1. 02 May, 2016 1 commit
  2. 01 May, 2016 1 commit
  3. 29 Apr, 2016 1 commit
      PHP7 changes the type required for exception handler · ede1f0b9
      Aaron Wells authored and Robert Lyon committed
      Bug 1575969. In PHP7 some errors throw an Error object (to
      the exception handler) instead of generating an error
      (handled by the error handler). The official way to make
      an exception handler that will work in PHP 5 & 7, is to
      leave off the parameter's type declaration.
      Change-Id: I5fc1c3765d5a311eb499d62915e676f8d9ee07a0
      behatnotneeded: Covered by existing tests
      (cherry picked from commit c3d7f4f6)
  4. 28 Apr, 2016 1 commit
  5. 22 Apr, 2016 1 commit
  6. 21 Apr, 2016 2 commits
  7. 13 Apr, 2016 1 commit
      Remove session.referer_check (Bug 1566366) · 90242956
      Aaron Wells authored and Robert Lyon committed
      This setting kills your Mahara session whenever you navigate
      to Mahara from a link or redirect on another page. This totally
      prevents SAML and other redirect-based auth methods from working,
      makes it annoying to use links in email, and while it is mentioned
      on the PHP manual's "Securing Sessions" page, it's only
      recommended there if you also have "session.use_trans_id" enabled,
      which we do not.
      Change-Id: I8b3b14bae8043c5004cc8f36766f2db9422eac1c
      behatnotneeded: Can't be tested by behat
      (cherry picked from commit 91807920)
      (cherry picked from commit c9b8ff02)
      (cherry picked from commit bcdd15ea)
  8. 05 Apr, 2016 1 commit
  9. 31 Mar, 2016 2 commits
  10. 30 Mar, 2016 1 commit
  11. 23 Mar, 2016 9 commits
  12. 22 Mar, 2016 1 commit
  13. 21 Mar, 2016 1 commit
      Adding some HTTP headers for security (Bug 1531987) · ef64adaa
      Aaron Wells authored and Robert Lyon committed
      X-XSS-Protection: Tells the browser not to disable XSS protection
      X-Content-Type-Options: Tells the browser not to try to guess at
      mimetypes of downloads
      X-Permitted-Cross-Domain-Policies: Tells Flash & PDF not to trust
      alternate crossdomain.xml files (which set the permissions on whether
      this site allows itself to be accessed by scripts in Flash & PDF).
      Prevents an attacker from uploading a more permissive crossdomain.xml
      X-Powered-By: PHP by default sends this header with the current full
      PHP version.
      behatnotneeded: Selenium can't examine HTTP response headers
      Change-Id: Ia2a6de971fc62b7d8806ad010aa0fbe37c1a7357
      (cherry picked from commit 29656f03)
  14. 18 Mar, 2016 1 commit
      Use $CFG->cacheversion for HTMLPurifier cache version · 1c654e04
      Aaron Wells authored and Robert Lyon committed
      Bug 1558387
      With this, we don't have to remember to bump HTML.DefinitionRev in
      html_clean(), or clear the htmlpurifier directory in dataroot.
      behatnotneeded: API change only
      Change-Id: I15cd291fd8e5d7d5c357f1595a89f34f44236e7d
  15. 16 Mar, 2016 1 commit
  16. 14 Mar, 2016 1 commit
      Fix bug in xmlrpc + $cfg->usersuniquebyusername · d22c3042
      Robert Lyon authored
      Bug 1556692: When used together, these can cause problems when
      the ID field from Moodle gets truncated to the default
      get_new_username() length of "30", when being inserted into
      usr.username in Mahara.
      behatnotneeded: Can't test Mnet in Behat
      Change-Id: Icdeb78b5298e7d63a0610987b0d8fad34e58d036
  17. 08 Mar, 2016 1 commit
  18. 03 Mar, 2016 1 commit
  19. 10 Feb, 2016 1 commit
  20. 18 Dec, 2015 1 commit
  21. 11 Dec, 2015 2 commits
  22. 10 Dec, 2015 6 commits
  23. 30 Nov, 2015 1 commit
      Make get_record warn instead of dying, by default · 59b55846
      Aaron Wells authored
      Bug 1515929: Usually when we use get_record(), we're
      querying against a record that has a uniqueness constraint
      guaranteeing that it is unique, in which case the PHP
      code that dies on non-uniqueness is redundant.
      In the remaining cases, we're dealing with records
      that for some reason can't have a uniqueness constraint,
      and the dying just causes the site to entirely stop
      working, when it would be more useful to have it continue
      to work but throw a warning message to the logs.
      behatnotneeded: Covered by existing test cases
      Change-Id: I264f72e3a8904293d78909410f68b29f2c78db3c
  24. 26 Nov, 2015 1 commit