Not checking artefact permissions before exporting

Bug #1234615 reported by Aaron Wells on 2013-10-03
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
Medium
Unassigned
1.10
Medium
Unassigned
1.9
Medium
Unassigned
15.04
Medium
Unassigned
15.10
Medium
Unassigned
16.04
Medium
Unassigned
16.10
Medium
Unassigned

Bug Description

In https://bugs.launchpad.net/bugs/1211758 , the reporter mentioned that in addition to embedding other users' artefacts in your pages, you could export them to view their full content:

#3: Export function allows arbitrary file download
Using the technique above you can get a 1024x1024 'thumbnail' of any users arbitrary file. Simply use the export function on a page like the one above where other users images are embedded. Make sure the embedded images max-size is set to 1024 and it will appear within /files/extra.

There is an obvious fix for this issue, of checking $USER->can_publish_artefac()t or $USER->can_view_artefact() on each artefact before exporting it. But when Robert tested this fix, he found that it was too resource-intensive (as part of the already resource-intensive export process) for it to work while exporting an average-sized portfolio.

Since fixing the embedding of other users' data mitigates the risk from this issue and was easier to accomplish, I've released that fix and spun this one off into a separate bug to fix when we're able.

CVE References

Aaron Wells (u-aaronw) on 2013-12-16
Changed in mahara:
milestone: 1.8.1 → 1.9.0
Aaron Wells (u-aaronw) on 2014-04-14
Changed in mahara:
milestone: 1.9.0 → 1.9.1
no longer affects: mahara/1.6
Aaron Wells (u-aaronw) on 2014-09-09
no longer affects: mahara/1.7
tags: added: no-behat-needed
Aaron Wells (u-aaronw) on 2015-10-27
no longer affects: mahara/1.8
Robert Lyon (robertl-9) wrote :

From my investigations it looks the problem is only related to the HTML export and when blocks have artefacts attached that are not owned by the user.

Robert Lyon (robertl-9) wrote :

And because of that we can use can_view_artefact() as the number of artefacts not owned by user being exported will be low

Reviewed: https://reviews.mahara.org/6672
Committed: https://git.mahara.org/mahara/mahara/commit/aa31ba590f15010b6b27d9cec66a9f1ce8d62c7e
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit aa31ba590f15010b6b27d9cec66a9f1ce8d62c7e
Author: Robert Lyon <email address hidden>
Date: Fri Jul 8 11:02:22 2016 +1200

Bug 1234615: Check that resized image files are viewable by user

When exporting via Html export process - if not then ignore the file

To test:

1) Add an image block/file to a page and set a width value

2) Go into db block_instance table and change the artefactid to an
image that is owned by another user

3) Reload the page - you should see the image block but not the
attached image

4) Export the page as HTML, either as full or standalone

Before patch - you will end up with image file in the files/extra/
directory

After patch - you should not get the image in the files/extra/
directory and you should get an info warning 'Unable to copy artefact
file ***' on export page.

behatnotneeded

Change-Id: Iaeb9404b3329c4eb3eac59354801b598f7cd5ba8
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/6692
Committed: https://git.mahara.org/mahara/mahara/commit/36ab4bffb02b1a4f43ed1a5fd20dccad4a18d642
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.04_STABLE

commit 36ab4bffb02b1a4f43ed1a5fd20dccad4a18d642
Author: Robert Lyon <email address hidden>
Date: Fri Jul 8 11:02:22 2016 +1200

Bug 1234615: Check that resized image files are viewable by user

When exporting via Html export process - if not then ignore the file

To test:

1) Add an image block/file to a page and set a width value

2) Go into db block_instance table and change the artefactid to an
image that is owned by another user

3) Reload the page - you should see the image block but not the
attached image

4) Export the page as HTML, either as full or standalone

Before patch - you will end up with image file in the files/extra/
directory

After patch - you should not get the image in the files/extra/
directory and you should get an info warning 'Unable to copy artefact
file ***' on export page.

behatnotneeded

Change-Id: Iaeb9404b3329c4eb3eac59354801b598f7cd5ba8
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/6693
Committed: https://git.mahara.org/mahara/mahara/commit/d6399ee68eddf53a46bb046f77656bb4fb3044b8
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.10_STABLE

commit d6399ee68eddf53a46bb046f77656bb4fb3044b8
Author: Robert Lyon <email address hidden>
Date: Fri Jul 8 11:02:22 2016 +1200

Bug 1234615: Check that resized image files are viewable by user

When exporting via Html export process - if not then ignore the file

To test:

1) Add an image block/file to a page and set a width value

2) Go into db block_instance table and change the artefactid to an
image that is owned by another user

3) Reload the page - you should see the image block but not the
attached image

4) Export the page as HTML, either as full or standalone

Before patch - you will end up with image file in the files/extra/
directory

After patch - you should not get the image in the files/extra/
directory and you should get an info warning 'Unable to copy artefact
file ***' on export page.

behatnotneeded

Change-Id: Iaeb9404b3329c4eb3eac59354801b598f7cd5ba8
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/6694
Committed: https://git.mahara.org/mahara/mahara/commit/32b65c72762f50dbddfda20a5c9b74c66cbb5343
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit 32b65c72762f50dbddfda20a5c9b74c66cbb5343
Author: Robert Lyon <email address hidden>
Date: Fri Jul 8 11:02:22 2016 +1200

Bug 1234615: Check that resized image files are viewable by user

When exporting via Html export process - if not then ignore the file

To test:

1) Add an image block/file to a page and set a width value

2) Go into db block_instance table and change the artefactid to an
image that is owned by another user

3) Reload the page - you should see the image block but not the
attached image

4) Export the page as HTML, either as full or standalone

Before patch - you will end up with image file in the files/extra/
directory

After patch - you should not get the image in the files/extra/
directory and you should get an info warning 'Unable to copy artefact
file ***' on export page.

behatnotneeded

Change-Id: Iaeb9404b3329c4eb3eac59354801b598f7cd5ba8
Signed-off-by: Robert Lyon <email address hidden>

Robert Lyon (robertl-9) on 2016-07-11
information type: Private Security → Public Security
Robert Lyon (robertl-9) on 2016-10-21
Changed in mahara:
milestone: 16.04.1 → none
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers