Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't trust any input from users #19

Open
purnendudash opened this issue Apr 5, 2024 · 1 comment
Open

Don't trust any input from users #19

purnendudash opened this issue Apr 5, 2024 · 1 comment

Comments

@purnendudash
Copy link

Here the file_get_contents used directly without any sanitisation.

moodle-availability_examus2/api.php

Line 62 in 3658279

$requestbody = file_get_contents('php://input');

Kindly use proper cleanup before using any such values. Here is the reference doc - https://moodledev.io/general/development/policies/security#dont-trust-any-input-from-users
@evsoldatkin
Copy link
Contributor

Data can not be optained by optional_param or required_param functions, because it goes in a raw body format according to intergation specifications of the external service.
Data is recieved only from the integration server after JWT signature verification and cleaned after by using json_decode.
The same can be found in a core intergation with shibboleth in auth\shibboleth\login.php

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@evsoldatkin @purnendudash