Compatibility with Moodle plugin "Bakery" [#2535628]

Hi,

I found that this module is simple and great.
But I have some problems with Moodle "bakery" plugin.

When I click login link on Moodle I have been redirected to Drupal login page with GET arg return_dest, and after successful login I still placed on Drupal side.

There is no any redirects back to Moodle in this case, but if I go to the Moodle manually, I will be logged in.

Comment	File	Size	Author
#6	bakery-moodle_integration-2535628-6.patch	998 bytes	kala4ek
#5	bakery-moodle_integration-2535628-5.patch	953 bytes	kala4ek
#1	bakery-moodle_integration-2535628-1.patch	635 bytes	kala4ek

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

kala4ek

Russian

🇷🇺 Novosibirsk

CreditAttribution: kala4ek as a volunteer and at DrupalJedi commented 30 September 2015 at 07:25

Status:

Needs work

» Needs review

File	Size
bakery-moodle_integration-2535628-1.patch	635 bytes

I've created simple patch, that fix it for me.
Please, review it, I think it'll help to smb else.

Comment #2

eugene.ilyin CreditAttribution: eugene.ilyin commented 15 August 2015 at 07:46

Status:

Needs review

» Reviewed & tested by the community

This patch works well for me! Thank you

Comment #3

drumm

he/him

NY, US

CreditAttribution: drumm at Drupal Association commented 6 December 2015 at 17:47

Status:

Reviewed & tested by the community

» Needs work

      drupal_add_http_header('Location', urldecode($_GET['return_dest']));

This looks like a security issue. At best, arbitrary redirection. Maybe arbitrary header injection if newlines can get through urldecode().

For Drupal.org we have similar functionality in custom code, http://cgit.drupalcode.org/drupalorg_crosssite/tree/drupalorg_crosssite..... This checks that the redirection is in a whitelist of expected domains.