mahara-contributors team mailing list archive

[Bug 1047111] Re: XEE possible in mahara

 

** Patch added: "xmlsecbug-12.patch"
   https://bugs.launchpad.net/mahara/+bug/1047111/+attachment/3313737/+files/xmlsecbug-12.patch

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/1047111

Title:
  XEE possible in mahara

Status in Mahara ePortfolio:
  Confirmed
Status in Mahara 1.4 series:
  Fix Released
Status in Mahara 1.5 series:
  Fix Released

Bug description:
  libxml_disable_entity_loader(true) is never called in Mahara, which
  means that XML functionalities are vulnerable to
  http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities

  Can be fixed by adding libxml_disable_entity_loader(true) in init.

  Reported by Mike Haworth.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1047111/+subscriptions
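
The mitigation named in the bug description, as an added example that is not part of the original notification and is not Mahara's code or the attached patch. The helper name `parse_untrusted_xml()` and the sample documents are hypothetical and constructed; PHP 7 or later is assumed, and the call is scoped to a single parse rather than placed in init.

```php
<?php
// Added example, not Mahara code. parse_untrusted_xml() is a hypothetical helper.
function parse_untrusted_xml(string $xml): SimpleXMLElement
{
    // PHP < 8.0: disable libxml's external entity loader (the call the bug
    // report asks for in init; here it is scoped to one parse and restored).
    // Deprecated since PHP 8.0, where libxml >= 2.9 no longer loads external
    // entities by default, so the call is skipped there.
    $previous = null;
    if (PHP_VERSION_ID < 80000) {
        $previous = libxml_disable_entity_loader(true);
    }
    $oldErrors = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET blocks network access; LIBXML_NOENT and LIBXML_DTDLOAD
        // are deliberately not passed, so no entity substitution or DTD load.
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            throw new RuntimeException('malformed XML');
        }
        // Defence in depth: refuse any document that declares a DOCTYPE.
        foreach ($dom->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new RuntimeException('DOCTYPE not allowed');
            }
        }
        return simplexml_import_dom($dom);
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($oldErrors);
        if ($previous !== null) {
            libxml_disable_entity_loader($previous);
        }
    }
}

// Constructed sample inputs; the entity target is a placeholder path.
$samples = [
    'plain'   => '<profile><name>Alice</name></profile>',
    'doctype' => '<!DOCTYPE profile [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
               . '<profile><name>&ext;</name></profile>',
];
foreach ($samples as $label => $xml) {
    try {
        $doc = parse_untrusted_xml($xml);
        echo "$label: accepted, name={$doc->name}\n";
    } catch (RuntimeException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

With the entity loader disabled on PHP before 8.0, `DOMDocument::load()` and `simplexml_load_file()` fail on file paths, so code hardened this way should read the file itself and parse the resulting string.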