1. 15 Jan, 2013 1 commit
    • Bug #1097564 Include contact information · 731e8115
      Ali Kaye authored
      
      
      Modified mahara.php and lib.php so that when
       a user with an expired account tries to log in
      they are told 'Sorry, your account has expired.
      You can contact the site administrator to have
      the account reactivated,' with a link to the
      'Contact Us' page.
      
      Change-Id: I6b461d40e37a88ac513649a1d4a6d83c5d3711a4
      Signed-off-by: Ali Kaye <alexandrakaye.student@wegc.school.nz>
  2. 14 Dec, 2012 1 commit
  3. 13 Dec, 2012 1 commit
  4. 12 Dec, 2012 1 commit
  5. 30 Nov, 2012 2 commits
  6. 28 Nov, 2012 1 commit
    • Explicitly set the default SSL_VERIFYHOST value · 4d6937da
      Francois Marier authored
      
      
      The default value is 2 in most versions of PHP so this change
      should have no effect.
      
      However, if it were set to anything other than that, the certificate
      verification would be meaningless since you could create a MITM
      attack easily by swapping in a valid cert for any hostname.
      
      Change-Id: I86156bad43507d9393f06b1f821a050e720b353f
      Signed-off-by: Francois Marier <francois@mozilla.com>
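The hostname-check point in the commit above, as an added example that is not Mahara's own code: a cURL option builder that sets CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST explicitly, plus a guard that refuses an options array that has been weakened. The function names, the $cabundle parameter and the URL are assumptions for this illustration.

```php
<?php
// Added example, not Mahara's code: build cURL options with peer AND
// hostname verification stated explicitly instead of trusting the default.
// secure_curl_options(), curl_options_are_strict() and $cabundle are assumed.

function secure_curl_options(string $url, ?string $cabundle = null): array {
    $opts = [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        // Check the certificate chain against the trusted CAs ...
        CURLOPT_SSL_VERIFYPEER => true,
        // ... and require that the certificate's name matches the host in
        // $url. With 0 here, any valid certificate (issued for any name) is
        // accepted, which is the MITM case the commit message describes.
        CURLOPT_SSL_VERIFYHOST => 2,
    ];
    if ($cabundle !== null) {
        $opts[CURLOPT_CAINFO] = $cabundle;  // explicit CA bundle, if configured
    }
    return $opts;
}

// Guard for a deployment self-test: reject an options array that has been
// weakened, e.g. by a stray curl_setopt() elsewhere in the code base.
function curl_options_are_strict(array $opts): bool {
    return ($opts[CURLOPT_SSL_VERIFYPEER] ?? false) === true
        && ($opts[CURLOPT_SSL_VERIFYHOST] ?? 0) === 2;
}

$opts = secure_curl_options('https://example.org/api');   // assumed URL
if (!curl_options_are_strict($opts)) {
    throw new RuntimeException('TLS verification has been weakened');
}
$ch = curl_init();
curl_setopt_array($ch, $opts);
$body = curl_exec($ch);
if ($body === false) {
    // A bad chain or a name mismatch fails here rather than being accepted.
    error_log('curl failed: ' . curl_error($ch));
}
curl_close($ch);
```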
  7. 27 Nov, 2012 1 commit
  8. 22 Nov, 2012 1 commit
    • Bug #1079498: Fix XSS in pagination URL · 96278d74
      Hugh Davenport authored
      Currently, the url of a pagination (used for the prev/next links as
      well as the numbered pages, and also the POST action in the form tag
      used for selecting a variable limit, added in the commit listed below)
      was not sanitized on output. This was discovered from the group member
      search page which passed in the query as a GET parameter in the URL for
      the pages. This uses slightly different code to some of the newer
      paginations, but it may affect other places that use similar era
      pagination setup.
      
      The commit introducing the new selector for a variable limit was
       f3162f80
      
      This patch fixes this by sanitizing the url on output, in both the form
      tag and the prev/next and numbered links.
      
      CVE-2012-2253
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
      Change-Id: Id9ed08ef5e61b12580e28f4b18975b2c409b594d
  9. 21 Nov, 2012 1 commit
  10. 20 Nov, 2012 2 commits
  11. 19 Nov, 2012 1 commit
  12. 15 Nov, 2012 1 commit
  13. 18 Oct, 2012 1 commit
  14. 17 Oct, 2012 1 commit
  15. 16 Oct, 2012 1 commit
    • Fix Leap2A import from Moodle · 9748c636
      Hugh Davenport authored
      
      
      Related to bug #1047111
      
      That bug fixed the XXE attack by setting the following to true
       libxml_disable_entity_loader
      
      This caused issues with the leap2a importer used by mnet, which
      used the simplexml_load to load the xml which relies on file
      based remote entities. For this situation, the following flag
      is used, which stops network based XXE attacks
       LIBXML_NONET
      
      Change-Id: I3d95ebc9c38374d339d66a80feaa39f5c15f1022
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
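An added example (not Mahara's importer code) of the LIBXML_NONET approach the commit above describes: a loader that parses a Leap2A document with network access blocked during parsing, while leaving the entity loader itself enabled so file-based entities still work. load_leap2a() and the sample feed are constructed for this illustration.

```php
<?php
// Added example, not Mahara's code: parse Leap2A XML with LIBXML_NONET
// (no network during parsing) instead of disabling the entity loader
// globally, which broke the mnet importer's file-based entities.
// load_leap2a() and the feed below are constructed for this example.

function load_leap2a(string $xml): SimpleXMLElement {
    $prev = libxml_use_internal_errors(true);
    // LIBXML_NONET: libxml makes no network requests while parsing, so a
    // SYSTEM entity pointing at an http:// URL is never fetched.
    // LIBXML_NOENT is deliberately NOT set, so entity references are not
    // substituted into the content either.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($doc === false) {
        $msg = $errors ? trim($errors[0]->message) : 'unknown error';
        throw new InvalidArgumentException("Leap2A parse failed: $msg");
    }
    return $doc;
}

// Constructed minimal Leap2A-style feed (Atom with the leap2 namespace).
$feed = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:leap2="http://terms.leapspecs.org/">
  <entry>
    <id>portfolio:entry1</id>
    <title>Example entry</title>
    <content type="text">Hello from Moodle</content>
  </entry>
</feed>
XML;

$doc = load_leap2a($feed);
foreach ($doc->entry as $entry) {
    // Atom children live in the feed's default namespace, which SimpleXML
    // follows automatically for the -> accessor.
    echo (string) $entry->id, ': ', (string) $entry->title, "\n";
}
```

On PHP 8.0 and later libxml_disable_entity_loader() is deprecated and, with libxml 2.9 and newer, external entity loading is already off by default, so stating LIBXML_NONET per call is the portable way to express the intent.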
  16. 15 Oct, 2012 3 commits
  17. 10 Oct, 2012 8 commits
    • Escape pieform errors displayed to users · c3fb9200
      Hugh Davenport authored
      
      
      Bug #1063480
      CVE-2012-2243
      
      If a user modifies a form in such a way that an error
      is caused based on their input there is a possible XSS
      avenue.
      
      This was displayed in the user/group CSV uploads, with
      a malicious script in the header which causes a CSV parsing
      error and was then passed back to the user verbatim.
      
      This patch escapes all error messages in the pieform error
      output.
      
      Change-Id: I136546266115faa92b727317d6539518d73aea55
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
    • Escape user uploaded SVG files · 52e35d9d
      Hugh Davenport authored
      
      
      Bug #1061980
      CVE-2012-2247
      
      Before this patch, if a user uploaded HTML or XML files
      then tried to download them, or linked other users to download
      them, they would be presented with an escaped version along
      with a link to download the original.
      
      Unfortunately, an SVG file can possibly contain insecure content,
      such as javascript, that would be run on the victim's browser.
      
      This patch adds SVG files (image/svg+xml) to the list of files
      to not display by default.
      
      Change-Id: I56e7c9d2a7d8de03b5b3be31f0ac44198547ea09
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
    • Fix Click-Jacking attack on account deletion page · b480b81a
      Hugh Davenport authored
      
      
      This attack has been mitigated by adding an HTTP header
      of X-Frame-Options to every page in Mahara.
      
      Bug #1057240
      CVE-2012-2246
      
      Change-Id: Ia15bb43c83054ffa5540d71fcc932266b92d288f
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
    • Fix up old file permissions to remove executable · f964a327
      Hugh Davenport authored
      
      
      Bug #1057238
      CVE-2012-2244
      
      In previous versions of mahara, all the user uploaded files
      had the executable bit set. This patch runs an upgrade script
      to remove this executable bit.
      
      Change-Id: If4a3f5876f34bd2d38ff9edcd96b234271c2d1f6
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
    • Escape user uploaded XHTML files · 26c5cf07
      Hugh Davenport authored
      
      
      Bug #1055232
      CVE-2012-2243
      
      Before this patch, if a user uploaded HTML or XML files
      then tried to download them, or linked other users to download
      them, they would be presented with an escaped version along
      with a link to download the original.
      
      This did not include XHTML files, which can cause the same
      security issues as HTML or XML files. This patch includes the
      XHTML mimetype of application/xhtml+xml in the test of which
      files to escape.
      
      Change-Id: Iffb8308fdb56a173fd4af2bbda800999dd11fea3
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
    • Fix saved file permissions · e85c165f
      Hugh Davenport authored
      
      
      Bug #1057238
      CVE-2012-2244
      
      Currently, files that are saved by Mahara use the
      directorypermissions config option, which defaults to
      0700, which allows execution.
      
      This allows users to potentially upload files with
      executable bits set, and if they have control of the
      config options pathtoclam, pathtozip, or pathtounzip
      then they could run this command when one of those
      commands is invoked.
      
      This patch bitwise-AND's the directory permissions
      config with 0666, which removes any executable bit
      and sets the result as a new config option
      filepermissions.
      
      A change to the upload code to use this new option is made.
      
      Change-Id: I088d9873de7797d5a9aefc2401301f8b855ed592
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
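The two CVE-2012-2244 permission commits above (the 0666 mask that derives filepermissions from directorypermissions for newly saved files, and the upgrade script that strips the executable bit from files already on disk), as one added example that is not Mahara's code: derive_file_permissions(), save_upload() and strip_exec_bits() are assumed names, and $dataroot is a placeholder path.

```php
<?php
// Added example, not Mahara's code: derive a non-executable file mode from
// the directory mode (the commit's "& 0666"), apply it when saving uploads,
// and strip execute bits from files written before the fix.
// Function names and $dataroot are assumptions for this illustration.

function derive_file_permissions(int $directorypermissions): int {
    // 0666 contains no execute bits, so AND-ing with it clears them while
    // keeping the read/write bits the admin chose: 0700 -> 0600, 0755 -> 0644.
    return $directorypermissions & 0666;
}

function save_upload(string $tmpfile, string $dest, int $filepermissions): bool {
    if (!move_uploaded_file($tmpfile, $dest)) {
        return false;
    }
    // Set the mode explicitly rather than inheriting whatever the temp file had.
    return chmod($dest, $filepermissions);
}

// Upgrade step for existing data: walk the data directory and remove any
// execute bit (owner, group, other) from regular files. Returns the count.
function strip_exec_bits(string $dataroot): int {
    $fixed = 0;
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dataroot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $mode = $file->getPerms() & 0777;
        if ($mode & 0111) {
            chmod($file->getPathname(), $mode & ~0111);
            $fixed++;
        }
    }
    return $fixed;
}

$filepermissions = derive_file_permissions(0700);          // 0600
printf("filepermissions = %04o\n", $filepermissions);
$dataroot = '/path/to/dataroot';                            // placeholder
printf("files fixed: %d\n", strip_exec_bits($dataroot));
```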
    • Remove clamav from site admin options · 2de4e22a
      Hugh Davenport authored
      
      
      Bug #1057238
      CVE-2012-2244
      
      When a site administrator can manipulate the path for the
      clamav scanner, they could produce either a reverse shell,
      or allow any user to execute arbitrary remote commands by
      setting it to an uploaded reverse shell, or to /bin/bash
      respectively.
      
      Other executable paths, namely pathtozip and pathtounzip,
      are only set via config.php, and not through the site admin
      interface. This option, pathtoclam, should follow the same
      design.
      
      Change-Id: I7d4822c9f54eda80682d6631699c1ab40f1dc896
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
    • Fix regression with mobile upload token (Bug #1057878) · c73233ef
      Melissa Draper authored
      
      
      New users were getting a token of "Array" set by default
      when their settings were populated. It was useless.
      
      Tokens were not being updated on the website. This was
      due to changes in the api which required the old token
      be passed when refreshing happened, and it was not
      being passed in the json reply.
      
      Change-Id: Ie8425e439b0b59134825c7922cfa887e7ad49c8b
      Signed-off-by: Melissa Draper <melissa@catalyst.net.nz>
  18. 05 Oct, 2012 1 commit
  19. 03 Oct, 2012 2 commits
  20. 27 Sep, 2012 3 commits
  21. 25 Sep, 2012 1 commit
    • Add option to disable device detection · 109eb4a5
      Hugh Davenport authored
      
      
      Also add a few theme changes that allow some more
      features on small devices.
      - Printing links
      - Settings link in top right corner
      - Create/copy page/collection link
      - Edit/delete buttons
      - Remove group members button
      - Help icons
      - Administration link
      
      Also made the admin link show in full
      
      The items that are disabled when device detection is on
      and user is on a mobile device are:
      - TinyMCE editor
      - Adding new blocks to pages, this is now a non-js version
      - Dropdown menus
      - Export functionality
      
      Bug #1052060
      
      Change-Id: I5a8fe3cf136bb0c3e76e50a2b3bc48179c675b6a
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
  22. 24 Sep, 2012 1 commit
  23. 23 Sep, 2012 1 commit
    • Fix width of responsive menu (Bug #1052071) · 44e8326b
      Hugh Davenport authored
      
      
      The width was created as the combined width of all the
      submenus, which have different widths dependent on size
      of screen.
      
      In CSS, there is a cutover at 600px (a media query), so
      this JS code to take elements off etc, should have the
      same cutover width.
      
      Change-Id: Ibe71db1bee73e70960740ebcb7a1bb1a3179e436
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
  24. 21 Sep, 2012 1 commit
  25. 20 Sep, 2012 1 commit
  26. 19 Sep, 2012 1 commit