- 16 Oct, 2012 1 commit
-
-
Hugh Davenport authored
Related to bug #1047111. That bug fixed the XXE attack by setting the following to true: libxml_disable_entity_loader. This caused issues with the leap2a importer used by mnet, which used simplexml_load to load the xml, which relies on file-based remote entities. For this situation, the following flag is used, which stops network-based XXE attacks: LIBXML_NONET

Change-Id: I3d95ebc9c38374d339d66a80feaa39f5c15f1022
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
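As an added illustration of the choice this commit describes (example code, not Mahara's own and not part of the commit), the PHP below loads a document with LIBXML_NONET so that an external entity whose system identifier is a network URL is never fetched, while local entity handling that the importer relies on is left untouched. The sample document and the `.invalid` host are constructed here.

```php
<?php
// Added example, not Mahara's own code. Loads XML the way the commit describes:
// instead of libxml_disable_entity_loader(true), which also broke legitimate
// entity use in the leap2a importer, pass LIBXML_NONET so libxml refuses any
// network access while parsing.

function load_xml_nonet(string $xml): SimpleXMLElement|false
{
    // Route libxml errors into the internal buffer instead of PHP warnings.
    $previous = libxml_use_internal_errors(true);
    libxml_clear_errors();

    // LIBXML_NONET forbids network access during the load, so an entity whose
    // system identifier is an http:// or ftp:// URL is never retrieved.
    $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);

    libxml_use_internal_errors($previous);
    return $doc;
}

function describe_result(SimpleXMLElement|false $doc): string
{
    if ($doc === false) {
        $err = libxml_get_last_error();
        return 'refused: ' . ($err ? trim($err->message) : 'parse error');
    }
    // Without LIBXML_NOENT the reference stays an unexpanded entity node, so
    // the element text carries no remote content either way.
    return "loaded; entry text: '" . (string) $doc->entry . "'";
}

// Constructed sample document; the host is a reserved .invalid name, so no
// real server is involved even if the flag were missing.
$sample = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE feed [ <!ENTITY ext SYSTEM "http://example.invalid/entity.xml"> ]>
<feed><entry>&ext;</entry></feed>
XML;

echo describe_result(load_xml_nonet($sample)), PHP_EOL;
```

Depending on the libxml2 build, the load either fails with a network-access error or succeeds with the entity left unexpanded; in both cases the server makes no outbound request, which is the property the commit relies on.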
-
- 10 Oct, 2012 9 commits
-
-
Hugh Davenport authored
Bug #1063480 CVE-2012-2243

If a user modifies a form in such a way that an error is caused based on their input, there is a possible XSS avenue. This was displayed in the user/group CSV uploads, with a malicious script in the header which causes a CSV parsing error and was then passed back to the user verbatim. This patch escapes all error messages in the pieform error output.

Change-Id: I136546266115faa92b727317d6539518d73aea55
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
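An added example (not Mahara's pieform code, not part of the commit) of the failure this commit describes and of the fix: a CSV header supplied by the user ends up inside a parse error message, and the message is then rendered. The vulnerable renderer emits it verbatim; the fixed one HTML-escapes every error message at output. The parser, the renderer names and the sample upload are constructed for illustration.

```php
<?php
// Added example, not Mahara's own code. An error message that quotes user input
// (here a CSV header row) is interpolated into the form's error output. Escaping
// at the point of output stops that input from being rendered as markup.

// Parse the header row of an uploaded CSV and insist on the expected columns.
// Returns the column list, or throws with a message that quotes the bad header.
function parse_csv_header(string $csv, array $required): array
{
    $lines  = preg_split('/\r\n|\r|\n/', $csv);
    $first  = $lines[0] ?? '';
    $header = str_getcsv($first);
    foreach ($required as $col) {
        if (!in_array($col, $header, true)) {
            throw new InvalidArgumentException(
                'Missing column "' . $col . '" in header: ' . $first
            );
        }
    }
    return $header;
}

// Vulnerable rendering: the message reaches the browser verbatim.
function render_error_unescaped(string $message): string
{
    return '<div class="error">' . $message . '</div>';
}

// Fixed rendering: every error message is HTML-escaped before output.
function render_error_escaped(string $message): string
{
    $safe = htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="error">' . $safe . '</div>';
}

// Constructed sample upload: the header row carries markup instead of a column name.
$upload = "username,<b>not-a-column</b>\nalice,x\n";

try {
    parse_csv_header($upload, ['username', 'email']);
} catch (InvalidArgumentException $e) {
    echo 'unescaped: ', render_error_unescaped($e->getMessage()), PHP_EOL;
    echo 'escaped:   ', render_error_escaped($e->getMessage()), PHP_EOL;
}
```

The point of escaping in the renderer rather than in the parser is that every error path, not only the CSV one, then goes through the same encoding, which is what "escapes all error messages in the pieform error output" achieves.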
-
Hugh Davenport authored
Bug #1061980 CVE-2012-2247

Before this patch, if a user uploaded HTML or XML files then tried to download them, or linked other users to download them, they would be presented with an escaped version along with a link to download the original. Unfortunately, an SVG file can possibly contain insecure content, such as javascript, that would be run in the victim's browser. This patch adds SVG files (image/svg+xml) to the list of files to not display by default.

Change-Id: I56e7c9d2a7d8de03b5b3be31f0ac44198547ea09
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
-
Hugh Davenport authored
This attack has been mitigated by adding an HTTP header of X-Frame-Options to every page in Mahara.

Bug #1057240 CVE-2012-2246

Change-Id: Ia15bb43c83054ffa5540d71fcc932266b92d288f
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
-
Hugh Davenport authored
Bug #1057238 CVE-2012-2244

In previous versions of mahara, all the user uploaded files had the executable bit set. This patch runs an upgrade script to remove this executable bit.

Change-Id: If4a3f5876f34bd2d38ff9edcd96b234271c2d1f6
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
-
Hugh Davenport authored
Bug #1055232 CVE-2012-2243

Before this patch, if a user uploaded HTML or XML files then tried to download them, or linked other users to download them, they would be presented with an escaped version along with a link to download the original. This did not include XHTML files, which can cause the same security issues as HTML or XML files. This patch includes the XHTML mimetype of application/xhtml+xml in the test of which files to escape.

Change-Id: Iffb8308fdb56a173fd4af2bbda800999dd11fea3
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
-
Hugh Davenport authored
Bug #1057238 CVE-2012-2244

Currently, files that are saved by Mahara use the directorypermissions config option, which defaults to 0700, which allows execution. This allows users to potentially upload files with executable bits set, and if they have control of the config options pathtoclam, pathtozip, or pathtounzip then they could run this command when one of those commands is invoked. This patch bitwise-ANDs the directory permissions config with 0666, which removes any executable bit, and sets the result as a new config option filepermissions. A change to the upload code to use this new option is made.

Change-Id: I088d9873de7797d5a9aefc2401301f8b855ed592
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
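As an added example covering both this commit and the upgrade-script commit for the same bug above (illustrative PHP, not Mahara's own code or the actual upgrade script), the block below derives a non-executable file mode from the directory-permission setting by masking with 0666, applies it when storing an upload, and runs a pass over a data directory that clears stray execute bits on files already stored. The `$config` array, the function names and the temporary directory are constructed for the demonstration.

```php
<?php
// Added example, not Mahara's own code. Shows the two pieces the commits describe:
// deriving a non-executable file mode from directorypermissions, and an upgrade
// pass that clears execute bits on already-stored files. The $config values and
// the data directory used below are constructed for illustration.

function file_permissions_from(int $directorypermissions): int
{
    // Masking with 0666 keeps only the rw bits for owner, group and other; every
    // execute bit (and setuid/setgid/sticky) of the input is dropped.
    return $directorypermissions & 0666;
}

function has_exec_bit(int $mode): bool
{
    return ($mode & 0111) !== 0;
}

// Store an uploaded file with the derived mode instead of inheriting the umask.
function store_file(string $source, string $dest, int $filepermissions): bool
{
    if (!rename($source, $dest)) {
        return false;
    }
    return chmod($dest, $filepermissions);
}

// Upgrade pass: walk the data directory and clear execute bits on regular files.
// Returns the number of files changed.
function strip_exec_bits(string $dataroot, int $filepermissions): int
{
    $fixed = 0;
    $iter  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dataroot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $entry) {
        if ($entry->isFile() && has_exec_bit($entry->getPerms())) {
            if (chmod($entry->getPathname(), $filepermissions)) {
                $fixed++;
            }
        }
    }
    return $fixed;
}

// Demonstration on a temporary directory (constructed; not a real dataroot).
$config = ['directorypermissions' => 0700];   // the default named in the commit
$config['filepermissions'] = file_permissions_from($config['directorypermissions']);
printf("directorypermissions %04o -> filepermissions %04o\n",
    $config['directorypermissions'], $config['filepermissions']);

$dataroot = sys_get_temp_dir() . '/perm-demo-' . getmypid();
mkdir($dataroot, $config['directorypermissions'], true);

// A file stored the old way, with the directory mode applied to a file.
$old = $dataroot . '/upload.txt';
file_put_contents($old, "sample\n");
chmod($old, $config['directorypermissions']);
printf("before upgrade: %04o\n", fileperms($old) & 0777);

printf("files fixed: %d\n", strip_exec_bits($dataroot, $config['filepermissions']));
printf("after upgrade:  %04o\n", fileperms($old) & 0777);

// A new upload goes through store_file and never receives an execute bit.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "new upload\n");
store_file($tmp, $dataroot . '/new.txt', $config['filepermissions']);
clearstatcache();
printf("new upload:     %04o\n", fileperms($dataroot . '/new.txt') & 0777);

// Cleanup of the constructed directory.
array_map('unlink', glob($dataroot . '/*'));
rmdir($dataroot);
```

With the default of 0700 the mask yields 0600, so a stored file stays readable and writable by the owner only and is never executable, whatever the original directory setting contained.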
-
Hugh Davenport authored
Bug #1057238 CVE-2012-2244

When a site administrator can manipulate the path for the clamav scanner, they could produce either a reverse shell, or allow any user to execute arbitrary remote commands by setting it to an uploaded reverse shell, or to /bin/bash respectively. Other executable paths, namely pathtozip and pathtounzip, are only set via config.php, and not through the site admin interface. This option, pathtoclam, should follow the same design.

Change-Id: I7d4822c9f54eda80682d6631699c1ab40f1dc896
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
-
Hugh Davenport authored
-
Melissa Draper authored
New users were getting a token of "Array" set by default when their settings were populated. It was useless. Tokens were not being updated on the website. This was due to changes in the API which required the old token be passed when refreshing happened, and it was not being passed in the JSON reply.

Change-Id: Ie8425e439b0b59134825c7922cfa887e7ad49c8b
Signed-off-by: Melissa Draper <melissa@catalyst.net.nz>
-
- 05 Oct, 2012 1 commit
-
-
Kristina Hoeppner authored
on /view/acces.php and /view/share.php

Change-Id: I5d562b3cedbc2aa2521272162ed47dd49f118f47
Signed-off-by: Kristina D.C. Hoeppner <kristina@catalyst.net.nz>
-
- 03 Oct, 2012 1 commit
-
-
Son Nguyen authored
When switching from 'Group files' to 'My files' in the file browser, fix the 'editmeta' config value.

Change-Id: Ib559e26231f29b24fd18c9e5a40531bc20c59ee4
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>
-
- 27 Sep, 2012 4 commits
-
-
Hugh Davenport authored
Change-Id: I9719e22d2f99caee51590a8deb1293b19f011981
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
-
Son Nguyen authored
-
Son Nguyen authored
#1057226) Before getting the user's account preferences, make sure the Mahara site has been installed.

Change-Id: I49c8b12d5ed0b88c5856488ac9a11500c0cd6824
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>
-
Hugh Davenport authored
Bug #1055908

Change-Id: Id35ccb7eea03318070cb957559fc9726777524b4
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
-
- 26 Sep, 2012 1 commit
-
-
Hugh Davenport authored
-
- 25 Sep, 2012 2 commits
-
-
Melissa Draper authored
-
Hugh Davenport authored
Also add a few theme changes that allow some more features on small devices.
- Printing links
- Settings link in top right corner
- Create/copy page/collection link
- Edit/delete buttons
- Remove group members button
- Help icons
- Administration link

Also made the admin link show in full.

The items that are disabled when device detection is on and the user is on a mobile device are:
- TinyMCE editor
- Adding new blocks to pages, this is now a non-js version
- Dropdown menus
- Export functionality

Bug #1052060

Change-Id: I5a8fe3cf136bb0c3e76e50a2b3bc48179c675b6a
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
-
- 24 Sep, 2012 3 commits
-
-
Melissa Draper authored
-
Hugh Davenport authored
Bug #1055239

Change-Id: I021fd76ea0e967e3d7a634b46e4e0212c4c9704c
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
-
Son Nguyen authored
-
- 23 Sep, 2012 2 commits
-
-
Son Nguyen authored
-
Hugh Davenport authored
The width was created as the combined width of all the submenus, which have different widths dependent on the size of the screen. In CSS, there is a cutover at 600px (a media query), so this JS code to take elements off etc. should have the same cutover width.

Change-Id: Ibe71db1bee73e70960740ebcb7a1bb1a3179e436
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
-
- 21 Sep, 2012 1 commit
-
-
Evonne Cheung authored
- On the responsive theme, the "TABS" menu only dropped down on the arrow, not the title
- Fix issues with the tagged posts block

Change-Id: I7ed8af10975c641190f301edcce2d50832bccfad
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
-
- 20 Sep, 2012 2 commits
-
-
Son Nguyen authored
-
Evonne Cheung authored
The fullstop ran right into the link; add a space if there is a link.

Change-Id: I9b72d2cc109b891b3baa93d0791b71cb21927c23
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
-
- 19 Sep, 2012 4 commits
-
-
Hugh Davenport authored
This reverts commit 303409a1.
-
Hugh Davenport authored
This reverts commit c416b976.
-
Hugh Davenport authored
Change-Id: I56d983658fcf3ceb64b45657ace446276177abf5
-
Hugh Davenport authored
Bug #1052060

Change-Id: I5a8fe3cf136bb0c3e76e50a2b3bc48179c675b6a
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
-
- 18 Sep, 2012 1 commit
-
-
Son Nguyen authored
Change-Id: I58aa9833025de37e1970c16b67f4c3bc14cf17d4
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>
-
- 17 Sep, 2012 6 commits
-
-
Melissa Draper authored
-
Hugh Davenport authored
When not in a block (i.e. viewing one individual artefact) the blockid was appended to the container; this should be removed when not in block context.

Change-Id: I7c131b761ee8c1006164eb6c918bb67b5e785171
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
-
Hugh Davenport authored
-
Melissa Draper authored
The licence was updated by upstream, but there were functional changes to the library between our last update of it and the licence fix, which we did not include soon enough for adequate testing.

The upstream fix: https://github.com/pear/Image_Canvas/commit/99d4e285c

Change-Id: I305775009c3c226da40cc32194b792295f139566
Signed-off-by: Melissa Draper <melissa@catalyst.net.nz>
-
Hugh Davenport authored
-
Son Nguyen authored
(bug #1025135)

Add new lang string: 'duplicatepagetitle'. Make more room in the progress bar for long messages. This change does not affect the current responsive themes. All themes are still responsive after applying this patch.

Change-Id: I920378dda2fe41577ded745bf047db098109964b
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>
-
- 13 Sep, 2012 2 commits
-
-
Hugh Davenport authored
-
Hugh Davenport authored
Change-Id: I1b67268996515858a797e54adfff6d6fb6cafc9c
Signed-off-by: Melissa Draper <melissa@catalyst.net.nz>
-