1. 15 Jan, 2013 2 commits
  2. 27 Dec, 2012 1 commit
  3. 14 Dec, 2012 1 commit
  4. 13 Dec, 2012 1 commit
  5. 12 Dec, 2012 1 commit
  6. 30 Nov, 2012 5 commits
  7. 28 Nov, 2012 2 commits
  8. 27 Nov, 2012 3 commits
  9. 23 Nov, 2012 1 commit
  10. 22 Nov, 2012 6 commits
  11. 21 Nov, 2012 1 commit
  12. 20 Nov, 2012 2 commits
  13. 19 Nov, 2012 1 commit
  14. 15 Nov, 2012 1 commit
  15. 29 Oct, 2012 1 commit
  16. 19 Oct, 2012 1 commit
  17. 18 Oct, 2012 3 commits
  18. 17 Oct, 2012 1 commit
  19. 16 Oct, 2012 1 commit
    • Fix Leap2A import from Moodle · 9748c636
      Hugh Davenport authored
      
      
      Related to bug #1047111
      
      That bug fixed the XXE attack by setting the following to true
       libxml_disable_entity_loader
      
      This caused issues with the leap2a importer used by mnet, which
      used the simplexml_load to load the xml which relies on file
      based remote entities. For this situation, the following flag
      is used, which stops network based XXE attacks
       LIBXML_NONET
      
      Change-Id: I3d95ebc9c38374d339d66a80feaa39f5c15f1022
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
  20. 15 Oct, 2012 4 commits
  21. 10 Oct, 2012 1 commit
    • Escape pieform errors displayed to users · c3fb9200
      Hugh Davenport authored
      
      
      Bug #1063480
      CVE-2012-2243
      
      If a user modifies a form in such a way that an error
      is caused based on their input there is a possible XSS
      avenue.
      
      This was displayed in the user/group CSV uploads, with
      a malicious script in the header which causes a CSV parsing
      error and was then passed back to the user verbatim.
      
      This patch escapes all error messages in the pieform error
      output.
      
      Change-Id: I136546266115faa92b727317d6539518d73aea55
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>