Closed danielcifuentesopen closed 2 years ago
That file isn't Moodle code. It's an external library included in this code (simplesamlphp) - external libraries follow their own guidelines and don't have access to Moodle APIs like optional/required_param.
Thanks!
In the latest auth_saml2 plugin version (2022083100), there is a file (saml2/.extlib/simplesamlphp/modules/adfs/www/idp/prp.php) in which $_GET is used. Following this documentation https://docs.moodle.org/dev/Security#Don't_trust_any_input_from_users, this may be a security issue. It is recommended to use required_param() or optional_param() instead.
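One way to run the check discussed in this thread so that bundled third-party code is triaged separately from the plugin's own code. This is an added example, not code from auth_saml2, Moodle or simplesamlphp. The directory names in VENDORED_DIRS other than .extlib, the file saml2/classes/example.php and all sample file contents are assumptions constructed for the demonstration.

```python
import re
from pathlib import PurePosixPath

# PHP superglobals that carry raw request input.
SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
# Assumption: directory names that hold bundled third-party code.
# ".extlib" is the one named in the issue; "vendor" is added for illustration.
VENDORED_DIRS = {".extlib", "vendor"}

def is_vendored(path):
    """True if any path component is a known third-party directory."""
    return any(part in VENDORED_DIRS for part in PurePosixPath(path).parts)

def scan(files):
    """files maps path -> PHP source; returns one finding per superglobal use."""
    findings = []
    for path, source in sorted(files.items()):
        for lineno, line in enumerate(source.splitlines(), start=1):
            # Skip whole-line comments so documentation does not trigger findings.
            if line.lstrip().startswith(("//", "#", "*", "/*")):
                continue
            for match in SUPERGLOBAL.finditer(line):
                findings.append({"path": path, "line": lineno,
                                 "name": match.group(0),
                                 "vendored": is_vendored(path)})
    return findings

def triage(findings):
    """Split findings: first-party code to fix with required_param() or
    optional_param(), vendored code to review against upstream instead."""
    first_party = [f for f in findings if not f["vendored"]]
    vendored = [f for f in findings if f["vendored"]]
    return first_party, vendored

# Constructed sample sources; not the real contents of either file.
SAMPLE_FILES = {
    "saml2/.extlib/simplesamlphp/modules/adfs/www/idp/prp.php":
        "<?php\nif (isset($_GET['example'])) {\n    $v = $_GET['example'];\n}\n",
    "saml2/classes/example.php":  # hypothetical first-party file
        "<?php\n// $_GET must not be read directly\n"
        "$id = required_param('id', PARAM_INT);\n$tab = $_POST['tab'];\n",
}

if __name__ == "__main__":
    own, third_party = triage(scan(SAMPLE_FILES))
    for f in own:
        print(f"FIX    {f['path']}:{f['line']} uses {f['name']}")
    for f in third_party:
        print(f"REVIEW {f['path']}:{f['line']} uses {f['name']} (external library)")
```
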