mahara-contributors team mailing list archive
Message #10560
[Bug 1047111] Re: XEE possible in mahara
The final fixes for this bug are as follows:
1.4: https://reviews.mahara.org/#/c/1668/
1.5: https://reviews.mahara.org/#/c/1669/
1.6: https://reviews.mahara.org/#/c/1670/
** Also affects: mahara/1.4
   Importance: Undecided
   Status: New

** Also affects: mahara/1.5
   Importance: Undecided
   Status: New

** Changed in: mahara/1.4
   Status: New => Fix Released

** Changed in: mahara/1.5
   Status: New => Fix Released

** Changed in: mahara/1.4
   Assignee: (unassigned) => Hugh Davenport (hugh-catalyst)

** Changed in: mahara/1.5
   Assignee: (unassigned) => Hugh Davenport (hugh-catalyst)

** Changed in: mahara/1.4
   Milestone: None => 1.4.4

** Changed in: mahara/1.5
   Milestone: None => 1.5.3

** Visibility changed to: Public

** Changed in: mahara/1.4
   Importance: Undecided => Critical

** Changed in: mahara/1.5
   Importance: Undecided => Critical

** Patch added: "xmlsecbug-13.patch"
   https://bugs.launchpad.net/mahara/+bug/1047111/+attachment/3313736/+files/xmlsecbug-13.patch
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/1047111
Title:
XEE possible in mahara
Status in Mahara ePortfolio:
Confirmed
Status in Mahara 1.4 series:
Fix Released
Status in Mahara 1.5 series:
Fix Released
Bug description:
libxml_disable_entity_loader(true) is never called in Mahara, which
means that XML functionalities are vulnerable to
http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities
It can be fixed by adding libxml_disable_entity_loader(true) in init.
Reported by Mike Haworth.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1047111/+subscriptions
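
Added example, not part of the original message and not Mahara's code: an init-time hardening call of the kind the bug description asks for, plus a self-check that parses a constructed document referencing a canary file. The function names harden_xml_parsing() and external_entity_blocked() and the canary file are hypothetical; it assumes PHP 7.1 or later on a Unix-like host.

```php
<?php
// Added example: init-time hardening for XML external entities, with a self-check.

/** Hypothetical helper: call once during application bootstrap. */
function harden_xml_parsing(): void
{
    // libxml_disable_entity_loader() is deprecated as of PHP 8.0, which requires
    // libxml >= 2.9.0; there external entities are not loaded unless the caller
    // passes LIBXML_NOENT. On older PHP the explicit call is still needed.
    if (PHP_VERSION_ID < 80000 && function_exists('libxml_disable_entity_loader')) {
        libxml_disable_entity_loader(true);
    }
}

/** Returns true if the parser left the external entity unexpanded. */
function external_entity_blocked(): bool
{
    // Constructed canary: a temp file this script owns, referenced as an
    // external entity from a constructed document.
    $canary = tempnam(sys_get_temp_dir(), 'xxe');
    file_put_contents($canary, 'CANARY-CONTENT');
    $xml = '<?xml version="1.0"?>'
         . '<!DOCTYPE r [<!ENTITY e SYSTEM "file://' . $canary . '">]>'
         . '<r>&e;</r>';

    $prev = libxml_use_internal_errors(true);      // keep parser warnings out of output
    $doc = new DOMDocument();
    $loaded = $doc->loadXML($xml, LIBXML_NONET);   // deliberately no LIBXML_NOENT
    $text = $loaded ? $doc->textContent : '';
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    unlink($canary);

    // If the canary text shows up, the entity was resolved from disk.
    return strpos($text, 'CANARY-CONTENT') === false;
}

harden_xml_parsing();
echo external_entity_blocked()
    ? "external entity not expanded\n"
    : "XXE: canary content was read by the parser\n";
```

The same check is worth re-running against any call site that passes LIBXML_NOENT or LIBXML_DTDLOAD, since those flags re-enable entity substitution regardless of the init-time setting on current PHP.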