MDL-53501 webservice: Avoid values higher than PHP_INT_MAX

Integers coming from site settings needs casting to int to avoid
returning values higher than PHP_INT_MAX.

webservice/externallib.php

@@ -188,11 +188,12 @@ public static function get_site_info($serviceshortnames = array()) {
         // User quota. 0 means user can ignore the quota.
         $siteinfo['userquota'] = 0;
         if (!has_capability('moodle/user:ignoreuserquota', $context)) {
-            $siteinfo['userquota'] = $CFG->userquota;
+            $siteinfo['userquota'] = (int) $CFG->userquota; // Cast to int to ensure value is not higher than PHP_INT_MAX.
         }
 
         // User max upload file size. -1 means the user can ignore the upload file size.
-        $siteinfo['usermaxuploadfilesize'] = get_user_max_upload_file_size($context, $CFG->maxbytes);
+        // Cast to int to ensure value is not higher than PHP_INT_MAX.
+        $siteinfo['usermaxuploadfilesize'] = (int) get_user_max_upload_file_size($context, $CFG->maxbytes);
 
         // User home page.
         $siteinfo['userhomepage'] = get_home_page();

webservice/tests/externallib_test.php

@@ -161,4 +161,21 @@ public function test_get_site_info() {
 
     }
 
+    /**
+     * Test get_site_info with values > PHP_INT_MAX. We check only userquota since maxbytes require PHP ini changes.
+     */
+    public function test_get_site_info_max_int() {
+        $this->resetAfterTest(true);
+
+        self::setUser(self::getDataGenerator()->create_user());
+
+        // Check values higher than PHP_INT_MAX. This value may come from settings (as string).
+        $userquota = PHP_INT_MAX . '000';
+        set_config('userquota', $userquota);
+
+        $result = core_webservice_external::get_site_info();
+        $result = external_api::clean_returnvalue(core_webservice_external::get_site_info_returns(), $result);
+        $this->assertEquals(PHP_INT_MAX, $result['userquota']);
+    }
+
 }