mahara-contributors team mailing list archive
Message #03702
[Bug 772140] Re: Information disclosure in my friends pagination script
** Changed in: mahara
Status: In Progress => Fix Committed
--
https://bugs.launchpad.net/bugs/772140
Title:
Information disclosure in my friends pagination script
Status in Mahara ePortfolio:
Fix Committed
Status in Mahara 1.3 series:
Fix Released
Bug description:
There are three problems with this script:
1. It takes a block id, but doesn't check that the logged-in user is allowed to see the view that the block appears in.
2. It takes a user id, and doesn't check that the user id matches the id of the view owner.
3. It returns a list of friends with too much information; it should only return the HTML to replace the block content.
Does not affect Mahara 1.2 (there was no friends block pagination).
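
The three checks named in the bug description, sketched as an added example; this is not Mahara's code or its actual fix. The in-memory `$views`, `$blocks` and `$friends` tables, the `friends_page()` handler and the access rule are hypothetical stand-ins for the real data model.

```php
<?php
// Constructed sample data (hypothetical stand-ins, not Mahara's schema).
$views   = [10 => ['owner' => 1, 'allowed' => [1, 2]]]; // view 10: owned by user 1, shared with user 2
$blocks  = [500 => ['view' => 10]];                      // friends block 500 sits in view 10
$friends = [1 => [
    ['id' => 2, 'name' => 'Bea', 'email' => 'bea@example.org'],
    ['id' => 3, 'name' => 'Cy',  'email' => 'cy@example.org'],
]];

// Hypothetical pagination handler: $viewer is the logged-in user,
// $blockId and $userId are the request parameters the report mentions.
function friends_page(int $viewer, int $blockId, int $userId, int $offset, int $limit): array
{
    global $views, $blocks, $friends;

    $block = $blocks[$blockId] ?? null;
    $view  = $block ? ($views[$block['view']] ?? null) : null;
    // Unknown blocks are denied the same way as forbidden ones, so the
    // response does not reveal which block ids exist.
    if ($view === null) {
        return ['status' => 403];
    }
    // Problem 1: the viewer must be allowed to see the view containing the block.
    if (!in_array($viewer, $view['allowed'], true)) {
        return ['status' => 403];
    }
    // Problem 2: the requested user id must be the owner of that view.
    if ($userId !== $view['owner']) {
        return ['status' => 403];
    }
    // Problem 3: return only the rendered block HTML, never the raw friend records.
    $page = array_slice($friends[$userId] ?? [], max(0, $offset), max(0, $limit));
    $html = '';
    foreach ($page as $f) {
        $html .= '<li>' . htmlspecialchars($f['name'], ENT_QUOTES, 'UTF-8') . '</li>';
    }
    return ['status' => 200, 'html' => '<ul>' . $html . '</ul>'];
}

var_dump(friends_page(2, 500, 1, 0, 10)); // shared viewer, user id matches the view owner
var_dump(friends_page(9, 500, 1, 0, 10)); // viewer has no access to the view
var_dump(friends_page(2, 500, 3, 0, 10)); // user id does not match the view owner
```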