1. 22 Apr, 2016 1 commit
  2. 21 Apr, 2016 2 commits
  3. 13 Apr, 2016 1 commit
    • Aaron Wells's avatar
      Remove session.referer_check (Bug 1566366) · 90242956
      Aaron Wells authored
      This setting kills your Mahara session whenever you navigate
      to Mahara from a link or redirect on another page. This totally
      prevents SAML and other redirect-based auth methods from working,
      makes it annoying to use links in email, and while it is mentioned
      on the PHP manual's "Securing Sessions" page, it's only
      recommended there if you also have "session.use_trans_id" enabled,
      which we do not.
      Change-Id: I8b3b14bae8043c5004cc8f36766f2db9422eac1c
      behatnotneeded: Can't be tested by behat
      (cherry picked from commit 91807920)
      (cherry picked from commit c9b8ff02)
      (cherry picked from commit bcdd15ea)
  4. 05 Apr, 2016 1 commit
  5. 31 Mar, 2016 2 commits
  6. 30 Mar, 2016 1 commit
  7. 23 Mar, 2016 9 commits
  8. 22 Mar, 2016 1 commit
  9. 21 Mar, 2016 1 commit
    • Aaron Wells's avatar
      Adding some HTTP headers for security (Bug 1531987) · ef64adaa
      Aaron Wells authored
      X-XSS-Protection: Tells the browser not to disable XSS protection
      X-Content-Type-Options: Tells the browser not to try to guess at
      mimetypes of downloads
      X-Permitted-Cross-Domain-Policies: Tells Flash & PDF not to trust
      alternate crossdomain.xml files (which set the permissions on whether
      this site allows itself to be accessed by scripts in Flash & PDF).
      Prevents an attacker from uploading a more permissive crossdomain.xml
      X-Powered-By: PHP by default sends this header with the current full
      PHP version.
      behatnotneeded: Selenium can't examine HTTP response headers
      Change-Id: Ia2a6de971fc62b7d8806ad010aa0fbe37c1a7357
      (cherry picked from commit 29656f03)
  10. 18 Mar, 2016 1 commit
    • Aaron Wells's avatar
      Use $CFG->cacheversion for HTMLPurifier cache version · 1c654e04
      Aaron Wells authored
      Bug 1558387
      With this, we don't have to remember to bump HTML.DefinitionRev in
      html_clean(), or clear the htmlpurifier directory in dataroot.
      behatnotneeded: API change only
      Change-Id: I15cd291fd8e5d7d5c357f1595a89f34f44236e7d
  11. 16 Mar, 2016 1 commit
  12. 14 Mar, 2016 1 commit
    • Robert Lyon's avatar
      Fix bug in xmlrpc + $cfg->usersuniquebyusername · d22c3042
      Robert Lyon authored
      Bug 1556692: When used together, these can cause problems when
      the ID field from Moodle gets truncated to the default
      get_new_username() length of "30", when being inserted into
      usr.username in Mahara.
      behatnotneeded: Can't test Mnet in Behat
      Change-Id: Icdeb78b5298e7d63a0610987b0d8fad34e58d036
  13. 08 Mar, 2016 1 commit
  14. 03 Mar, 2016 1 commit
  15. 10 Feb, 2016 1 commit
  16. 18 Dec, 2015 1 commit
  17. 11 Dec, 2015 2 commits
  18. 10 Dec, 2015 6 commits
  19. 30 Nov, 2015 1 commit
    • Aaron Wells's avatar
      Make get_record warn instead of dying, by default · 59b55846
      Aaron Wells authored
      Bug 1515929: Usually when we use get_record(), we're
      querying against a record that has a uniqueness constraint
      guaranteeing that it is unique, in which case the PHP
      code that dies on non-uniqueness is redundant.
      In the remaining cases, we're dealing with records
      that for some reason can't have a uniqueness constraint,
      and the dying just causes the site to entirely stop
      working, when it would be more useful to have it continue
      to work but throw a warning message to the logs.
      behatnotneeded: Covered by existing test cases
      Change-Id: I264f72e3a8904293d78909410f68b29f2c78db3c
  20. 26 Nov, 2015 3 commits
  21. 25 Nov, 2015 2 commits