LTI verify oauth signature for deep linking - refs BT#13469

plugin/ims_lti/item_return.php

@@ -23,7 +23,33 @@ $course = $em->find('ChamiloCoreBundle:Course', api_get_course_int_id());
 $ltiTool = $em->find('ChamiloPluginBundle:ImsLti\ImsLtiTool', $toolId);
 
 if (!$ltiTool) {
-    api_not_allowed(false);
+    api_not_allowed();
+}
+
+$oauth = new OAuthSimple(
+    $_POST['oauth_consumer_key'],
+    $ltiTool->getSharedSecret()
+);
+$oauth->setAction('POST');
+$oauth->setSignatureMethod($_POST['oauth_signature_method']);
+$result = $oauth->sign(
+    [
+        'path' => api_get_path(WEB_PLUGIN_PATH).'ims_lti/item_return.php',
+        'parameters' => [
+            'content_items' => $_POST['content_items'],
+            'data' => $_POST['data'],
+            'lti_version' => $_POST['lti_version'],
+            'lti_message_type' => $_POST['lti_message_type'],
+            'oauth_nonce' => $_POST['oauth_nonce'],
+            'oauth_timestamp' => $_POST['oauth_timestamp'],
+            'oauth_signature_method' => $_POST['oauth_signature_method'],
+            'oauth_callback' => $_POST['oauth_callback'],
+        ],
+    ]
+);
+
+if ($result['parameters']['oauth_signature'] !== $_POST['oauth_signature']) {
+    api_not_allowed();
 }
 
 $contentItems = json_decode($_POST['content_items'], true);