
mahara-contributors team mailing list archive

[Bug 1476925] Re: Make ajax get_string work for logged-out users


We had a discussion about whether there would be any additional security
risk in making this action accessible to logged-out users. I think it
would be safe. Here's my analysis:

1. The "section" argument is used as a portion of a filename, but it's
limited to specific directories and filtered to the characters
[-_.A-Za-z0-9], and the filename will have ".php" added to the end, so
that's pretty safe.

2. You can use a parameterized string to generate an arbitrary JSON
response (i.e.
https://vegas.wgtn.cat-it.co.nz/mahara/htdocs/lang/get_string.php?section=mahara&string=deletespecific&args[]=%3Cscript%20type=%22text/javascript%22%3Ealert%28%27hey!%27%29%3C/script%3E
), but the response header has "Content-Type: application/json", so the
browser won't parse any HTML or Javascript in the response if you hit it
directly. So that's pretty safe.

So in the end, it seems like the biggest risk here is that you could
use this string to find out the value of every language string in the
site. The only scenario I can think of where that would cause a problem
is if a site is using custom language strings, and putting sensitive
data into them. Like "Welcome to Wells University! Remember, everyone's
default password is 'password123'!".

But that seems like a really bad idea anyway, so I don't think it's a
scenario we need to worry about too much.

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1476925

Title:
  Make ajax get_string work for logged-out users

Status in Mahara:
  In Progress

Bug description:
  With Bug #1450995 We added a "get_string_ajax()" javascript method
  which lets you load up Mahara language strings using Ajax, after the
  page is done loading.

  However, it only works for logged-in users. I think eventually this is
  going to cause us some problems, because we're going to forget about
  that limitation and use this method for some action which is also
  accessible to logged-out users. So in the long run it's probably best
  to make it work the same whether you're logged in or logged out.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1476925/+subscriptions

