From a866ad40beb1c1d7faca2da9c3cbad2dcf6fa32b Mon Sep 17 00:00:00 2001
From: John Okely
Date: Fri, 31 Oct 2014 13:36:52 +0800
Subject: [PATCH] MDL-47949 mod_wiki: Validate parameters for page deletion
---
 mod/wiki/admin.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/mod/wiki/admin.php b/mod/wiki/admin.php
index a99605c0e97..03a835aaa98 100644
--- a/mod/wiki/admin.php
+++ b/mod/wiki/admin.php
@@ -64,6 +64,13 @@ require_capability('mod/wiki:managewiki', $context);
 //Delete page if a page ID to delete was supplied
 if (!empty($delete) && confirm_sesskey()) {
+ if ($pageid != $delete) {
+ // Validate that we are deleting from the same subwiki.
+ $deletepage = wiki_get_page($delete);
+ if (!$deletepage || $deletepage->subwikiid != $page->subwikiid) {
+ print_error('incorrectsubwikiid', 'wiki');
+ }
+ }
 wiki_delete_pages($context, $delete, $page->subwikiid);
 //when current wiki page is deleted, then redirect user to create that page, as
 //current pageid is invalid after deletion.
@@ -105,4 +112,4 @@ $wikipage->print_header();
 $wikipage->set_view($option, empty($listall)?true:false);
 $wikipage->print_content();
-$wikipage->print_footer();
\ No newline at end of file
+$wikipage->print_footer();
--
2.11.4.GIT
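Review bot: The subwiki ownership check added ahead of `wiki_delete_pages()` in the first hunk is enforced only at this call site, so any other caller has to repeat it for the guarantee to hold. `wiki_delete_pages()` already receives `$page->subwikiid`, but its body is not visible here. It is worth confirming that it refuses pages outside that subwiki, and adding the same comparison inside the helper if it does not. The inline comment should also record why the check exists, assuming `$context` is derived from `$pageid` earlier in the file: `// $delete is a separate request parameter; the capability check above only covers the current page's context, so reject pages from any other subwiki.` The `if (!empty($delete) && confirm_sesskey())` block continues past the end of the hunk.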