From c851ee5ddb71c17e7897370bdded4625170fdd25 Mon Sep 17 00:00:00 2001
From: Juan Leyva
Date: Mon, 30 Oct 2017 15:55:49 +0100
Subject: [PATCH] MDL-53501 webservice: Avoid values higher than PHP_INT_MAX

Integers coming from site settings needs casting to int to avoid returning values higher than PHP_INT_MAX.
---
 webservice/externallib.php | 5 +++--
 webservice/tests/externallib_test.php | 17 +++++++++++++++++
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/webservice/externallib.php b/webservice/externallib.php
index b091147691e90..6d0c3f03d9549 100644
--- a/webservice/externallib.php
+++ b/webservice/externallib.php
@@ -188,11 +188,12 @@ public static function get_site_info($serviceshortnames = array()) {
 // User quota. 0 means user can ignore the quota.
 $siteinfo['userquota'] = 0;
 if (!has_capability('moodle/user:ignoreuserquota', $context)) {
- $siteinfo['userquota'] = $CFG->userquota;
+ $siteinfo['userquota'] = (int) $CFG->userquota; // Cast to int to ensure value is not higher than PHP_INT_MAX.
 }

 // User max upload file size. -1 means the user can ignore the upload file size.
- $siteinfo['usermaxuploadfilesize'] = get_user_max_upload_file_size($context, $CFG->maxbytes);
+ // Cast to int to ensure value is not higher than PHP_INT_MAX.
+ $siteinfo['usermaxuploadfilesize'] = (int) get_user_max_upload_file_size($context, $CFG->maxbytes);

 // User home page.
 $siteinfo['userhomepage'] = get_home_page();
diff --git a/webservice/tests/externallib_test.php b/webservice/tests/externallib_test.php
index b5bea8ddb2376..f9122c67bebc7 100644
--- a/webservice/tests/externallib_test.php
+++ b/webservice/tests/externallib_test.php
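Review bot: In webservice/externallib.php the new `(int) $CFG->userquota` cast also maps an empty or non-numeric setting to 0, and the comment at the top of the hunk reserves 0 for "user can ignore the quota", so a malformed setting would read to clients as "no quota" instead of surfacing as an error. The cast on `get_user_max_upload_file_size()` has a related caveat: numeric strings above PHP_INT_MAX saturate on cast, but an out-of-range float is not guaranteed to convert to PHP_INT_MAX, so it is worth confirming what type that helper can return. I would check the setting before casting, e.g. `if (!is_numeric($CFG->userquota)) { debugging('userquota setting is not numeric', DEBUG_DEVELOPER); }`, and extend the trailing comment to `// Numeric strings above PHP_INT_MAX saturate on cast; 0 stays reserved for "can ignore quota".` The body of get_site_info() starts and ends outside this hunk.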
@@ -161,4 +161,21 @@ public function test_get_site_info() {

 }

+ /**
+ * Test get_site_info with values > PHP_INT_MAX. We check only userquota since maxbytes require PHP ini changes.
+ */
+ public function test_get_site_info_max_int() {
+ $this->resetAfterTest(true);
+
+ self::setUser(self::getDataGenerator()->create_user());
+
+ // Check values higher than PHP_INT_MAX. This value may come from settings (as string).
+ $userquota = PHP_INT_MAX . '000';
+ set_config('userquota', $userquota);
+
+ $result = core_webservice_external::get_site_info();
+ $result = external_api::clean_returnvalue(core_webservice_external::get_site_info_returns(), $result);
+ $this->assertEquals(PHP_INT_MAX, $result['userquota']);
+ }
+
 }
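Review bot: The final assertion in test_get_site_info_max_int() uses `assertEquals`, which compares loosely and may not notice if `userquota` came back as a float or a numeric string rather than an int; since the fix is about the integer type and range, `$this->assertSame(PHP_INT_MAX, $result['userquota']);` pins both. The check also runs only on the value after `clean_returnvalue()`, so asserting on the raw `get_site_info()` result as well would show that the cast in the service, rather than the return-value cleaning, produces the clamp. A second case with a non-numeric `userquota` setting would document what the service reports for a malformed value.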