MDL-81491 enrol_lti: fix incorrect login_hint parameter type validation
This was always bad, but since we only used it to verify the existence
of the param, and let library code take $_REQUEST for the real
validation, it was ok. Now, since we're redirecting to self during
necessary cookie checks added by MDL-80835, we lose the real value
originally stored in $_REQUEST. This patch just fixes the param type,
setting it to raw, which is what it should have used originally. The
raw value won't be cast from a string to an int as part of the
require_param call, so the value won't be lost any more.
snake committed Apr 10, 2024
1 parent a18c0b7 commit f5587cf
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion enrol/lti/login.php
Expand Up @@ -40,7 +40,7 @@
// See http://www.imsglobal.org/spec/security/v1p0/#step-1-third-party-initiated-login.
// Validate these here, despite further validation in the LTI 1.3 library.
$iss = required_param('iss', PARAM_URL); // Issuer URI of the calling platform.
$loginhint = required_param('login_hint', PARAM_INT); // Platform ID for the person to login.
$loginhint = required_param('login_hint', PARAM_RAW); // Platform ID for the person to login.
$targetlinkuri = required_param('target_link_uri', PARAM_URL); // The took launch URL.

// Optional lti_message_hint. See https://www.imsglobal.org/spec/lti/v1p3#additional-login-parameters-0.
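Review bot: On the changed login_hint line, PARAM_RAW performs no cleaning at all, so the context comment two lines above ("Validate these here, despite further validation in the LTI 1.3 library") no longer describes what happens to this parameter: required_param now only confirms that it is present. Suggest saying so in the comment, and rewording the trailing "Platform ID for the person to login" to state that login_hint is an opaque, platform-defined string rather than a numeric ID, which is the reason PARAM_INT destroyed the value. Because $loginhint is now an unmodified request value, it is worth confirming that every use of it in this file, including the redirect to self described in the commit message, URL-encodes or escapes it and that the only real validation is the one delegated to the library. Minor: the neighbouring context comment reads "The took launch URL", presumably "tool", which could be fixed in a follow-up.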