
mahara-contributors team mailing list archive

[Bug 1234615] Re: Not checking artefact permissions before exporting

 

** Changed in: mahara
    Milestone: 16.04.1 => None

** Changed in: mahara
       Status: Fix Committed => Fix Released

** Changed in: mahara/16.10
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1234615

Title:
  Not checking artefact permissions before exporting

Status in Mahara:
  Fix Released
Status in Mahara 1.10 series:
  Won't Fix
Status in Mahara 1.9 series:
  Won't Fix
Status in Mahara 15.04 series:
  Fix Released
Status in Mahara 15.10 series:
  Fix Released
Status in Mahara 16.04 series:
  Fix Released
Status in Mahara 16.10 series:
  Fix Released

Bug description:
  In https://bugs.launchpad.net/bugs/1211758 , the reporter mentioned
  that in addition to embedding other users' artefacts in your pages,
  you could export them to view their full content:

  #3: Export function allows arbitrary file download
  Using the technique above you can get a 1024x1024 'thumbnail' of any user's arbitrary file. Simply use the export function on a page like the one above where other users' images are embedded. Make sure the embedded image's max-size is set to 1024 and it will appear within /files/extra.

  There is an obvious fix for this issue, of checking
  $USER->can_publish_artefact() or $USER->can_view_artefact() on each
  artefact before exporting it. But when Robert tested this fix, he
  found that it was too resource-intensive (as part of the already
  resource-intensive export process) for it to work while exporting an
  average-sized portfolio.

  Since fixing the embedding of other users' data mitigates the risk
  from this issue and was easier to accomplish, I've released that fix
  and spun this one off into a separate bug to fix when we're able.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1234615/+subscriptions
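The bug description above contrasts an export that copies every embedded artefact with one that checks view permission on each artefact first, and notes that the per-artefact check was too expensive. The following added example (not Mahara code, and not the fix that was eventually released) models that choice in plain Python: an unchecked export, the per-item check the report proposes, and a batched variant that produces the same filtered result with a single permission lookup for the whole set. All names (`Artefact`, `ACCESS`, `export_*`), the sample data and the lookup counter are constructed for the illustration; the real cost of Mahara's permission logic is assumed, not measured.

```python
# Added illustration (not Mahara code): authorisation filtering of artefacts
# at export time. Constructed data and a counter stand in for the database
# and for the per-query cost the bug report is concerned about.
from dataclasses import dataclass


@dataclass(frozen=True)
class Artefact:
    id: int
    owner: int      # user id of the owner
    title: str


# Constructed access table: artefact id -> user ids granted view access
# (standing in for page sharing rules). Owners are implicitly allowed.
ACCESS = {
    2: {7},         # alice's file, shared with user 7
    3: set(),       # bob's file, shared with nobody
}

# Constructed set of artefacts embedded in the page being exported.
ARTEFACTS = [
    Artefact(1, 7, "own-notes.txt"),
    Artefact(2, 5, "alice-shared.png"),
    Artefact(3, 9, "bob-private.pdf"),
    Artefact(4, 5, "alice-unshared.jpg"),
]


class LookupCounter:
    """Counts permission lookups so the two strategies can be compared."""

    def __init__(self):
        self.lookups = 0


def export_unchecked(user_id, artefacts):
    """The behaviour the bug describes: everything embedded is exported."""
    return list(artefacts)


def can_view_artefact(user_id, artefact, counter):
    """Per-artefact check: one permission lookup for each artefact."""
    counter.lookups += 1
    if artefact.owner == user_id:
        return True
    return user_id in ACCESS.get(artefact.id, set())


def export_per_item(user_id, artefacts, counter):
    """The fix proposed in the report: check each artefact before export."""
    return [a for a in artefacts if can_view_artefact(user_id, a, counter)]


def viewable_ids_batched(user_id, artefacts, counter):
    """One lookup for the whole set, modelling a single IN (...) query."""
    counter.lookups += 1
    return {
        a.id for a in artefacts
        if a.owner == user_id or user_id in ACCESS.get(a.id, set())
    }


def export_batched(user_id, artefacts, counter):
    """Same filtered result as export_per_item, with one lookup instead of N."""
    allowed = viewable_ids_batched(user_id, artefacts, counter)
    return [a for a in artefacts if a.id in allowed]


if __name__ == "__main__":
    for fn in (export_per_item, export_batched):
        counter = LookupCounter()
        exported = fn(7, ARTEFACTS, counter)
        print(fn.__name__, [a.title for a in exported], "lookups:", counter.lookups)
```

Running it as user 7 exports only `own-notes.txt` and `alice-shared.png` under either checked strategy, while the unchecked export hands over all four files; the per-item version spends four lookups and the batched version one, which is the kind of reduction that makes an export-time permission check affordable on a large portfolio.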