mahara-contributors team mailing list archive

Thread
Date

[Bug 1082416] Re: XMLRPC with Firefox 17.0 not possible

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Gerv <1082416@xxxxxxxxxxxxxxxxxx>
Date: Mon, 26 Nov 2012 10:23:17 -0000
Reply-to: Bug 1082416 <1082416@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Perhaps it might be worth stepping back for a moment and asking what
security value there is in checking that Moodle and Mahara receive the
same User Agent string? Given that this string can be spoofed either by
the user agent itself or by a proxy, so that it can be made to match or
not match as a malicious actor requires, there is no value in checking
it.

So I suggest that you implement all the solutions; i.e.:

a) Patch Moodle/MNET to work around the issue
b) Patch Mahara not to do the check

The Moodle and Mahara communities together will need to work out what
they want us to do in terms of removing, or not, the workaround in
Firefox.

Gerv

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/1082416

Title:
  XMLRPC with Firefox 17.0 not possible

Status in Mahara ePortfolio:
  Confirmed

Bug description:
  Since the release of Firefox 17.0 MNET SSO from Moodle to Mahara is
  broken. Works fine with Firefox <17, Chrome and IE9.

  Error:
  Sorry, we could not log you in.
  Sorry, we could not log you into Mahara - HTL-Perg at this time. Please try again shortly. If the problem persists, contact your administrator.

  Apache-Error-Log:
  [Fri Nov 23 16:11:11 2012] [error] [client 10.114.57.20] [WAR] 37 (api/xmlrpc/client.php:173) Unknown error occurred: 1: Kein Zugang: Die MNET-Session gibt es nicht!, referer: https://<moodle>
  [Fri Nov 23 16:11:11 2012] [error] [client 10.114.57.20] Call stack (most recent first):, referer: https://<moodle>
  [Fri Nov 23 16:11:11 2012] [error] [client 10.114.57.20]   * Client->send("https://<moodle>") at /var/www/auth/xmlrpc/lib.php:119, referer: https://<moodle>
  [Fri Nov 23 16:11:11 2012] [error] [client 10.114.57.20]   * AuthXmlrpc->request_user_authorise("0860ab7ac0c65ff69c42f6f899f550d3cc5c82f1", "https://<moodle>") at /var/www/auth/xmlrpc/land.php:94, referer: https://<moodle>
  [Fri Nov 23 16:11:11 2012] [error] [client 10.114.57.20] , referer: https://<moodle>

  Translation for: "Kein Zugang: Die MNET-Session gibt es nicht!", ->
  "No access; The MNET-Session does not exist!"

  Tried with Mahara 1.6.1 & 1.6.2 on Ubuntu 12.04.1.
  This bug is reproducible.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1082416/+subscriptions

References

[Bug 1082416] [NEW] XMLRPC with Firefox 17.0 not possible
From: Werner Schöller, 2012-11-23