mahara-contributors team mailing list archive
Message #64977
[Bug 1952808] Re: Able to see name of another account holder's folder
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1952808
Title:
Able to see name of another account holder's folder
Status in Mahara:
Fix Committed
Status in Mahara 20.10 series:
Fix Released
Status in Mahara 21.04 series:
Fix Released
Status in Mahara 21.10 series:
Fix Released
Status in Mahara 22.04 series:
Fix Committed
Bug description:
Problem when passing in a folder id to the 'Files' page: we can see the name of a folder that we don't own.
Testing steps:
1) Create a site with at least two accounts, personA and personB
2) Log in as personA and go to Create -> Files (artefact/file/index.php) page
3) Create a folder, say 'SubFolder', hover the mouse over the folder to find its ID, e.g. '&folder=123'. Make a note of the value and then click into that folder
4) Upload a file to the folder
5) Reload the page and you should be in the home directory of the Files area
6) Change the URL and add to the end the folder id (eg artefact/file/index.php?folder=123) and reload - you should now see that the page loads with you in the folder you created
7) Log out
8) Log in as personB and go to Create -> Files (artefact/file/index.php) page
9) Change the URL and add to the end the folder id (eg artefact/file/index.php?folder=123) and reload
Expected: As you are not the folder owner, you should not go to that folder.
Actual: The name of the other person's folder displays on the screen (plus errors in dev mode).
As this is an escalation of privilege, I'll make it a security bug.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1952808/+subscriptions
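The report above describes a classic direct-object-reference problem: a folder id taken from the query string is resolved and rendered before anyone asks whether the current account owns it. The following PHP is an added illustration, not Mahara's own code and not the committed fix; the folder table, the two resolver functions and the account ids are all hypothetical. It models the decision artefact/file/index.php has to make when it receives ?folder=<id>, showing the vulnerable shape beside a hardened one, and it also covers two inputs the report does not mention (a non-existent id and a malformed id) to show why the hardened version treats every failure the same way.

```php
<?php
// Added illustration, not Mahara's own code. The folder table and both
// resolver functions are hypothetical; they only model the decision the
// Files page must make when it is given ?folder=<id>.

// Constructed sample data: folder 123 belongs to personA (account id 1),
// folder 456 belongs to personB (account id 2).
$folders = [
    123 => ['id' => 123, 'owner' => 1, 'title' => 'SubFolder'],
    456 => ['id' => 456, 'owner' => 2, 'title' => 'Reports'],
];

/**
 * Vulnerable shape of the bug: the id from the query string is cast and
 * looked up without asking who owns it, so any logged-in viewer who knows
 * or guesses an id learns the folder's title. Note that PHP's (int) cast
 * also turns '123abc' into 123, so even a malformed value reaches the lookup.
 */
function resolve_folder_vulnerable(array $folders, ?string $param): ?array
{
    $id = (int) $param;
    return $folders[$id] ?? null;
}

/**
 * Hardened shape: the id must be a well-formed positive integer, the folder
 * must exist, and its owner must be the current viewer. All three failures
 * map to the same result (null, meaning "show the home directory"), so a
 * foreign id is indistinguishable from a non-existent one and the response
 * reveals nothing about other accounts' folders.
 */
function resolve_folder_checked(array $folders, ?string $param, int $viewer): ?array
{
    if ($param === null || !preg_match('/^[1-9][0-9]*$/D', $param)) {
        return null;
    }
    $folder = $folders[(int) $param] ?? null;
    if ($folder === null || $folder['owner'] !== $viewer) {
        return null;
    }
    return $folder;
}

// Walk the report's steps 6 and 9 against both resolvers, plus two extra
// inputs (constructed) that the hardened version must also refuse.
$cases = [
    ['viewer' => 1, 'param' => '123',    'note' => 'personA opens own folder'],
    ['viewer' => 2, 'param' => '123',    'note' => "personB reuses personA's id"],
    ['viewer' => 2, 'param' => '999',    'note' => 'personB tries a missing id'],
    ['viewer' => 2, 'param' => '123abc', 'note' => 'malformed id'],
];

foreach ($cases as $c) {
    $v = resolve_folder_vulnerable($folders, $c['param']);
    $h = resolve_folder_checked($folders, $c['param'], $c['viewer']);
    printf(
        "%-28s vulnerable=%-10s checked=%s\n",
        $c['note'],
        $v ? $v['title'] : '(home)',
        $h ? $h['title'] : '(home)'
    );
}
```

Run with `php example.php`: the vulnerable resolver prints `SubFolder` for personB on both the reused id and the malformed `123abc` (the cast silently truncates it), which is the disclosure the report observed; the checked resolver prints `(home)` for every row except personA's own folder. Returning the same fallback for "not yours" and "does not exist" is deliberate: an explicit "access denied" on a foreign id would still confirm that the id is in use.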