RSS block contents randomly copied from one block to another

Bug #1171714 reported by Mahara Bot
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
Fix Released
Critical
Aaron Wells
1.5
Fix Released
Critical
Unassigned
1.6
Fix Released
Critical
Unassigned
1.7
Fix Released
Critical
Unassigned

Bug Description

We've identified a problem with RSS feeds, which is a regression caused by the patch for https://bugs.launchpad.net/mahara/+bug/1081431

The cron job that refreshes the RSS feeds is not properly initializing a loop variable as it process each feed. As a result, if the attempt to fetch & parse a block's RSS feed errors out, the block gets its contents overwritten by the last RSS feed processed by the loop. There is no way to recover the data in the overwritten RSS feed block, and there is no automatic way to detect which RSS feeds have been overwritten by this bug, and which are genuine duplicate RSS feeds (from multiple users subscribing to the same feed).

There are also security ramifications to this bug, because if an RSS feed which gets copied contains a username and password, they will be visible in plaintext to the user into whose Page they have been copied.

Tags: rss

CVE References

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Implementing a fix for https://bugs.launchpad.net/mahara/+bug/1016253 will mitigate the security ramifications.

Revision history for this message
Aaron Wells (u-aaronw) wrote :

Oops, logged in as Mahara Bot when I created this bug. Again. :)

Changed in mahara:
status: New → Triaged
importance: Undecided → Critical
assignee: nobody → Aaron Wells (u-aaronw)
Revision history for this message
Aaron Wells (u-aaronw) wrote :
Revision history for this message
Aaron Wells (u-aaronw) wrote :

To test:

1. Create a Mahara site with two RSS blocks in it
2. Point one block at a URL that will return a garbled RSS feed (this can be tricky to accomplish, because Mahara validates the RSS feed when you create the block. I found it easiest to update the url directly in the blocktype_externalfeed_data table)
3. Run the cron job to refresh both blocks (Again, this is tricky because the rss refresh_feeds task has some timing restrictions in it; I wound up editing the code to simplify the SQL so that it fetched every feed every time, and sorted them in order so that the good feed always came before the bad feed)

Actual result: If the bad RSS feed gets processed after the good RSS feed in the loop, it will be overwritten with the good RSS feed's data.

Expected result: Neither RSS feed should be overwritten by the other

Revision history for this message
Aaron Wells (u-aaronw) wrote :

Patch for master branch reviewed and approved by Son: https://reviews.mahara.org/#/c/2083/

Revision history for this message
Aaron Wells (u-aaronw) wrote :
Aaron Wells (u-aaronw)
information type: Private Security → Public Security
Aaron Wells (u-aaronw)
Changed in mahara:
status: Triaged → Fix Committed
milestone: none → 1.8.0rc1
status: Fix Committed → Fix Released
status: Fix Released → Fix Committed
milestone: 1.8.0rc1 → none
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers