From 869f6f39fbf47ca336be5a3b9aabfc8c24cfc664 Mon Sep 17 00:00:00 2001
From: Angel Fernando Quiroz Campos
Date: Tue, 30 Oct 2018 15:46:12 -0500
Subject: [PATCH] LTI verify oauth signature for deep linking - refs BT#13469

---
 plugin/ims_lti/item_return.php | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/plugin/ims_lti/item_return.php b/plugin/ims_lti/item_return.php
index 18b7f69c05..24c5dd93ec 100644
--- a/plugin/ims_lti/item_return.php
+++ b/plugin/ims_lti/item_return.php
@@ -23,7 +23,33 @@
 $course = $em->find('ChamiloCoreBundle:Course', api_get_course_int_id());
 $ltiTool = $em->find('ChamiloPluginBundle:ImsLti\ImsLtiTool', $toolId);
 if (!$ltiTool) {
-    api_not_allowed(false);
+    api_not_allowed();
+}
+
+$oauth = new OAuthSimple(
+    $_POST['oauth_consumer_key'],
+    $ltiTool->getSharedSecret()
+);
+$oauth->setAction('POST');
+$oauth->setSignatureMethod($_POST['oauth_signature_method']);
+$result = $oauth->sign(
+    [
+        'path' => api_get_path(WEB_PLUGIN_PATH).'ims_lti/item_return.php',
+        'parameters' => [
+            'content_items' => $_POST['content_items'],
+            'data' => $_POST['data'],
+            'lti_version' => $_POST['lti_version'],
+            'lti_message_type' => $_POST['lti_message_type'],
+            'oauth_nonce' => $_POST['oauth_nonce'],
+            'oauth_timestamp' => $_POST['oauth_timestamp'],
+            'oauth_signature_method' => $_POST['oauth_signature_method'],
+            'oauth_callback' => $_POST['oauth_callback'],
+        ],
+    ]
+);
+
+if ($result['parameters']['oauth_signature'] !== $_POST['oauth_signature']) {
+    api_not_allowed();
 }
 
 $contentItems = json_decode($_POST['content_items'], true);
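Review bot: The signature check at the end of the hunk compares the recomputed OAuth signature with `!==`, which is not constant-time; use `if (!hash_equals($result['parameters']['oauth_signature'], (string) ($_POST['oauth_signature'] ?? ''))) {` instead. The new code also signs `oauth_nonce` and `oauth_timestamp` straight from `$_POST` but never checks that the timestamp is recent or that the nonce has not been seen before, so a captured valid post stays accepted until the shared secret changes; a freshness window plus a per-consumer nonce store would close this, and I would pin `setSignatureMethod()` to the method the tool is configured for rather than echoing `$_POST['oauth_signature_method']` back. Every `$_POST[...]` read here is unguarded, so a missing key produces a notice and signs an empty value instead of rejecting the request; I would check the required keys up front and call `api_not_allowed()` when any is absent. Because the parameter list is hard-coded, any extra signed parameter the platform sends (I would expect at least `oauth_version` on most LTI 1.x posts) makes verification fail for legitimate returns — consider building `parameters` from `$_POST` minus `oauth_signature`.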