1. 31 Aug, 2016 1 commit
  2. 22 Aug, 2016 1 commit
  3. 26 Jan, 2016 1 commit
  4. 14 Oct, 2013 1 commit
  5. 19 Sep, 2013 1 commit
  6. 12 Apr, 2013 1 commit
  7. 10 Oct, 2012 1 commit
    • Fix saved file permissions · e85c165f
      Hugh Davenport authored
      Bug #1057238
      CVE-2012-2244
      
      Currently, files that are saved by Mahara use the
      directorypermissions config option, which defaults to
      0700, which allows execution.
      
      This allows users to potentially upload files with
      executable bits set, and if they have control of the
      config options pathtoclam, pathtozip, or pathtounzip
      then they could run this command when one of those
      commands is invoked.
      
      This patch bitwise-ANDs the directory permissions
      config with 0666, which removes any executable bit
      and sets the result as a new config option
      filepermissions.
      
      A change to the upload code to use this new option is made
      
      Change-Id: I088d9873de7797d5a9aefc2401301f8b855ed592
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
  8. 24 Sep, 2012 1 commit
  9. 17 Aug, 2012 1 commit
  10. 30 Aug, 2011 1 commit
  11. 26 May, 2011 1 commit
  12. 13 May, 2011 1 commit
  13. 23 Dec, 2010 1 commit
  14. 20 Nov, 2009 1 commit
  15. 13 Jul, 2009 2 commits
  16. 11 Jun, 2009 1 commit
  17. 14 Apr, 2009 1 commit
  18. 08 Mar, 2009 2 commits
  19. 18 Feb, 2009 1 commit
  20. 13 Feb, 2009 1 commit
  21. 19 Nov, 2008 1 commit
  22. 16 Oct, 2008 1 commit
  23. 11 Feb, 2008 1 commit
  24. 13 Jan, 2008 1 commit
  25. 04 Dec, 2007 1 commit
  26. 24 Oct, 2007 1 commit
  27. 17 Aug, 2007 1 commit
    • Change to how table names are specified in SQL queries. · 250cf34d
      Nigel McNie authored
      Now, table names (and other identifiers that could be confused with SQL keywords) should be put into SQL like this:
      
      SELECT * FROM {artefact}
      
      The braces are matched and expanded by DML now to include the prefix and be properly quoted, which means that tables like 'view' and 'group' don't need renaming (and nor should they, there's little reason why we should rename tables to get around such constraints).
      
      This has removed a whole bunch of $prefix = ... and get_config('dbprefix') stuff, which makes things a little simpler yet again.
  28. 14 Feb, 2007 1 commit
  29. 31 Jan, 2007 3 commits
  30. 09 Jan, 2007 3 commits
  31. 04 Jan, 2007 1 commit
  32. 21 Dec, 2006 2 commits
  33. 13 Dec, 2006 1 commit