mahara-contributors team mailing list archive
Message #42808
[Bug 1692749] Re: User passwords being saved in database event_log as plain text
** Changed in: mahara/16.10
Status: Confirmed => Fix Committed
** Changed in: mahara/17.04
Status: Confirmed => Fix Committed
** Information type changed from Private Security to Public Security
https://bugs.launchpad.net/bugs/1692749
Title:
User passwords being saved in database event_log as plain text
Status in Mahara:
Fix Committed
Status in Mahara 15.04 series:
Fix Committed
Status in Mahara 16.04 series:
Fix Committed
Status in Mahara 16.10 series:
Fix Committed
Status in Mahara 17.04 series:
Fix Committed
Status in Mahara 17.10 series:
Fix Committed
Bug description:
If you turn on full logging for your site via:
Admin -> Configure site -> Logging settings -> Log events
Then whenever a user is created via:
Admin -> Users -> Add user
Admin -> Users -> Add users by CSV
Or in fact any place where we create a user with the create_user()
function we end up calling
handle_event('createuser', $user);
And if the $user object has password set then that is saved to
the event_log table
We need to:
1) stop that from happening - in fact save to event_log only the
bits of objects that make sense rather than everything, e.g. I notice
that there are a lot of "dirty":true and things whose value is null
(we can assume if key doesn't exist then it would be null rather than
explicitly record that)
2) clean up existing data and at the very least remove the saved passwords
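Added example, not part of the original bug report and not Mahara's actual fix: one way to strip credentials, "dirty" flags and null values from an object before it is logged, and to apply the same scrub to rows already stored. The function names, the key lists and the assumption that logged data is stored as JSON are hypothetical.

```php
<?php
// Hypothetical helpers; names and key lists are assumptions, not Mahara code.
const SENSITIVE_KEYS = ['password', 'salt']; // assumed field names that must never be logged
const NOISE_KEYS     = ['dirty'];            // bookkeeping flag mentioned in the report

// Return a copy of $data that is safe to log: sensitive keys, noise keys
// and null values are dropped at every nesting level.
function scrub_event_data($data) {
    if (is_object($data)) {
        $data = get_object_vars($data); // public properties only when called from here
    }
    if (!is_array($data)) {
        return $data; // scalar: nothing to filter
    }
    $clean = [];
    foreach ($data as $key => $value) {
        $name = strtolower((string) $key);
        if (in_array($name, SENSITIVE_KEYS, true) || in_array($name, NOISE_KEYS, true)) {
            continue;
        }
        if ($value === null) {
            continue; // a missing key already means null
        }
        $clean[$key] = scrub_event_data($value);
    }
    return $clean;
}

// Scrub one stored log value (assumed to be JSON) for the clean-up of existing rows.
function scrub_logged_json(string $json): string {
    $decoded = json_decode($json, true);
    if (!is_array($decoded)) {
        return $json; // not structured data; leave it untouched
    }
    return json_encode(scrub_event_data($decoded));
}

// Constructed sample: the kind of object passed to handle_event('createuser', $user).
$user = new stdClass();
$user->username = 'newuser';
$user->password = 'Constructed-Sample-1';
$user->email    = null;
$user->dirty    = true;
echo json_encode(scrub_event_data($user)), "\n";

// Constructed sample of a value already written to the log before the fix.
echo scrub_logged_json('{"id":7,"password":"Constructed-Sample-2","dirty":true}'), "\n";
```

Filtering by an allow-list of known-safe keys per event type would be stricter than this deny-list and matches the report's suggestion to log only the parts that make sense.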