
mahara-contributors team mailing list archive

[Bug 1385564] A change has been merged

 

Reviewed:  https://reviews.mahara.org/4035
Committed: http://gitorious.org/mahara/mahara/commit/78e8b1084c5f29ef2aad034c5855d81aad9c2ee5
Submitter: Robert Lyon (robertl@xxxxxxxxxxxxxxx)
Branch:    1.9_STABLE

commit 78e8b1084c5f29ef2aad034c5855d81aad9c2ee5
Author: Aaron Wells <aaronw@xxxxxxxxxxxxxxx>
Date:   Wed Oct 29 01:41:13 2014 +1300

Clear secreturl access cookies on logout

Bug 1385564: This doesn't provide much additional security, because if
the access cookies are still in your browser session, then the secret URL
itself is probably still in your browser history. But if someone goes to
the trouble of logging out *and* clearing their browser history, this
will ensure that it actually does end the secreturl access cookie like
they'd expect.

Change-Id: Ia75f58015ab2cb54c9184cdc8b5bf32dfe543733

https://bugs.launchpad.net/bugs/1385564

Title:
  Secret URLs used on public computers leak access to later users of the
  same browser

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.10 series:
  Fix Committed
Status in Mahara 1.8 series:
  Fix Committed
Status in Mahara 1.9 series:
  Fix Committed

Bug description:
  If a user (or group) creates a private page and gives it a secret URL,
  and then the page is accessed by the secret URL on a public computer
  and the user doesn't close their browser window afterwards, other
  users will also be able to access that page by its normal URL or its
  secret URL.

  This can defy user expectations of access rights.

  E.g.
  1. Group A admin creates a page and shares it only with the group; the page has id=8.
  2. Group A admin creates a secret URL for the page, e.g. /view/view.php?t=nFlSjpVuUCawH6TxP7A3
  3. User 1, who is not in the group, goes to the page by its secret URL (while using a computer at the library).
  4. User 1 then logs out, but doesn't close their browser window.
  5. User 2 comes to the computer and goes to /view/view.php?id=8

  Expected result - User 2 can't access the page as they don't know the
  secret URL

  Actual result - User 2 can access the page

  This is reported here:
  https://mahara.org/interaction/forum/topic.php?id=6520
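
The scenario above, modelled as an added example (not Mahara's code): a secret-URL visit stores a per-view access cookie in the shared browser, and only a logout that also clears those cookies stops User 2 from opening view 8. The cookie-name prefix, user names and cookie layout are assumptions made for the model.

```python
# Model of the bug-1385564 scenario: a secret-URL visit sets an access cookie in the
# browser, and logout must clear it or the next person at the same browser keeps access.
from dataclasses import dataclass, field

VIEW_ID = 8                               # page id from the report
SECRET_TOKEN = "nFlSjpVuUCawH6TxP7A3"     # secret-URL token from the report
SECRET_URLS = {SECRET_TOKEN: VIEW_ID}     # token -> view it unlocks
GROUP_A = {"group_a_admin"}               # the only users the page is shared with
ACCESS_PREFIX = "secreturl_access_"       # hypothetical cookie-name prefix, not Mahara's

@dataclass
class Browser:
    """One browser profile on a shared (library) computer; cookies outlive a logout."""
    cookies: dict = field(default_factory=dict)

def login(browser, username):
    browser.cookies["session"] = username

def visit_secret_url(browser, token):
    """Step 3: a valid token grants access by setting a per-view access cookie."""
    view_id = SECRET_URLS.get(token)
    if view_id is None:
        return False
    browser.cookies[f"{ACCESS_PREFIX}{view_id}"] = token
    return True

def can_view(browser, view_id):
    """Access check for /view/view.php?id=N: group member or holder of the access cookie."""
    if browser.cookies.get("session") in GROUP_A:
        return True
    return f"{ACCESS_PREFIX}{view_id}" in browser.cookies

def logout_before_fix(browser):
    browser.cookies.pop("session", None)          # access cookies survive: the bug

def logout_after_fix(browser):
    browser.cookies.pop("session", None)
    for name in [n for n in browser.cookies if n.startswith(ACCESS_PREFIX)]:
        del browser.cookies[name]                 # drop every secret-URL access cookie

def user2_can_view(logout):
    """Steps 3-5 of the report; returns whether User 2 can open view 8 by its normal URL."""
    shared_pc = Browser()
    login(shared_pc, "user1")                     # user1 is not in group A
    assert visit_secret_url(shared_pc, SECRET_TOKEN)
    logout(shared_pc)                             # window left open, cookies remain
    login(shared_pc, "user2")
    return can_view(shared_pc, VIEW_ID)
```

As the commit message notes, clearing the cookie does not remove the secret URL from the browser history, so the model only covers the cookie half of the exposure.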
