openequella/moodle-mod_openEQUELLA

CSRF and sanitise vars in callbackmulti.php

danmarsden opened this issue · 5 comments

Can sesskey checks be added to callbackmulti.php? It looks like it's called from within Moodle, so it should be possible?

Also, it would be good to do some clean_param calls on the content that comes from json_decode before passing it directly into the database.

Hi Dan,

We can't add sesskey to callbackmulti.php. It's a callback PHP file that EQUELLA uses to redirect the user to after saving the selected resource in their course.

Cheers,
Nelson

But it happens within the user session, right? So you could add sesskey to the URL you pass to EQUELLA, which is then passed back to Moodle?

If not, all good, but it really needs some clean_param calls on that content before passing it to the DB...

clean_param has been added and is checked in.

Regarding the session key, it's possible to pass sesskey to EQUELLA and hand it back on callback. The session key could expire if the user stays in EQUELLA long enough (e.g. goes out for lunch in the middle of a content contribution). I'd suggest keeping that as it is.
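A sketch of both hardening steps discussed in this thread, the sesskey round-tripped through EQUELLA and verified on return, and clean_param() applied to every field of the decoded JSON before the database insert. This is an added example, not the plugin's own callbackmulti.php. The request parameter name `links`, the JSON field names, the table name `equella` and the capability checked are assumptions for illustration; sesskey(), require_sesskey(), required_param(), clean_param(), require_login() and $DB->insert_record() are core Moodle API functions. On the expiry point raised above: if the session has ended while the user was in EQUELLA, require_login() sends them to the login page before the sesskey check is reached, and the old sesskey in the return URL then no longer matches the new session, so the user has to repeat the selection. That is the usability cost of the check, not a security hole.

```php
<?php
// Added example, not the plugin's own code. Shows (1) sesskey carried out to
// EQUELLA in the return URL and checked when the callback comes back, and
// (2) clean_param() on each decoded JSON field before it reaches the DB.
// The 'links' parameter, JSON shape, table and field names are assumptions.

require_once(__DIR__ . '/../../config.php');

// Outbound side (assumed to live wherever the plugin builds the EQUELLA
// selection URL): include sesskey() so EQUELLA hands it back unchanged.
function openequella_build_return_url(int $courseid): moodle_url {
    return new moodle_url('/mod/equella/callbackmulti.php', [
        'course'  => $courseid,
        'sesskey' => sesskey(),
    ]);
}

// Callback side: what callbackmulti.php would run when EQUELLA redirects back.
$courseid = required_param('course', PARAM_INT);
$course   = $DB->get_record('course', ['id' => $courseid], '*', MUST_EXIST);

// The callback is reached by a browser redirect from EQUELLA, so the Moodle
// session cookie is present and the normal login/capability checks apply.
require_login($course);
$context = context_course::instance($course->id);
require_capability('moodle/course:manageactivities', $context);   // assumed capability

// CSRF check: the sesskey that went out to EQUELLA must match this session.
// A mismatch means the request did not originate from this user's session.
require_sesskey();

// Decode the JSON and fail closed on anything that is not a list of objects.
// The pattern this issue objects to is inserting json_decode() output as-is.
$raw   = required_param('links', PARAM_RAW);   // assumed parameter name
$links = json_decode($raw, true);
if (!is_array($links)) {
    throw new invalid_parameter_exception('links must be a JSON array');
}

$now = time();
foreach ($links as $link) {
    if (!is_array($link)) {
        throw new invalid_parameter_exception('each link must be a JSON object');
    }
    // Whitelist the fields and type-clean each one. Unknown keys are dropped;
    // PARAM_URL returns '' for anything that is not a syntactically valid URL
    // (javascript: and the like), PARAM_TEXT strips tags, PARAM_CLEANHTML
    // runs the HTML purifier.
    $record = (object) [
        'course'       => $course->id,
        'name'         => clean_param($link['name'] ?? '', PARAM_TEXT),
        'url'          => clean_param($link['url'] ?? '', PARAM_URL),
        'intro'        => clean_param($link['description'] ?? '', PARAM_CLEANHTML),
        'introformat'  => FORMAT_HTML,
        'timemodified' => $now,
    ];
    if ($record->url === '' || $record->name === '') {
        // clean_param() returned an empty string: the value failed validation,
        // so skip the item rather than store a blank or mangled record.
        continue;
    }
    $DB->insert_record('equella', $record);   // assumed table and field names
}

redirect(new moodle_url('/course/view.php', ['id' => $course->id]));
```

The sesskey check costs nothing on the EQUELLA side, since the value only has to travel inside the return URL, and clean_param() with a per-field type is what keeps an attacker-controlled JSON document from landing in the database unchanged.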

I'm still not convinced, but this probably wouldn't be a blocker on our end. Having the clean_param stuff there makes it a lot cleaner than it was, thanks.

Problem seems to have been adequately fixed.