I recently had to do a security review of your plugin for a customer and was going through the checklist of Moodle https://docs.moodle.org/dev/Plugin_contribution_checklist and noticed that you were using the superglobal $_SERVER directly in this function in lib.php:
```php
function theme_enlightlite_serve_css($filename) {
    global $CFG;
    if (!empty($CFG->themedir)) {
        $thestylepath = $CFG->themedir . '/enlightlite/style/';
    } else {
        $thestylepath = $CFG->dirroot . '/theme/enlightlite/style/';
    }
    $thesheet = $thestylepath . $filename;
    // File: ETag derived from the file contents, last-modified from its mtime.
    $etagfile = md5_file($thesheet);
    $lastmodified = filemtime($thesheet);
    // Header: conditional-request headers read straight from the superglobal.
    $ifmodifiedsince = (isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) ? $_SERVER['HTTP_IF_MODIFIED_SINCE'] : false);
    $etagheader = (isset($_SERVER['HTTP_IF_NONE_MATCH']) ? trim($_SERVER['HTTP_IF_NONE_MATCH']) : false);
    if ((($ifmodifiedsince) && (strtotime($ifmodifiedsince) == $lastmodified)) || $etagheader == $etagfile) {
        theme_enlightlite_send_unmodified($lastmodified, $etagfile);
    }
    theme_enlightlite_send_cached_css($thestylepath, $filename, $lastmodified, $etagfile);
}
```
Is it on purpose/harmless or can I do a pull request to remove the access to $_SERVER directly?
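For reference, here is one way the header handling could be restructured so that $_SERVER is touched in a single validated helper and the conditional-request comparison is strict. This is an added illustration, not code from the enlightlite theme; the helper names are hypothetical, and unlike the original it treats an If-Modified-Since at or after the file mtime as "unmodified" (per RFC 7232) rather than requiring exact equality.

```php
<?php
// Added example, not the theme's own code. Helper names are hypothetical.

/**
 * Return one request header, or null when absent or not printable ASCII.
 * Intended to be the only place in the theme that reads $_SERVER.
 */
function theme_enlightlite_request_header(string $name): ?string {
    $key = 'HTTP_' . strtoupper(str_replace('-', '_', $name));
    if (!isset($_SERVER[$key]) || !is_string($_SERVER[$key])) {
        return null;
    }
    $value = trim($_SERVER[$key]);
    // Reject control characters; headers we act on should be plain ASCII.
    return preg_match('/^[\x20-\x7e]*$/', $value) === 1 ? $value : null;
}

/**
 * Decide whether a 304 may be sent for a file with the given mtime and ETag.
 * If-None-Match takes precedence over If-Modified-Since (RFC 7232 section 6).
 */
function theme_enlightlite_is_unmodified(int $lastmodified, string $etagfile): bool {
    $inm = theme_enlightlite_request_header('If-None-Match');
    if ($inm !== null) {
        foreach (explode(',', $inm) as $candidate) {
            // Strip a weak-validator prefix and surrounding quotes, then compare strictly.
            $candidate = trim(preg_replace('/^W\//', '', trim($candidate)), '"');
            if ($candidate === '*' || $candidate === $etagfile) {
                return true;
            }
        }
        return false;
    }
    $ims = theme_enlightlite_request_header('If-Modified-Since');
    if ($ims === null) {
        return false;
    }
    $since = strtotime($ims);
    // strtotime() returns false on unparseable input; never let false compare equal.
    return $since !== false && $since >= $lastmodified;
}
```

theme_enlightlite_serve_css() would then call theme_enlightlite_is_unmodified($lastmodified, $etagfile) instead of reading the two headers inline, which also makes the header parsing unit-testable without a real request.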