Check https links see BT#10217

10 years ago · 8114f78dda
parent 90ef20b0b4
commit 8114f78dda
3 changed files with 12 additions and 3 deletions
--- a/main/newscorm/learnpath.class.php
+++ b/main/newscorm/learnpath.class.php
@ -9879,7 +9879,7 @@ EOD;
     *
     * @return string
     */
-    public function checkXFrameOptions($src)
+    public function fixBlockedLinks($src)
    {
        if (strpos($src, api_get_path(WEB_CODE_PATH)) === false) {
            // Check X-Frame-Options
@ -9912,6 +9912,14 @@ EOD;
                $_SESSION['x_frame_source'] = $src;
                $src = 'blank.php?error=x_frames_options';
            }
+        } else {
+            $urlInfo = parse_url($src);
+            $platformProtocol = api_get_protocol();
+
+            if ($platformProtocol != $urlInfo['scheme']) {
+                $_SESSION['x_frame_source'] = $src;
+                $src = 'blank.php?error=x_frames_options';
+            }
        }

        return $src;
--- a/main/newscorm/lp_content.php
+++ b/main/newscorm/lp_content.php
@ -59,7 +59,7 @@ if ($dokeos_chapter) {
            } else {
                $src = 'blank.php?error=prerequisites';
            }
-            $src = $_SESSION['oLP']->checkXFrameOptions($src);
+            $src = $_SESSION['oLP']->fixBlockedLinks($src);
            break;
        case 2:
            $_SESSION['oLP']->stop_previous_item();
--- a/main/newscorm/lp_view.php
+++ b/main/newscorm/lp_view.php
@ -168,7 +168,8 @@ if (!isset($src)) {
                    $src = api_get_path(WEB_CODE_PATH).'newscorm/lp_view_item.php?lp_item_id='.$lp_item_id.'&'.api_get_cidreq();
                }

-                $src = $_SESSION['oLP']->checkXFrameOptions($src);
+                $src = $_SESSION['oLP']->fixBlockedLinks($src);
+
                $_SESSION['oLP']->start_current_item(); // starts time counter manually if asset
            } else {
                $src = 'blank.php?error=prerequisites';