1. 15 Jan, 2013 1 commit
    • Bug #1097564 Include contact information · 731e8115
      Ali Kaye authored
      
      
      Modified mahara.php and lib.php so that when
      a user with an expired account tries to log in
      they are told 'Sorry, your account has expired.
      You can contact the site administrator to have
      the account reactivated,' with a link to the
      'Contact Us' page.
      
      Change-Id: I6b461d40e37a88ac513649a1d4a6d83c5d3711a4
      Signed-off-by: Ali Kaye <alexandrakaye.student@wegc.school.nz>
  2. 27 Dec, 2012 1 commit
  3. 14 Dec, 2012 1 commit
  4. 13 Dec, 2012 1 commit
  5. 12 Dec, 2012 1 commit
  6. 30 Nov, 2012 5 commits
  7. 28 Nov, 2012 2 commits
  8. 27 Nov, 2012 3 commits
  9. 23 Nov, 2012 1 commit
  10. 22 Nov, 2012 6 commits
  11. 21 Nov, 2012 1 commit
  12. 20 Nov, 2012 2 commits
  13. 19 Nov, 2012 1 commit
  14. 15 Nov, 2012 1 commit
  15. 29 Oct, 2012 1 commit
  16. 19 Oct, 2012 1 commit
  17. 18 Oct, 2012 3 commits
  18. 17 Oct, 2012 1 commit
  19. 16 Oct, 2012 1 commit
    • Fix Leap2A import from Moodle · 9748c636
      Hugh Davenport authored
      
      
      Related to bug #1047111
      
      That bug fixed the XXE attack by setting the following to true
       libxml_disable_entity_loader
      
      This caused issues with the leap2a importer used by mnet, which
      used the simplexml_load to load the xml which relies on file
      based remote entities. For this situation, the following flag
      is used, which stops network based XXE attacks
       LIBXML_NONET
      
      Change-Id: I3d95ebc9c38374d339d66a80feaa39f5c15f1022
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
  20. 15 Oct, 2012 4 commits
  21. 10 Oct, 2012 2 commits
    • Escape pieform errors displayed to users · c3fb9200
      Hugh Davenport authored
      
      
      Bug #1063480
      CVE-2012-2243
      
      If a user modifies a form in such a way that an error
      is caused based on their input there is a possible XSS
      avenue.
      
      This was displayed in the user/group CSV uploads, with
      a malicious script in the header which causes a CSV parsing
      error and was then passed back to the user verbatim.
      
      This patch escapes all error messages in the pieform error
      output.
      
      Change-Id: I136546266115faa92b727317d6539518d73aea55
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
    • Escape user uploaded SVG files · 52e35d9d
      Hugh Davenport authored
      
      
      Bug #1061980
      CVE-2012-2247
      
      Before this patch, if a user uploaded HTML or XML files
      then tried to download them, or linked other users to download
      them, they would be presented with an escaped version along
      with a link to download the original.
      
      Unfortunately, an SVG file can possibly contain unsecure content,
      such as JavaScript, that would be run on the victim's browser.
      
      This patch adds SVG files (image/svg+xml) to the list of files
      to not display by default.
      
      Change-Id: I56e7c9d2a7d8de03b5b3be31f0ac44198547ea09
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>