This ticket covers two somewhat related issues.

  1. There are several places in cas_server.module that grab info from $_GET or $_REQUEST without checking to see if the key is set, which can cause graceless errors.
  2. $_REQUEST isn't used consistently. The CAS protocol doesn't require GET or POST vars, so IMO we should get input from $_REQUEST.

File: cas_server_validate_input.patch | Size: 2.92 KB | Author: thecarlhall

Comments

thecarlhall

Status: Active » Needs review

bfroehle

Status: Needs review » Fixed

Thanks. A slightly modified version committed to 6.x-3.x and 7.x-1.x.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

  • Commit c73ec1e on 7.x-1.x, 8.x-1.x by bfroehle:
    Issue #1419900 by thecarlhall: Fixed Input needs validating, use $...