mahara-contributors team mailing list archive

[Robert Lyon <1889485@xxxxxxxxxxxxxxxxxx>]

** Changed in: mahara/20.10
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1889485

Title:
  Security Upgrade SimpleSAML 1.18.4 to 1.18.7

Status in Mahara:
  Fix Released
Status in Mahara 19.04 series:
  Fix Released
Status in Mahara 19.10 series:
  Fix Released
Status in Mahara 20.04 series:
  Fix Released
Status in Mahara 20.10 series:
  Fix Released

Bug description:
  From https://simplesamlphp.org/security/202004-01:

  Date
  April 03, 2020
  Affected versions
  SimpleSAMLphp 1.18.5 and older
  Severity
  Low

  Background

  The module controller in SimpleSAML\Module that processes requests for pages hosted by modules, has code to identify paths ending with .php and process those as PHP code. If no other suitable way of handling the given path exists it presents the file to the browser.
  Description

  The check to identify paths ending with .php does not account for uppercase letters. If someone requests a path ending with e.g. .PHP and the server is serving the code from a case-insensitive file system, such as on Windows, the processing of the PHP code does not occur, and the source code is instead presented to the browser.
  Affected versions

  SimpleSAMLphp versions 1.18.5 and older.

  We will upgrade to version 1.18.7

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1889485/+subscriptions