mahara-contributors team mailing list archive

[Kristina Hoeppner <1384481@xxxxxxxxxxxxxxxxxx>]

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-8692

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1384481

Title:
  Minor version number displayed in JS, CSS links

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.10 series:
  Fix Committed
Status in Mahara 1.8 series:
  Fix Committed
Status in Mahara 1.9 series:
  Fix Committed
Status in Mahara 15.04 series:
  Fix Committed

Bug description:
  We made a conscious decision, for security reasons, not to display the
  Mahara minor version number on the footer of every page, except to
  Mahara admins.

  However, in bug 1214124 we then added the minor version number to
  every stylesheet and Javascript URL, which makes it trivially easy to
  find. You just look at the source code, and look for style.css:

      <link rel="stylesheet" type="text/css"
  href="https://mahara.org/theme/raw/static/style/style.css?v=1.9.3";>

  We should replace this with an arbitrary integer stored in a config
  variable, which gets incremented whenever we upgrade the site. This
  would have the added (minor) benefit that you could then force a
  reloading of all the assets without incrementing the major version
  number, by simplying increasing this integer.

  Only low importance, because a hacker could probably infer the Mahara
  version number anyway, by looking at changes in the site's behavior.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1384481/+subscriptions