  2. 10 Oct, 2012 3 commits
      Escape user uploaded SVG files · 228a48da
      Hugh Davenport authored
      Bug #1061980
      CVE-2012-2247
      
      Before this patch, if a user uploaded HTML or XML files
      then tried to download them, or linked other users to download
      them, they would be presented with an escaped version along
      with a link to download the original.
      
      Unfortunately, an SVG file can possibly contain insecure content,
      such as JavaScript, that would be run in the victim's browser.
      
      This patch adds SVG files (image/svg+xml) to the list of files
      to not display by default.
      
      Change-Id: I56e7c9d2a7d8de03b5b3be31f0ac44198547ea09
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
      Escape user uploaded XHTML files · 4068b7a8
      Hugh Davenport authored
      Bug #1055232
      CVE-2012-2243
      
      Before this patch, if a user uploaded HTML or XML files
      then tried to download them, or linked other users to download
      them, they would be presented with an escaped version along
      with a link to download the original.
      
      This did not include XHTML files, which can cause the same
      security issues as HTML or XML files. This patch includes the
      XHTML mimetype of application/xhtml+xml in the test of which
      files to escape.
      
      Change-Id: Iffb8308fdb56a173fd4af2bbda800999dd11fea3
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
      Fix saved file permissions · 2e80c7db
      Hugh Davenport authored
      Bug #1057238
      CVE-2012-2244
      
      Currently, files that are saved by Mahara use the
      directorypermissions config option, which defaults to
      0700, which allows execution.
      
      This allows users to potentially upload files with
      executable bits set, and if they have control of the
      config options pathtoclam, pathtozip, or pathtounzip
      then they could run this command when one of those
      commands is invoked.
      
      This patch bitwise-ANDs the directory permissions
      config with 0666, which removes any executable bit
      and sets the result as a new config option
      filepermissions.
      
      A change to the upload code to use this new option is made.
      
      Change-Id: I088d9873de7797d5a9aefc2401301f8b855ed592
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
  5. 18 Nov, 2011 1 commit
      Trim directory names before they are made (bug #813905) · ff3fd0e4
      Melissa Draper authored
      There are several places in the code where we make directories
      for stuff, both in the filesystem and in the artefacts table.
      If they have trailing spaces, then this can mess up users' HTML
      exports etc. This patch should make exports safe for existing
      folders with whitespace at the end, and prevent new folders
      from being made with the problem.
      
      Change-Id: Ia593f7f773e5ffe91ce74e8a736074b1fe1026b2
      Signed-off-by: Melissa Draper <melissa@catalyst.net.nz>