
+++ b/locallib.php
@@ -826,7 +826,7 @@ class attendance {
public function take_from_form_data($formdata) {
global $DB, $USER;
-
+ // TODO: WARNING - $formdata is unclean - comes from direct $_POST - ideally needs a rewrite but we do some cleaning below.
$statuses = implode(',', array_keys( (array)$this->get_statuses() ));
$now = time();
$sesslog = array();
@@ -834,11 +834,14 @@ class attendance {
foreach ($formdata as $key => $value) {
if (substr($key, 0, 4) == 'user') {
$sid = substr($key, 4);
+ if (!(is_numeric($sid) && is_numeric($value))) { // Sanity check on $sid and $value.
+ print_error('nonnumericid', 'attendance');
+ }
$sesslog[$sid] = new stdClass();
- $sesslog[$sid]->studentid = $sid;
- $sesslog[$sid]->statusid = $value;
+ $sesslog[$sid]->studentid = $sid; // We check is_numeric on this above.
+ $sesslog[$sid]->statusid = $value; // We check is_numeric on this above.
$sesslog[$sid]->statusset = $statuses;
- $sesslog[$sid]->remarks = array_key_exists('remarks'.$sid, $formdata) ? $formdata['remarks'.$sid] : '';
+ $sesslog[$sid]->remarks = array_key_exists('remarks'.$sid, $formdata) ? clean_param($formdata['remarks'.$sid], PARAM_TEXT) : '';
$sesslog[$sid]->sessionid = $this->pageparams->sessionid;
$sesslog[$sid]->timetaken = $now;
$sesslog[$sid]->takenby = $USER->id;
diff --git a/renderer.php b/renderer.php
index 635ba55..da290ab 100644
--- a/renderer.php
+++ b/renderer.php
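Review bot: The new TODO line at the top of take_from_form_data records that `$formdata` is raw submitted data, but the method still has no docblock, so the shape it expects stays implicit to callers. I would move that warning into a PHPDoc above the signature that names the keys the loop below actually reads, e.g. `@param object|array $formdata raw submitted data; keys user<userid> carry a status id, keys remarks<userid> an optional remark, nothing else is trusted`. Whether the value is an object or an array is not visible in the hunk, and the method body continues past its last line.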
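Review bot: The added sanity check accepts any numeric string, so values such as `1.5`, `1e3` or ` 7` pass is_numeric and are stored unchanged in studentid and statusid, and nothing ties `$value` to the status set the method already loads into `$statuses` in the previous hunk. I would validate both as integers and check the status against the instance's own statuses: take `$validstatuses = (array)$this->get_statuses();` once before the `foreach`, then `if (!ctype_digit((string)$sid) || !is_numeric($value) || !array_key_exists((int)$value, $validstatuses)) {` in place of the new condition. This assumes the keys of get_statuses() are status ids, which the `$statuses` line suggests but the hunk does not prove. The two `// We check is_numeric on this above.` comments would then need to say "validated above" instead; the loop body continues outside the hunk.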
@@ -279,7 +279,7 @@ class mod_attendance_renderer extends plugin_renderer_base {
} else {
$table = $this->render_attendance_take_grid($takedata);
}
- $table .= html_writer::input_hidden_params($takedata->url());
+ $table .= html_writer::input_hidden_params($takedata->url(array('sesskey' => sesskey())));
$params = array(
'type' => 'submit',
'value' => get_string('save', 'attendance'));
diff --git a/take.php b/take.php
index b539170..d7c7ac0 100644
--- a/take.php
+++ b/take.php
@@ -50,8 +50,7 @@ if (!$att->perm->can_take_session($pageparams->grouptype)) {
$group = groups_get_group($pageparams->grouptype);
throw new moodle_exception('cannottakeforgroup', 'attendance', '', $group->name);
}
-
-if ($formdata = data_submitted()) {
+if (($formdata = data_submitted()) && confirm_sesskey()) {
$att->take_from_form_data($formdata);
}
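Review bot: Folding the session key into the `$takedata->url(...)` parameters hides the CSRF token among the page's ordinary URL params, so a reader has to know what url() does with extra params to see that the form is protected. Emitting it as a dedicated field keeps the intent explicit and independent of the URL helper: keep `$table .= html_writer::input_hidden_params($takedata->url());` and add `$table .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => 'sesskey', 'value' => sesskey()));`. The render method this sits in starts and ends outside the hunk.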
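Review bot: With `&& confirm_sesskey()` in the condition, a submission whose session key does not match is silently dropped and the page renders as though nothing was posted, so neither the user nor the site logs learn that a submission was rejected. Checking the key inside the branch with the throwing variant makes the rejection visible: `if ($formdata = data_submitted()) {` / `require_sesskey();` / `$att->take_from_form_data($formdata);`. Whether confirm_sesskey() throws on a missing key or only returns false on a mismatch is not visible here; if it throws in both cases the difference is wording only. The capability check that precedes this block opens before the hunk.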