Remove any rewrite rules with "?" to avoid AlloUnsafeAllow3F

tsugiproject · Jul 24, 2024 · 7dd9f6e · 7dd9f6e
1 parent fad261c
commit 7dd9f6e
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 7 deletions.
diff --git a/lti/.htaccess b/lti/.htaccess
@@ -1,7 +1,5 @@
 <IfModule mod_rewrite.c>
     RewriteEngine on
-    RewriteRule ^oidc_login/(.*)$ oidc_login.php?guid=$1 [L,QSA]
-    RewriteRule ^keyset/(.*)$ keyset.php?issuer_guid=$1 [L,QSA]
     RewriteCond %{REQUEST_FILENAME} !-f
     RewriteCond %{REQUEST_FILENAME} !-d
     RewriteCond %{REQUEST_URI} !=/favicon.ico

diff --git a/lti/oidc_login.php b/lti/oidc_login.php
@@ -11,14 +11,16 @@
 
 require_once "../config.php";
 
+$rest_path = U::rest_path();
+
 // We will switch these defaults in the future...
 $postverify_enabled = isset($CFG->postverify) ? $CFG->postverify : false;
 $postmessage_enabled = isset($CFG->postmessage) ? $CFG->postmessage : false;
 
 // target_link_uri and lti_message_hint are not required by Tsugi
 $login_hint = U::get($_REQUEST, 'login_hint');
 $iss = U::get($_REQUEST, 'iss');
-$issuer_guid = U::get($_REQUEST, 'guid');
+$issuer_guid = U::get($_REQUEST, 'guid', $rest_path->action);
 $lti_storage_target = U::get($_REQUEST, 'web_message_target');
 $lti_storage_target = U::get($_REQUEST, 'ims_web_message_target', $lti_storage_target);
 $lti_storage_target = U::get($_REQUEST, 'lti_storage_target', $lti_storage_target);

diff --git a/lti/store/.htaccess b/lti/store/.htaccess
@@ -1,7 +1,9 @@
 <IfModule mod_rewrite.c>
     RewriteEngine on
-    RewriteRule ^sakai-config/(.*)$ sakai-config.php?guid=$1 [L,QSA]
-    RewriteRule ^ims-config/(.*)$ ims-config.php?guid=$1 [L,QSA]
+    RewriteRule ^sakai-config sakai-config.php [L,QSA]
+    RewriteRule ^ims-config ims-config.php [L,QSA]
+    RewriteRule ^sakai-config/(.*)$ sakai-config.php/$1 [L,QSA]
+    RewriteRule ^ims-config/(.*)$ ims-config.php/$1 [L,QSA]
     RewriteCond %{REQUEST_FILENAME} !-f
     RewriteCond %{REQUEST_FILENAME} !-d
     RewriteCond %{REQUEST_URI} !=/favicon.ico

diff --git a/lti/store/ims-config.php b/lti/store/ims-config.php
@@ -11,7 +11,11 @@
 // See also:
 // https://tools.ietf.org/html/rfc7591
 
-$guid = U::get($_GET,"guid",false);
+
+// Allow for ims-config/123 or ims-config?guid=123
+
+$rest_path = U::rest_path();
+$guid = U::get($_GET, "guid", $rest_path->action);
 
 $json = new \stdClass();
 

diff --git a/lti/store/sakai-config.php b/lti/store/sakai-config.php
@@ -6,7 +6,9 @@
 
 // See the end of the file for some documentation references
 
-$guid = U::get($_GET,"guid",false);
+// Allow for sakai-config/123 or sakai-config?guid=123
+$rest_path = U::rest_path();
+$guid = U::get($_GET, "guid", $rest_path->action);
 
 $json = new \stdClass();