1. 14 Dec, 2012 1 commit
  2. 13 Dec, 2012 1 commit
  3. 12 Dec, 2012 1 commit
  4. 30 Nov, 2012 5 commits
  5. 28 Nov, 2012 2 commits
  6. 27 Nov, 2012 3 commits
  7. 23 Nov, 2012 1 commit
  8. 22 Nov, 2012 6 commits
  9. 21 Nov, 2012 1 commit
  10. 20 Nov, 2012 2 commits
  11. 15 Nov, 2012 1 commit
  12. 29 Oct, 2012 1 commit
  13. 19 Oct, 2012 1 commit
  14. 18 Oct, 2012 3 commits
  15. 17 Oct, 2012 1 commit
  16. 16 Oct, 2012 1 commit
    • Fix Leap2A import from Moodle · 9748c636
      Hugh Davenport authored

      Related to bug #1047111
      
      That bug fixed the XXE attack by setting the following to true
       libxml_disable_entity_loader
      
      This caused issues with the leap2a importer used by mnet, which
      used the simplexml_load to load the xml which relies on file
      based remote entities. For this situation, the following flag
      is used, which stops network based XXE attacks
       LIBXML_NONET
      
      Change-Id: I3d95ebc9c38374d339d66a80feaa39f5c15f1022
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
  17. 15 Oct, 2012 4 commits
  18. 10 Oct, 2012 5 commits
    • Escape pieform errors displayed to users · c3fb9200
      Hugh Davenport authored

      Bug #1063480
      CVE-2012-2243
      
      If a user modifies a form in such a way that an error
      is caused based on their input there is a possible XSS
      avenue.
      
      This was displayed in the user/group CSV uploads, with
      a malicious script in the header which causes a CSV parsing
      error and was then passed back to the user verbatim.
      
      This patch escapes all error messages in the pieform error
      output.
      
      Change-Id: I136546266115faa92b727317d6539518d73aea55
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
    • Escape user uploaded SVG files · 52e35d9d
      Hugh Davenport authored

      Bug #1061980
      CVE-2012-2247
      
      Before this patch, if a user uploaded HTML or XML files
      then tried to download them, or linked other users to download
      them, they would be presented with an escaped version along
      with a link to download the original.
      
      Unfortunately, an SVG file can possibly contain unsecure content,
      such as javascript, that would be run on the victim's browser.
      
      This patch adds SVG files (image/svg+xml) to the list of files
      to not display by default.
      
      Change-Id: I56e7c9d2a7d8de03b5b3be31f0ac44198547ea09
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
    • Fix Click-Jacking attack on account deletion page · b480b81a
      Hugh Davenport authored

      This attack has been mitigated by adding an HTTP header
      of X-Frame-Options to every page in Mahara.
      
      Bug #1057240
      CVE-2012-2246
      
      Change-Id: Ia15bb43c83054ffa5540d71fcc932266b92d288f
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
    • Fix up old file permissions to remove executable · f964a327
      Hugh Davenport authored

      Bug #1057238
      CVE-2012-2244
      
      In previous versions of Mahara, all the user uploaded files
      had the executable bit set. This patch runs an upgrade script
      to remove this executable bit.
      
      Change-Id: If4a3f5876f34bd2d38ff9edcd96b234271c2d1f6
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
    • Escape user uploaded XHTML files · 26c5cf07
      Hugh Davenport authored

      Bug #1055232
      CVE-2012-2243
      
      Before this patch, if a user uploaded HTML or XML files
      then tried to download them, or linked other users to download
      them, they would be presented with an escaped version along
      with a link to download the original.
      
      This did not include XHTML files, which can cause the same
      security issues as HTML or XML files. This patch includes the
      XHTML mimetype of application/xhtml+xml in the test of which
      files to escape.
      
      Change-Id: Iffb8308fdb56a173fd4af2bbda800999dd11fea3
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>