From b4400125ac6e02dd8f7ab2958c90470428ad7bfe Mon Sep 17 00:00:00 2001
From: Yannick Warnier
Date: Tue, 8 Oct 2024 16:45:50 +0200
Subject: [PATCH] Security: Avoid error in catalogue when attempted hack in course code - refs BT#22085
---
 main/auth/courses.php | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/main/auth/courses.php b/main/auth/courses.php
index 1ddb2ab17d0..b5f52fb33e2 100755
--- a/main/auth/courses.php
+++ b/main/auth/courses.php
@@ -67,14 +67,23 @@
 }
 if (Security::check_token('get')) {
 $courseInfo = api_get_course_info($courseCodeToSubscribe);
- CourseManager::autoSubscribeToCourse($courseCodeToSubscribe);
- $redirectionTarget = CoursesAndSessionsCatalog::generateRedirectUrlAfterSubscription(
- $courseInfo['course_public_url']
- );
+ if (!empty($courseInfo)) {
+ CourseManager::autoSubscribeToCourse($courseCodeToSubscribe);
+ $redirectionTarget = CoursesAndSessionsCatalog::generateRedirectUrlAfterSubscription(
+ $courseInfo['course_public_url']
+ );
 
- header("Location: $redirectionTarget");
- exit;
+ header("Location: $redirectionTarget");
+ exit;
+ }
 }
+ Display::addFlash(
+ Display::return_message(get_lang('NoResults'), 'warning')
+ );
+ CoursesAndSessionsCatalog::displayCoursesList('search_course', $searchTerm, $categoryCode);
+
+ exit;
+
 break;
 case 'subscribe_course_validation':
 $toolTitle = get_lang('Subscribe');
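Review bot: The fallback added after the `if (Security::check_token('get'))` block runs for two different failures, a rejected token and a course code that `api_get_course_info()` cannot resolve, and reports both to the user as `NoResults` without recording either. Since the commit title treats the empty `$courseInfo` case as a tampering attempt, consider separating the two paths, or at least documenting the shared one with `// Reached on a failed token check or an unknown course code: show the catalogue with a warning, never subscribe.` `$searchTerm` and `$categoryCode` are not assigned anywhere in the visible lines, so confirm they are set before this case is reached. The `break;` that follows the new `exit;` is unreachable and can be dropped. The enclosing `case` starts outside the hunk.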