1. 02 May, 2016 3 commits
  2. 01 May, 2016 1 commit
  3. 29 Apr, 2016 1 commit
    • PHP7 changes the type required for exception handler · ede1f0b9
      Bug 1575969. In PHP7 some errors throw an Error object (to
      the exception handler) instead of generating an error
      (handled by the error handler). The official way to make
      an exception handler that will work in PHP 5 & 7 is to
      leave off the parameter's type declaration.
      
      Change-Id: I5fc1c3765d5a311eb499d62915e676f8d9ee07a0
      behatnotneeded: Covered by existing tests
      (cherry picked from commit c3d7f4f6)
      Aaron Wells authored
  4. 28 Apr, 2016 1 commit
  5. 22 Apr, 2016 1 commit
  6. 21 Apr, 2016 2 commits
  7. 13 Apr, 2016 1 commit
    • Remove session.referer_check (Bug 1566366) · 90242956
      This setting kills your Mahara session whenever you navigate
      to Mahara from a link or redirect on another page. This totally
      prevents SAML and other redirect-based auth methods from working,
      makes it annoying to use links in email, and while it is mentioned
      on the PHP manual's "Securing Sessions" page, it's only
      recommended there if you also have "session.use_trans_sid" enabled,
      which we do not.
      
      Change-Id: I8b3b14bae8043c5004cc8f36766f2db9422eac1c
      behatnotneeded: Can't be tested by behat
      (cherry picked from commit 91807920)
      (cherry picked from commit c9b8ff02)
      (cherry picked from commit bcdd15ea)
      Aaron Wells authored
  8. 05 Apr, 2016 1 commit
  9. 31 Mar, 2016 2 commits
  10. 30 Mar, 2016 1 commit
  11. 23 Mar, 2016 9 commits
  12. 22 Mar, 2016 1 commit
  13. 21 Mar, 2016 1 commit
    • Adding some HTTP headers for security (Bug 1531987) · ef64adaa
      X-XSS-Protection: Tells the browser not to disable XSS protection
      
      X-Content-Type-Options: Tells the browser not to try to guess at
      mimetypes of downloads
      
      X-Permitted-Cross-Domain-Policies: Tells Flash & PDF not to trust
      alternate crossdomain.xml files (which set the permissions on whether
      this site allows itself to be accessed by scripts in Flash & PDF).
      Prevents an attacker from uploading a more permissive crossdomain.xml
      
      X-Powered-By: PHP by default sends this header with the current full
      PHP version.
      
      behatnotneeded: Selenium can't examine HTTP response headers
      
      Change-Id: Ia2a6de971fc62b7d8806ad010aa0fbe37c1a7357
      (cherry picked from commit 29656f03)
      Aaron Wells authored
  14. 18 Mar, 2016 1 commit
  15. 16 Mar, 2016 1 commit
  16. 14 Mar, 2016 1 commit
    • Fix bug in xmlrpc + $cfg->usersuniquebyusername · d22c3042
      Bug 1556692: When used together, these can cause problems when
      the ID field from Moodle gets truncated to the default
      get_new_username() length of "30", when being inserted into
      usr.username in Mahara.
      
      behatnotneeded: Can't test Mnet in Behat
      
      Change-Id: Icdeb78b5298e7d63a0610987b0d8fad34e58d036
      Robert Lyon authored
  17. 08 Mar, 2016 1 commit
  18. 03 Mar, 2016 1 commit
  19. 10 Feb, 2016 1 commit
  20. 18 Dec, 2015 1 commit
  21. 11 Dec, 2015 2 commits
  22. 10 Dec, 2015 6 commits