canvas-lms/app/controllers/lti
wdransfield c64962fd8f Fix XSS and tool registration endpoint vulnerabilities
Fixes PLAT-2905

Test Plan:
- Regression test LTI 2 registration and
  reregistration.
- Verify that the registration endpoint is now post
  only (i.e. /courses/113/lti/
  tool_proxy_registration?tool_consumer_url=https://bad.site.com)
- Verify that when posting to the endpoint the
  `tool_consumer_url` parameter may not use the
  JavaScript protocol.

Change-Id: Ie61b9293083a65a705db5268f695a2874be35a3f
Reviewed-on: https://gerrit.instructure.com/131981
Tested-by: Jenkins
Reviewed-by: Andrew Butterfield <abutterfield@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Weston Dransfield <wdransfield@instructure.com>
2017-11-08 17:03:43 +00:00
..
ims create api methods for tool settings 2017-10-11 18:44:38 +00:00
lti_apps_controller.rb Fix some typos and formatting 2017-10-16 22:33:53 +00:00
membership_service_controller.rb da licença part 5 2017-04-27 21:30:43 +00:00
message_controller.rb Fix XSS and tool registration endpoint vulnerabilities 2017-11-08 17:03:43 +00:00
originality_reports_api_controller.rb Change plagiarism platform visibility 2017-11-01 14:43:34 +00:00
submissions_api_controller.rb Store EULA agreement timestamp 2017-11-02 19:43:35 +00:00
subscriptions_api_controller.rb Fix regression in subscriptions api controller 2017-08-28 21:32:05 +00:00
subscriptions_validator.rb Allow subscriptions on root_account 2017-05-09 22:28:55 +00:00
tool_proxy_controller.rb da licença part 5 2017-04-27 21:30:43 +00:00
users_api_controller.rb LTI User show endpoint 2017-09-28 15:41:12 +00:00