Mercurial Mercurial > openeclass / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Validate auth parameter to formuser.php 3.12
authorAlexandros Diamantidis <adia@noc.uoa.gr>
Mon, 22 Nov 2021 10:45:28 +0200
branch3.12
changeset 24996 e0ed11f5768d
parent 24995 0be91a3a709b
child 24997 f056cc9e3a96
Validate auth parameter to formuser.php
modules/auth/altnewuser.php file | annotate | diff | comparison | revisions
modules/auth/formuser.php file | annotate | diff | comparison | revisions 
--- a/modules/auth/altnewuser.php	Fri Nov 19 13:10:17 2021 +0200
+++ b/modules/auth/altnewuser.php	Mon Nov 22 10:45:28 2021 +0200
@@ -43,10 +43,10 @@
 if (isset($_REQUEST['auth'])) {
     $auth = intval($_REQUEST['auth']);
     $_SESSION['u_tmp'] = $auth;
-}
-if (!isset($_REQUEST['auth'])) {
+} elseif (isset($_SESSION['u_tmp'])) {
+    $auth = $_SESSION['u_tmp'];
+} else {
     $auth = 0;
-    $auth = $_SESSION['u_tmp'];
 }
 
 unset($_SESSION['was_validated']);
--- a/modules/auth/formuser.php	Fri Nov 19 13:10:17 2021 +0200
+++ b/modules/auth/formuser.php	Mon Nov 22 10:45:28 2021 +0200
@@ -127,11 +127,11 @@
 $user_data = $auth_id = $provider_name = $provider_id = null;
 
 // check if it's valid and the provider enabled in the db
-if (isset($_GET['auth']) and is_numeric($_GET['auth'])) {
-    $auth_id = $_GET['auth'];
-    $result = Database::get()->querySingle("SELECT auth_name, auth_default FROM auth WHERE auth_id = ?d", $auth_id);
-    if ($result and $result->auth_default and in_array($result->auth_name, $hybridAuthMethods)) {
+if (isset($_GET['auth'])) {
+    $result = Database::get()->querySingle("SELECT auth_id, auth_name, auth_default FROM auth WHERE auth_id = ?d", $_GET['auth']);
+    if ($result and $result->auth_default and in_array($result->auth_name, array_merge($extAuthMethods, $hybridAuthMethods))) {
         $provider_name = $result->auth_name;
+        $auth_id = $result->auth_id;
     }
 }
 
@@ -349,8 +349,8 @@
 
     $tool_content .= "<div class='alert alert-info'>$langUserData</div>";
     $tool_content .= "<div class='form-wrapper'>
-        <form class='form-horizontal' role='form' action='$_SERVER[SCRIPT_NAME]?auth=". @$_GET['auth'] ."' method='post'>
-        <input type='hidden' name='p' value='$prof'>        
+        <form class='form-horizontal' role='form' action='$_SERVER[SCRIPT_NAME]?auth=$auth_id' method='post'>
+        <input type='hidden' name='p' value='$prof'>
         <div class='form-group'>
             <label for='Name' class='col-sm-2 control-label'>$langName:</label>
             <div class='col-sm-10'>";
@@ -378,7 +378,7 @@
         }
 
         $tool_content .= "</div>
-        </div>        
+        </div>
         <div class='form-group'>
             <label for='UserName' class='col-sm-2 control-label'>$langUsername:</label>
             <div class='col-sm-10'>";
@@ -470,7 +470,7 @@
     $tool_content .= render_profile_fields_form(array('origin' => 'teacher_register'));
     $tool_content .= "<div class='form-group'><div class='col-sm-offset-2 col-sm-10'>
                     <input class='btn btn-primary' type='submit' name='submit' value='" . q($langSubmitNew) . "' />
-                    </div></div>       
+                    </div></div>
       </form>
       </div>";
 }
openeclass