From 21678faee6ce5065fb82d1be3a7b9773270b9517 Mon Sep 17 00:00:00 2001
From: Damyon Wiese <damyon@moodle.com>
Date: Mon, 13 Jul 2015 10:15:17 +0800
Subject: [PATCH] MDL-50784 ajax: Require a sesskey for all ajax requests.

This needs to be done before we can expose any webservices that
change state, or return private info to ajax (to prevent CSRF).

Currently there are no webservices exposed to ajax that meet these
criteria - so this issue is to prevent future security issues.
---
 lib/ajax/service.php      | 1 +
 lib/amd/build/ajax.min.js | 2 +-
 lib/amd/src/ajax.js       | 4 ++--
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/lib/ajax/service.php b/lib/ajax/service.php
index 7a72e88..938ffa8 100644
--- a/lib/ajax/service.php
+++ b/lib/ajax/service.php
@@ -33,6 +33,7 @@ require_once(dirname(__FILE__) . '/../../config.php');
 require_once($CFG->libdir . '/externallib.php');
 
 require_login(null, true, null, true, true);
+require_sesskey();
 
 $rawjson = file_get_contents('php://input');
 
diff --git a/lib/amd/build/ajax.min.js b/lib/amd/build/ajax.min.js
index 72274b8..2a80dfe 100644
--- a/lib/amd/build/ajax.min.js
+++ b/lib/amd/build/ajax.min.js
@@ -1 +1 @@
-define(["jquery","core/config"],function(a,b){var c=function(a){var b,c,d=this,e=null,f=0;for(f=0;f<d.length;f++){if(b=d[f],c=a[f],"undefined"==typeof c){e=new Error("missing response");break}if(c.error!==!1){e=c.exception;break}b.deferred.resolve(c.data)}if(null!==e)for(;f<d.length;f++)b=d[f],b.deferred.reject(e)},d=function(a,b){var c=this,d=0;for(d=0;d<c.length;d++){var e=c[d];"undefined"!=typeof e.fail&&e.deferred.reject(b)}};return{call:function(e,f){var g,h=[],i=[];for("undefined"==typeof f&&(f=!0),g=0;g<e.length;g++){var j=e[g];h.push({index:g,methodname:j.methodname,args:j.args}),j.deferred=a.Deferred(),i.push(j.deferred.promise()),"undefined"!=typeof j.done&&j.deferred.done(j.done),"undefined"!=typeof j.fail&&j.deferred.fail(j.fail),j.index=g}h=JSON.stringify(h);var k={type:"POST",data:h,context:e,dataType:"json",processData:!1,async:f};return f?a.ajax(b.wwwroot+"/lib/ajax/service.php",k).done(c).fail(d):(k.success=c,k.error=d,a.ajax(b.wwwroot+"/lib/ajax/service.php",k)),i}}});
\ No newline at end of file
+define(["jquery","core/config"],function(a,b){var c=function(a){var b,c,d=this,e=null,f=0;for(f=0;f<d.length;f++){if(b=d[f],c=a[f],"undefined"==typeof c){e=new Error("missing response");break}if(c.error!==!1){e=c.exception;break}b.deferred.resolve(c.data)}if(null!==e)for(;f<d.length;f++)b=d[f],b.deferred.reject(e)},d=function(a,b){var c=this,d=0;for(d=0;d<c.length;d++){var e=c[d];"undefined"!=typeof e.fail&&e.deferred.reject(b)}};return{call:function(e,f){var g,h=[],i=[];for("undefined"==typeof f&&(f=!0),g=0;g<e.length;g++){var j=e[g];h.push({index:g,methodname:j.methodname,args:j.args}),j.deferred=a.Deferred(),i.push(j.deferred.promise()),"undefined"!=typeof j.done&&j.deferred.done(j.done),"undefined"!=typeof j.fail&&j.deferred.fail(j.fail),j.index=g}h=JSON.stringify(h);var k={type:"POST",data:h,context:e,dataType:"json",processData:!1,async:f};return f?a.ajax(b.wwwroot+"/lib/ajax/service.php?sesskey="+b.sesskey,k).done(c).fail(d):(k.success=c,k.error=d,a.ajax(b.wwwroot+"/lib/ajax/service.php?sesskey="+b.sesskey,k)),i}}});
\ No newline at end of file
diff --git a/lib/amd/src/ajax.js b/lib/amd/src/ajax.js
index 4f2cb77..2966cb4 100644
--- a/lib/amd/src/ajax.js
+++ b/lib/amd/src/ajax.js
@@ -146,13 +146,13 @@ define(['jquery', 'core/config'], function($, config) {
 
             // Jquery deprecated done and fail with async=false so we need to do this 2 ways.
             if (async) {
-                $.ajax(config.wwwroot + '/lib/ajax/service.php', settings)
+                $.ajax(config.wwwroot + '/lib/ajax/service.php?sesskey=' + config.sesskey, settings)
                     .done(requestSuccess)
                     .fail(requestFail);
             } else {
                 settings.success = requestSuccess;
                 settings.error = requestFail;
-                $.ajax(config.wwwroot + '/lib/ajax/service.php', settings);
+                $.ajax(config.wwwroot + '/lib/ajax/service.php?sesskey=' + config.sesskey, settings);
             }
 
             return promises;
-- 
1.8.3.2