
mahara-contributors team mailing list archive

[Bug 1009774] A change has been merged

 

Reviewed:  https://reviews.mahara.org/1460
Committed: http://gitorious.org/mahara/mahara/commit/e47eea0381645be217c516a43411e4998e70c404
Submitter: Hugh Davenport (hugh@xxxxxxxxxxxxxxx)
Branch:    master

commit e47eea0381645be217c516a43411e4998e70c404
Author: Melissa Draper <melissa@xxxxxxxxxxxxxxx>
Date:   Mon Jul 9 14:25:03 2012 +1200

    Sanitize links in links and resources menu (bug #1009774)
    
    Links placed in the links and resources list have not been getting
    checked and so have been displayed unfiltered to users and other
    admins. These user-supplied links are now checked with sanitize_url
    which has been extended to convert relative links to absolute.
    
    Change-Id: I679627c4e33621df82705c39e77e7226ffef5a97
    Signed-off-by: Melissa Draper <melissa@xxxxxxxxxxxxxxx>

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/1009774

Title:
  Links & resources urls are unsanitised

Status in Mahara ePortfolio:
  Fix Released

Bug description:
  Discovered by Emanuel Bronshtein. Present in all versions, requires an
  admin account.

   Configure site -> Menus -> Add External Link:
   http://localhost/mahara-1.5.1/mahara-1.5.1/htdocs/admin/site/menu.php
   Add new Link:
   Name: XSS
   Linked to: javascript:alert(location)
   click "Add".
   ...
   fix: Allow only whitelisted protocols (http,https,mailto).

  
  The sanitize_url function should be used for this.
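For readers who want to see what the scheme whitelist plus relative-to-absolute conversion described above looks like in practice, here is an added example. It is not Mahara's sanitize_url and not code from this commit; the function name sanitize_menu_url, the $wwwroot parameter and the sample inputs are all assumptions made for the illustration.

```php
<?php
// Added example, not Mahara's sanitize_url. Demonstrates the two rules the
// bug report and commit message describe: allow only http/https/mailto, and
// turn scheme-less (relative) links into absolute ones under the site root.

/**
 * Return a safe absolute URL, or null if the input must be rejected.
 *
 * $wwwroot is an assumed site base URL (e.g. what the site stores as its
 * root); anything without a scheme is resolved relative to it.
 */
function sanitize_menu_url(string $url, string $wwwroot): ?string
{
    $url = trim($url);
    if ($url === '') {
        return null;
    }

    // Browsers strip embedded control characters before parsing, so
    // "java\tscript:" is still executed as javascript:. Reject them outright
    // rather than trying to normalise.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }

    // Protocol-relative links (//attacker.example/...) carry no scheme but
    // would silently send users off-site; treat them as invalid.
    if (strpos($url, '//') === 0) {
        return null;
    }

    // RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
    if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $url, $m)) {
        $scheme = strtolower($m[1]);
        // Whitelist, never a blacklist: javascript:, data:, vbscript:, ftp:
        // and anything not listed here are all rejected.
        if (!in_array($scheme, array('http', 'https', 'mailto'), true)) {
            return null;
        }
        return $url;
    }

    // No scheme at all: a relative link. Make it absolute under the site
    // root so it cannot be reinterpreted later.
    return rtrim($wwwroot, '/') . '/' . ltrim($url, '/');
}

// Constructed inputs: the payload from the bug report plus a few of the
// usual bypass attempts and some legitimate links.
$wwwroot = 'https://mahara.example.org/';
$cases = array(
    'javascript:alert(location)',
    'JaVaScRiPt:alert(1)',
    "java\tscript:alert(1)",
    'data:text/html,<script>alert(1)</script>',
    '//attacker.example/phish',
    'https://mahara.org/',
    'mailto:admin@example.org',
    'artefact/file/index.php',
    '/view/index.php',
);

foreach ($cases as $c) {
    $out = sanitize_menu_url($c, $wwwroot);
    printf("%-45s => %s\n", addcslashes($c, "\0..\37"), $out === null ? 'REJECTED' : $out);
}
```

Two caveats a reviewer would raise. First, the whitelist is deliberately conservative: an input such as "localhost:8080/path" parses as scheme "localhost" and is rejected, which is the right default for an admin-entered menu link. Second, scheme checking only stops javascript: and friends from being the href target; the stored value must still be attribute-escaped when the menu is rendered, otherwise a quote inside an otherwise valid http URL still breaks out of the attribute.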
