Session key validation not working in pieforms
Bug #771598 reported by
Richard Mansfield
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Mahara |
Fix Released
|
High
|
Richard Mansfield | ||
| 1.2 |
Fix Released
|
High
|
Richard Mansfield | ||
| 1.3 |
Fix Released
|
High
|
Richard Mansfield | ||
Bug Description
The 'sesskey' hidden element is added automatically to every form created by the pieform constructor, but it's not validated because on submission, the sesskey's value is regenerated in the pieform constructor rather than read from the posted value.
For the fix on stable versions, we should check the name of the hidden element and for 'sesskey', read it in from the appropriate parameter.
On master, we should leave the hidden element as it is, and use a new pieform element type for sesskey validation.
Reported by Bart van Delft.
CVE References
Revision history for this message
| Richard Mansfield (richard-mansfield) wrote | #1 |
| Changed in mahara: | |
| milestone: | none → 1.4.0 |
Revision history for this message
| Richard Mansfield (richard-mansfield) wrote | #3 |
| Changed in mahara: | |
| assignee: | nobody → Richard Mansfield (richard-mansfield) |
| visibility: | private → public |
| Changed in mahara: | |
| status: | In Progress → Fix Committed |
| Changed in mahara: | |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
Changed my mind for the master patch. The previously uploaded patch, which introduced a new pieform element called 'sesskey', caused the edit profile form to fail with 'no sesskey', and it would require a bunch more hacks in pieforms to fix that. This replacement fixes the bug by setting a 'sesskey' property on the hidden element instead.