1. 05 May, 2016 1 commit
    • Escape double-quotes in filename, in Content-Disposition header · d84ee5d6
      Aaron Wells authored
      Bug 1578512: As specified in RFC 6266, the filename is a
      "quoted-string", and as specified in RFC 2616 double quotes
      within a quoted-string should be escaped with a backslash.
      
      Change-Id: Id9d069a976406a82a6f0b6db92c696f700e00469
      behatnotneeded: Can't test file uploads in behat yet
      (cherry picked from commit aa8c6760)
  2. 31 Mar, 2016 1 commit
    • Allow byteranges all the time · 3603d59b
      Aaron Wells authored
      Bug 1397131: iOS needs byte ranges for media files.
      We have some very old code that prohibits byte ranges
      when caching is disabled, which in turn is inherited
      from some very old code in Moodle. But it doesn't
      appear to be actually necessary to *ever* prohibit
      byte ranges.
      
      behatnotneeded: Can't be tested in Behat
      
      Change-Id: Id3bba20305204f87cee50ec664893f53cfb2337e
  3. 12 Aug, 2015 1 commit
    • Typo in regex (bug 1484296) · 486c747e
      Aaron Wells authored
      Change-Id: Ic8810e0a46c690a7c0afe438950ca2e263504dfd
      behatnotneeded: Currently can't test leap2a import/export in Behat
  4. 07 Aug, 2015 1 commit
  5. 06 Jul, 2015 1 commit
  6. 15 Jun, 2015 1 commit
  7. 07 Jan, 2015 1 commit
  8. 03 Dec, 2014 1 commit
  9. 04 Jun, 2014 1 commit
  10. 08 Apr, 2014 1 commit
  11. 02 Apr, 2014 6 commits
  12. 14 Oct, 2013 1 commit
  13. 03 Feb, 2013 1 commit
  14. 10 Oct, 2012 3 commits
    • Escape user uploaded SVG files · 52e35d9d
      Hugh Davenport authored
      Bug #1061980
      CVE-2012-2247
      
      Before this patch, if a user uploaded HTML or XML files
      then tried to download them, or linked other users to download
      them, they would be presented with an escaped version along
      with a link to download the original.
      
      Unfortunately, an SVG file can possibly contain unsecure content,
      such as JavaScript, that would be run on the victim's browser.
      
      This patch adds SVG files (image/svg+xml) to the list of files
      to not display by default.
      
      Change-Id: I56e7c9d2a7d8de03b5b3be31f0ac44198547ea09
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
    • Escape user uploaded XHTML files · 26c5cf07
      Hugh Davenport authored
      Bug #1055232
      CVE-2012-2243
      
      Before this patch, if a user uploaded HTML or XML files
      then tried to download them, or linked other users to download
      them, they would be presented with an escaped version along
      with a link to download the original.
      
      This did not include XHTML files, which can cause the same
      security issues as HTML or XML files. This patch includes the
      XHTML mimetype of application/xhtml+xml in the test of which
      files to escape.
      
      Change-Id: Iffb8308fdb56a173fd4af2bbda800999dd11fea3
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
    • Fix saved file permissions · e85c165f
      Hugh Davenport authored
      Bug #1057238
      CVE-2012-2244
      
      Currently, files that are saved by Mahara use the
      directorypermissions config option, which defaults to
      0700, which allows execution.
      
      This allows users to potentially upload files with
      executable bits set, and if they have control of the
      config options pathtoclam, pathtozip, or pathtounzip
      then they could run this command when one of those
      commands is invoked.
      
      This patch bitwise-AND's the directory permissions
      config with 0666, which removes any executable bit
      and sets the result as a new config option
      filepermissions.
      
      A change to the upload code to use this new option is made.
      
      Change-Id: I088d9873de7797d5a9aefc2401301f8b855ed592
      Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
  15. 03 Jan, 2012 1 commit
  16. 25 Nov, 2011 1 commit
  17. 18 Nov, 2011 1 commit
    • Trim directory names before they are made (bug #813905) · ff3fd0e4
      Melissa Draper authored
      There are several places in the code where we make directories
      for stuff, both in the filesystem and in the artefacts table.
      If they have trailing spaces, then this can mess up users' HTML
      exports etc. This patch should make exports safe for existing
      folders with whitespace at the end, and prevent new folders
      from being made with the problem.
      
      Change-Id: Ia593f7f773e5ffe91ce74e8a736074b1fe1026b2
      Signed-off-by: Melissa Draper <melissa@catalyst.net.nz>
  18. 03 Nov, 2011 1 commit
  19. 16 Sep, 2011 1 commit
  20. 13 Sep, 2011 1 commit
  21. 02 Sep, 2011 1 commit
  22. 24 Aug, 2011 1 commit
  23. 12 Jul, 2011 1 commit
  24. 13 May, 2011 1 commit
  25. 11 May, 2011 2 commits
  26. 03 May, 2011 1 commit
  27. 11 Feb, 2011 1 commit
  28. 14 Jul, 2010 2 commits
  29. 04 Feb, 2010 1 commit
  30. 23 Dec, 2009 1 commit
  31. 27 Oct, 2009 1 commit