
mahara-contributors team mailing list archive

[Bug 1719472] Re: User autocomplete selector in Mail composer not escaping the name

 

** Changed in: mahara/16.04
       Status: Fix Committed => Fix Released

-- 
https://bugs.launchpad.net/bugs/1719472

Title:
  User autocomplete selector in Mail composer not escaping the name

Status in Mahara:
  Fix Released
Status in Mahara 16.04 series:
  Fix Released
Status in Mahara 16.10 series:
  Fix Committed
Status in Mahara 17.04 series:
  Fix Committed
Status in Mahara 17.10 series:
  Fix Released

Bug description:
  This means that a user can set a bad name and compromise another user.

  To reproduce:

  *) Login as "user1"
  *) Click on "Main menu" - "Content" - "Profile" - "About me"
  *) Insert at "First name" or "Last name" or "Display name":

  <script>alert(1)</script>

  *) Save with "Save profile"

  *) Click on "User menu" - "0 unread" - "Compose"
  *) Send a message to another user, for example:

  Recipients: user2
  Subject: Hello
  Message: Please reply

  *) Send the message with "Send message"
  *) Logout as "user1"

  *) Login as "user2"
  *) Open the received message in the dashboard ("Inbox")
  *) Click on "Reply"
  *) The alert dialog appears

  
  To fix:
  Normally when we show a user's name on screen we filter it via hsc().
  But in this case the name is being fetched by the autocomplete pieform element via the translate_ids_to_names() function without being escaped.

  So we need to escape it before returning the name.

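The fix described in the report, sketched as an added example; this is not Mahara's code or the committed patch. The function names, the $users array and escape_html() (a stand-in for Mahara's hsc(), built on PHP's htmlspecialchars()) are assumptions made for illustration.

```php
<?php
// Added illustration, not Mahara source. Every function name here is
// hypothetical; only htmlspecialchars() is a real PHP built-in.

// Constructed sample data: user 1 saved the display name from the report.
$users = [
    1 => '<script>alert(1)</script>',
    2 => 'Alice & Bob',
];

// Stand-in for hsc(): encodes &, <, >, " and ' for HTML text and quoted attributes.
function escape_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "Before": the lookup hands stored names to the autocomplete element verbatim.
function ids_to_names_unescaped(array $ids, array $users): array {
    $out = [];
    foreach ($ids as $id) {
        if (isset($users[$id])) {
            $out[] = ['id' => (int) $id, 'text' => $users[$id]];
        }
    }
    return $out;
}

// "After": the name is escaped before the lookup returns it.
function ids_to_names_escaped(array $ids, array $users): array {
    $out = [];
    foreach ($ids as $id) {
        if (isset($users[$id])) {
            $out[] = ['id' => (int) $id, 'text' => escape_html($users[$id])];
        }
    }
    return $out;
}

// Regression check: no escaped name may still contain markup delimiters.
foreach (ids_to_names_escaped([1, 2], $users) as $row) {
    if (strpbrk($row['text'], '<>"\'') !== false) {
        throw new RuntimeException("unescaped name for user {$row['id']}");
    }
}

// Print both variants side by side for comparison.
foreach ([1, 2] as $i => $id) {
    echo $id, ' raw:     ', ids_to_names_unescaped([$id], $users)[0]['text'], "\n";
    echo $id, ' escaped: ', ids_to_names_escaped([$id], $users)[0]['text'], "\n";
}
```

Escape exactly once: if the client-side widget also HTML-escapes the text it receives, names such as "Alice & Bob" will display with literal entities.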