mahara-contributors team mailing list archive
Message #22701
[Bug 1384481] Re: Minor version number displayed in JS, CSS links
Important note:
The patch for this problem only patches the issues in the core code - if
your site is using custom themes you will need to check that they are
not disclosing the minor version number.
To check if you need to make adjustments, first search for this string:
v={$RELEASE}
If it exists in your code anywhere (most likely in
theme/[yourthemename]/templates/header/head.tpl) then you will need to
change it to:
v={$CACHEVERSION}
--
https://bugs.launchpad.net/bugs/1384481
Title:
Minor version number displayed in JS, CSS links
Status in Mahara ePortfolio:
Fix Committed
Status in Mahara 1.10 series:
Fix Released
Status in Mahara 1.8 series:
Fix Released
Status in Mahara 1.9 series:
Fix Released
Status in Mahara 15.04 series:
Fix Committed
Bug description:
We made a conscious decision, for security reasons, not to display the
Mahara minor version number on the footer of every page, except to
Mahara admins.
However, in bug 1214124 we then added the minor version number to
every stylesheet and JavaScript URL, which makes it trivially easy to
find. You just look at the source code, and look for style.css:
<link rel="stylesheet" type="text/css"
href="https://mahara.org/theme/raw/static/style/style.css?v=1.9.3">
We should replace this with an arbitrary integer stored in a config
variable, which gets incremented whenever we upgrade the site. This
would have the added (minor) benefit that you could then force a
reloading of all the assets without incrementing the major version
number, by simply increasing this integer.
Only low importance, because a hacker could probably infer the Mahara
version number anyway, by looking at changes in the site's behavior.
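One way to run the custom-theme check described in this message over a whole theme directory, and to confirm from rendered page source that no dotted release number remains in asset URLs. This is an added example, not part of the original message or of Mahara's code; the function names and the `*.tpl` file filter are assumptions.

```python
import re
from pathlib import Path

LEAKY = "v={$RELEASE}"        # string the message says to search for
SAFE = "v={$CACHEVERSION}"    # replacement given in the message

# CSS/JS URLs whose v= value looks like a dotted release number (e.g. 1.9.3).
# A plain integer cache version such as v=42 does not match.
ASSET_VERSION = re.compile(
    r'(?:href|src)\s*=\s*["\']([^"\']+\.(?:css|js))'
    r'\?v=(\d+(?:\.\d+)+)["\']', re.IGNORECASE)


def scan_theme(theme_root):
    """Return (relative path, line number) for each template line using LEAKY."""
    root = Path(theme_root)
    hits = []
    for tpl in sorted(root.rglob("*.tpl")):   # assumption: templates end in .tpl
        text = tpl.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            if LEAKY in line:
                hits.append((tpl.relative_to(root).as_posix(), lineno))
    return hits


def fix_theme(theme_root):
    """Rewrite LEAKY to SAFE in place; return the number of files changed."""
    changed = 0
    for tpl in Path(theme_root).rglob("*.tpl"):
        data = tpl.read_bytes()               # bytes, so file encoding is untouched
        if LEAKY.encode() in data:
            tpl.write_bytes(data.replace(LEAKY.encode(), SAFE.encode()))
            changed += 1
    return changed


def leaked_versions(html):
    """Return (asset URL, version) pairs disclosed in rendered page source."""
    return ASSET_VERSION.findall(html)


if __name__ == "__main__":
    # The <link> tag quoted in the bug description.
    sample = ('<link rel="stylesheet" type="text/css"\n'
              'href="https://mahara.org/theme/raw/static/style/style.css?v=1.9.3">')
    print(leaked_versions(sample))
```

Run `scan_theme` on each custom theme directory before and after `fix_theme`, then feed the source of a logged-out page to `leaked_versions` to confirm the result.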