From cde2ffbaecd60e60f2bd339003f2e6452c7b5886 Mon Sep 17 00:00:00 2001 From: Richard Mansfield Date: Mon, 31 Oct 2011 17:27:33 +1300 Subject: [PATCH 1/2] Check session key in addtoinstitution.php script (CVE-2011-2773) Change-Id: I6936c9b1863cd42686e2818660aba4b6955408d8 --- htdocs/admin/users/addtoinstitution.php | 4 ++++ htdocs/lib/searchlib.php | 2 +- 2 files changed, 5 insertions(+), 1 deletions(-) diff --git a/htdocs/admin/users/addtoinstitution.php b/htdocs/admin/users/addtoinstitution.php index f291aed..be866ca 100644 --- a/htdocs/admin/users/addtoinstitution.php +++ b/htdocs/admin/users/addtoinstitution.php @@ -32,6 +32,10 @@ require('institution.php'); $id = param_integer('id'); $institution = new Institution(param_alpha('institution')); +if (param_alphanum('sesskey') != $USER->get('sesskey')) { + throw new UserException('Invalid sesskey'); +} + if (!$USER->get('admin')) { if (!$USER->is_institutional_admin($institution->name)) { $SESSION->add_error_msg(get_string('notadminforinstitution', 'admin')); diff --git a/htdocs/lib/searchlib.php b/htdocs/lib/searchlib.php index 2b6098b..b9d37a4 100644 --- a/htdocs/lib/searchlib.php +++ b/htdocs/lib/searchlib.php @@ -299,7 +299,7 @@ function build_admin_user_search_results($search, $offset, $limit, $sortby, $sor $institutions = get_records_assoc('institution', '', '', '', 'name,displayname'); if (count($institutions) > 1) { $cols['institution'] = array('name' => get_string('institution'), - 'template' => '{if empty($r.institutions)}{$institutions.mahara->displayname|escape}{else}{foreach from=$r.institutions item=i}
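Review bot: The new sesskey check in addtoinstitution.php compares the submitted key with the session key using the loose `!=` operator, under which two different numeric-looking strings can compare equal (PHP treats `'1e3' == '1000'` as true); a strict comparison closes that gap at no cost: `if (param_alphanum('sesskey') !== $USER->get('sesskey')) {`. The check is also placed after `$institution = new Institution(param_alpha('institution'));`, so the institution record is loaded before the request has been validated; moving the sesskey block directly after `$id = param_integer('id');` keeps the guard ahead of any other work. It is not visible here how `param_alphanum()` behaves when the parameter is absent — presumably it raises rather than returning an empty string, which is worth confirming so that a missing key can never match an empty session value. The remainder of the script lies outside the hunk, and the searchlib.php hunk is not readable in this rendering (its old and new template lines print identically, likely because markup was stripped), so it is not reviewed here.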
{$institutions[$i]->displayname|escape}
{/foreach}{/if}{if !empty($r.requested)}{foreach from=$r.requested item=i}
{str tag=requestto section=admin} {$institutions[$i]->displayname|escape}{if $USER->is_institutional_admin("$i")} ({str tag=confirm section=admin}){/if}
{/foreach}{/if}{if !empty($r.invitedby)}{foreach from=$r.invitedby item=i}
{str tag=invitedby section=admin} {$institutions[$i]->displayname|escape}
{/foreach}{/if}'); + 'template' => '{if empty($r.institutions)}{$institutions.mahara->displayname|escape}{else}{foreach from=$r.institutions item=i}
{$institutions[$i]->displayname|escape}
{/foreach}{/if}{if !empty($r.requested)}{foreach from=$r.requested item=i}
{str tag=requestto section=admin} {$institutions[$i]->displayname|escape}{if $USER->is_institutional_admin("$i")} ({str tag=confirm section=admin}){/if}
{/foreach}{/if}{if !empty($r.invitedby)}{foreach from=$r.invitedby item=i}
{str tag=invitedby section=admin} {$institutions[$i]->displayname|escape}
{/foreach}{/if}'); } $smarty = smarty_core(); -- 1.7.1