maharadroid token doesn't reset, new users get token of "array"

Bug #1057878 reported by Melissa Draper
Affects: Mahara | Status: Fix Released | Importance: Critical | Assigned to: Melissa Draper

Bug Description

There is a problem with the maharadroid token setting when testing mahara.dev.

After setting maharadroid up and uploading a first image successfully, uploading a second image fails. On investigation I noted that the token never changed on the website.

So I made a new user on the website to investigate if it was problems with the existing user's settings, and the new user's token field had a default of "array" in it.

This is dangerous -- it would make anyone's token actually be the word "array" if they saved their settings page for any reason.

Mahara: 1.6/master
Maharadroid: 1.8, from play store on Sept 28th 2012

Revision history for this message
Melissa Draper (melissa) wrote :

Not actually a security issue, so opening it up.

"Array" is too short for a token by the small mercy of it being a minimum of 5 characters instead of 6.

security vulnerability: yes → no
visibility: private → public
Melissa Draper (melissa)
Changed in mahara:
assignee: nobody → Melissa Draper (melissa)
status: Triaged → In Progress
Revision history for this message
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/1740
Committed: http://gitorious.org/mahara/mahara/commit/c73233ef7b65ef165fc7c642fdbec67f135c0325
Submitter: Hugh Davenport (<email address hidden>)
Branch: master

commit c73233ef7b65ef165fc7c642fdbec67f135c0325
Author: Melissa Draper <email address hidden>
Date: Sat Sep 29 01:17:47 2012 +1200

    Fix regression with mobile upload token (Bug #1057878)

    New users were getting a token of "Array" set by default
    when their settings were populated. It was useless.

    Tokens were not being updated on the website. This was
    due to changes in the api which required the old token
    be passed when refreshing happened, and it was not
    being passed in the json reply.

    Change-Id: Ie8425e439b0b59134825c7922cfa887e7ad49c8b
    Signed-off-by: Melissa Draper <email address hidden>
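
The two defects the report and the commit message describe (a new user's token field populated with the literal string "Array", and a refresh that never takes effect because the current token is not presented) are shown below in an added PHP example. This is not Mahara's code; the setting name `mobileuploadtoken`, the token format and every function name are hypothetical, chosen only to illustrate the failure mode and a hardened token lifecycle.

```php
<?php
declare(strict_types=1);

// Added example, not Mahara's code. All names and the token format are
// hypothetical. It shows (1) how an array default becomes the stored string
// "Array" and (2) a refresh that insists on the current token being presented.

const TOKEN_HEX_LEN = 32; // 16 random bytes, hex encoded

function generate_mobile_token(): string
{
    return bin2hex(random_bytes(TOKEN_HEX_LEN / 2));
}

// Buggy population of a new user's settings: the default is an empty array,
// and writing it into a string field makes PHP cast it to "Array".
function populate_settings_buggy(): array
{
    $defaults = ['mobileuploadtoken' => []];
    $row = [];
    foreach ($defaults as $name => $value) {
        // The @ only hides the "Array to string conversion" warning;
        // the stored value is still the five-character string "Array".
        $row[$name] = @(string) $value;
    }
    return $row;
}

// Hardened: a token is only ever a hex string of the expected length, so a
// stray "Array" (or any other cast artefact) can never authorise anything.
function is_valid_token(mixed $value): bool
{
    return is_string($value)
        && preg_match('/^[0-9a-f]{' . TOKEN_HEX_LEN . '}$/', $value) === 1;
}

function populate_settings_fixed(): array
{
    return ['mobileuploadtoken' => generate_mobile_token()];
}

// Refresh requires the caller to present the current token; the comparison is
// constant-time, and the new token is returned so the client can store it.
function refresh_token(array &$settings, ?string $presented): array
{
    $current = $settings['mobileuploadtoken'] ?? null;
    if (!is_valid_token($current) || $presented === null
        || !hash_equals($current, $presented)) {
        return ['error' => 'token refresh denied'];
    }
    $settings['mobileuploadtoken'] = generate_mobile_token();
    return ['token' => $settings['mobileuploadtoken']];
}

// Self-checking demonstration on constructed settings rows.
$bad = populate_settings_buggy();
if ($bad['mobileuploadtoken'] !== 'Array') {
    throw new RuntimeException('expected the array default to stringify to "Array"');
}
if (is_valid_token($bad['mobileuploadtoken'])
    || !isset(refresh_token($bad, 'Array')['error'])) {
    throw new RuntimeException('a literal "Array" must never be accepted as a token');
}

$good = populate_settings_fixed();
$old = $good['mobileuploadtoken'];
// Omitting the current token (the reported regression) must be refused...
if (!isset(refresh_token($good, null)['error'])) {
    throw new RuntimeException('refresh without the old token must be denied');
}
// ...while presenting it rotates the token to a fresh, different value.
$reply = refresh_token($good, $old);
if (!isset($reply['token']) || $reply['token'] === $old
    || !is_valid_token($good['mobileuploadtoken'])) {
    throw new RuntimeException('refresh with the old token must issue a new one');
}
echo "token lifecycle checks passed\n";
```

Run it with `php example.php`; any deviation from the behaviour described above throws rather than silently passing. The `@(string)` cast is the point of the buggy half: suppressing the warning does not change the stored value, so a settings loader that writes defaults field-by-field will persist "Array" unless the value is validated before it is written, as `is_valid_token()` does in the fixed half.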

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/1798
Committed: http://gitorious.org/mahara/mahara/commit/9caa3de1ee80172a71c91b66876cd69d3a96d3ab
Submitter: Melissa Draper (<email address hidden>)
Branch: 1.6_STABLE

commit 9caa3de1ee80172a71c91b66876cd69d3a96d3ab
Author: Melissa Draper <email address hidden>
Date: Sat Sep 29 01:17:47 2012 +1200

    Fix regression with mobile upload token (Bug #1057878)

    New users were getting a token of "Array" set by default
    when their settings were populated. It was useless.

    Tokens were not being updated on the website. This was
    due to changes in the api which required the old token
    be passed when refreshing happened, and it was not
    being passed in the json reply.

    Change-Id: Ie8425e439b0b59134825c7922cfa887e7ad49c8b
    Signed-off-by: Melissa Draper <email address hidden>

Changed in mahara:
status: In Progress → Fix Committed
milestone: 1.6.0 → 1.6.1
Revision history for this message
Hugh Davenport (hugh-davenport) wrote :

 status fixreleased

Changed in mahara:
status: Fix Committed → Fix Released