Skip to content

GitLab

Commit 75f4fd25 authored by Robert Lyon's avatar Robert Lyon Committed by Gerrit Code Review
Browse files

Merge "Bug 1692749: Security: Stop event log having plain text passwords"

parents fe09b567 433ab8e6
Hide whitespace changes
Inline Side-by-side
Showing with 29 additions and 1 deletion
htdocs/lib/db/upgrade.php
View file @ 75f4fd25
......@@ -4975,5 +4975,30 @@ function xmldb_core_upgrade($oldversion=0) {
}
}
if ($oldversion < 2017052300) {
if ($records = get_records_sql_array("SELECT event, data, time FROM {event_log} WHERE event = ?", array('createuser'))) {
log_debug('Remove sensitive data from event_log');
$count = 0;
$limit = 1000;
$total = count($records);
foreach ($records as $record) {
$where = clone $record;
$data = json_decode($record->data);
if (isset($data->password)) {
unset($data->password);
$cleandata = json_encode($data);
$record->data = $cleandata;
update_record('event_log', $record, $where);
set_field('usr', 'passwordchange', 1, 'username', $data->username);
}
$count++;
if (($count % $limit) == 0 || $count == $total) {
log_debug("$count/$total");
set_time_limit(30);
}
}
}
}
return $status;
}
htdocs/lib/mahara.php
View file @ 75f4fd25
......@@ -1869,6 +1869,9 @@ function handle_event($event, $data) {
);
}
else if (is_object($data)) {
if (isset($data->password)) {
unset($data->password);
}
$data = (array)$data;
}
else if (is_numeric($data)) {
......
htdocs/lib/version.php
View file @ 75f4fd25
......@@ -16,7 +16,7 @@ $config = new stdClass();
// See https://wiki.mahara.org/wiki/Developer_Area/Version_Numbering_Policy
// For upgrades on stable branches, increment the version by one. On master, use the date.
$config->version = 2017051100;
$config->version = 2017052300;
$config->series = '17.10';
$config->release = '17.10dev';
$config->minupgradefrom = 2012080604;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment