From 9108646670c8dce6332b77dd966dc5b92b1ba041 Mon Sep 17 00:00:00 2001
From: "Daniel Cazalla (ZallaxDev)" <86362063+ZallaxDev@users.noreply.github.com>
Date: Wed, 4 Dec 2024 10:54:07 +0100
Subject: [PATCH] LTI: Authentication check for registering new LTI providers and HTML escaping
The LTIConsumer creation entry point has been modified to add a user check and an unused get method check has been removed. Added htmlspecialchars to ilObjLTIConsumerProviderList::getTableDataUsedBy in the title and description of the table providers. Moved strict_types to avoid error in copyright check.
---
 .../classes/class.ilLTIConsumeProviderList.php | 8 ++++----
 Modules/LTIConsumer/ltiregstart.php | 7 ++-----
 2 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/Modules/LTIConsumer/classes/class.ilLTIConsumeProviderList.php b/Modules/LTIConsumer/classes/class.ilLTIConsumeProviderList.php
index 51f261cb8af1..524840b04dc8 100755
--- a/Modules/LTIConsumer/classes/class.ilLTIConsumeProviderList.php
+++ b/Modules/LTIConsumer/classes/class.ilLTIConsumeProviderList.php
@@ -1,7 +1,5 @@ getId();
- $tblRow['title'] = $provider->getTitle();
- $tblRow['description'] = $provider->getDescription();
+ $tblRow['title'] = htmlspecialchars($provider->getTitle());
+ $tblRow['description'] = htmlspecialchars($provider->getDescription());
 $tblRow['category'] = $provider->getCategory();
 $tblRow['keywords'] = $this->getKeywordsFormatted($provider->getKeywordsArray());
 $tblRow['outcome'] = $provider->getHasOutcome();
diff --git a/Modules/LTIConsumer/ltiregstart.php b/Modules/LTIConsumer/ltiregstart.php
index 1e0c26268b5f..9f76e32c1488 100644
--- a/Modules/LTIConsumer/ltiregstart.php
+++ b/Modules/LTIConsumer/ltiregstart.php 
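Review bot: The two new `htmlspecialchars()` calls rely on the default flags, so which quote characters get escaped depends on the PHP version (ENT_QUOTES | ENT_SUBSTITUTE only became the default in 8.1), and the neighbouring user-supplied cells in the same row — `keywords` from getKeywordsFormatted() and possibly `category` — still go into `$tblRow` unescaped, so the row is only partly protected. Pass the flags explicitly, `$tblRow['title'] = htmlspecialchars($provider->getTitle(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` (and the same for `description`), and check whether getKeywordsFormatted() escapes its own output. Escaping inside the data-building method also means the template that renders these columns must not escape them a second time, or an `&` in a title will be shown as `&amp;`; worth confirming against the table GUI. This hunk is truncated in this rendering (the `@@ -1,7 +1,5 @@` header belongs to the strict_types move named in the message, but those lines and the header of the second hunk are missing), and the enclosing method getTableDataUsedBy starts and ends outside it.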
@@ -26,11 +26,8 @@ ilInitialisation::initILIAS();
 global $DIC;
-if (strtoupper($DIC->http()->request()->getMethod()) !== "GET") {
- $DIC->http()->saveResponse(
- $DIC->http()->response()
- ->withStatus(400)
- );
+if (!$DIC->user()->getId() || $DIC->user()->getId() === ANONYMOUS_USER_ID) {
+ ilObjLTIConsumer::sendResponseError(401, "unauthorized");
 }
 $params = $DIC->http()->wrapper()->query();
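Review bot: The new guard calls `ilObjLTIConsumer::sendResponseError(401, "unauthorized");` and then falls through — nothing in the branch ends the request, so unless sendResponseError() itself exits, execution continues to `$params = $DIC->http()->wrapper()->query();` and the registration runs for an anonymous caller anyway (the removed branch had the same shape, but it only set a status). Either append `exit;` after the call or confirm that sendResponseError() terminates, and say so in a comment on the guard, e.g. `// sendResponseError() emits the 401 and exits; nothing below runs for anonymous users`. The check is authentication only: any logged-in account passes it, so if registering an LTI provider is an administrative action a permission check on the consumer object would be the stronger guard — that is inferred from the file's role, not visible in the hunk. As a point of style, `$DIC->user()->getId()` is evaluated twice in the condition; a local `$userId = $DIC->user()->getId();` would read better. The script continues past the hunk.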