Mahara

Not checking artefact permissions before exporting

Bug #1234615 reported by Aaron Wells on 2013-10-03

256

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Mahara	Fix Released	Medium	Unassigned
1.10	Won't Fix	Medium	Unassigned
1.9	Won't Fix	Medium	Unassigned
15.04	Fix Released	Medium	Unassigned	Mahara 15.04.8
15.10	Fix Released	Medium	Unassigned	Mahara 15.10.4
16.04	Fix Released	Medium	Unassigned	Mahara 16.04.2
16.10	Fix Released	Medium	Unassigned	Mahara 16.10.0

Bug Description

In https://bugs.launchpad.net/bugs/1211758 , the reporter mentioned that in addition to embedding other users' artefacts in your pages, you could export them to view their full content:

#3: Export function allows arbitrary file download
Using the technique above you can get a 1024x1024 'thumbnail' of any users arbitrary file. Simply use the export function on a page like the one above where other users images are embedded. Make sure the embedded images max-size is set to 1024 and it will appear within /files/extra.

There is an obvious fix for this issue, of checking $USER->can_publish_artefac()t or $USER->can_view_artefact() on each artefact before exporting it. But when Robert tested this fix, he found that it was too resource-intensive (as part of the already resource-intensive export process) for it to work while exporting an average-sized portfolio.

Since fixing the embedding of other users' data mitigates the risk from this issue and was easier to accomplish, I've released that fix and spun this one off into a separate bug to fix when we're able.

Tags:

CVE References

2017-1000133

Aaron Wells (u-aaronw) on 2013-12-16

Changed in mahara:
milestone:	1.8.1 → 1.9.0

Aaron Wells (u-aaronw) on 2014-04-14

Changed in mahara:
milestone:	1.9.0 → 1.9.1
no longer affects:	mahara/1.6

Aaron Wells (u-aaronw) on 2014-09-09

no longer affects:

mahara/1.7

Jinelle Foley-Barnes (jinelleb) on 2015-04-20

tags:

added: no-behat-needed

Aaron Wells (u-aaronw) on 2015-10-27

no longer affects:

mahara/1.8

Revision history for this message

Robert Lyon (robertl-9) wrote on 2016-07-07:

From my investigations it looks the problem is only related to the HTML export and when blocks have artefacts attached that are not owned by the user.

Revision history for this message

Robert Lyon (robertl-9) wrote on 2016-07-07:

And because of that we can use can_view_artefact() as the number of artefacts not owned by user being exported will be low

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2016-07-11: A change has been merged

Reviewed: https://reviews.mahara.org/6672
Committed: https://git.mahara.org/mahara/mahara/commit/aa31ba590f15010b6b27d9cec66a9f1ce8d62c7e
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit aa31ba590f15010b6b27d9cec66a9f1ce8d62c7e
Author: Robert Lyon <email address hidden>
Date: Fri Jul 8 11:02:22 2016 +1200

Bug 1234615: Check that resized image files are viewable by user

When exporting via Html export process - if not then ignore the file

To test:

1) Add an image block/file to a page and set a width value

2) Go into db block_instance table and change the artefactid to an
image that is owned by another user

3) Reload the page - you should see the image block but not the
attached image

4) Export the page as HTML, either as full or standalone

Before patch - you will end up with image file in the files/extra/
directory

After patch - you should not get the image in the files/extra/
directory and you should get an info warning 'Unable to copy artefact
file ***' on export page.

behatnotneeded

Change-Id: Iaeb9404b3329c4eb3eac59354801b598f7cd5ba8
Signed-off-by: Robert Lyon <email address hidden>

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2016-07-11:

Reviewed: https://reviews.mahara.org/6692
Committed: https://git.mahara.org/mahara/mahara/commit/36ab4bffb02b1a4f43ed1a5fd20dccad4a18d642
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.04_STABLE

commit 36ab4bffb02b1a4f43ed1a5fd20dccad4a18d642
Author: Robert Lyon <email address hidden>
Date: Fri Jul 8 11:02:22 2016 +1200

Bug 1234615: Check that resized image files are viewable by user

When exporting via Html export process - if not then ignore the file

To test:

1) Add an image block/file to a page and set a width value

2) Go into db block_instance table and change the artefactid to an
image that is owned by another user

3) Reload the page - you should see the image block but not the
attached image

4) Export the page as HTML, either as full or standalone

Before patch - you will end up with image file in the files/extra/
directory

After patch - you should not get the image in the files/extra/
directory and you should get an info warning 'Unable to copy artefact
file ***' on export page.

behatnotneeded

Change-Id: Iaeb9404b3329c4eb3eac59354801b598f7cd5ba8
Signed-off-by: Robert Lyon <email address hidden>

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2016-07-11:

Reviewed: https://reviews.mahara.org/6693
Committed: https://git.mahara.org/mahara/mahara/commit/d6399ee68eddf53a46bb046f77656bb4fb3044b8
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.10_STABLE

commit d6399ee68eddf53a46bb046f77656bb4fb3044b8
Author: Robert Lyon <email address hidden>
Date: Fri Jul 8 11:02:22 2016 +1200

Bug 1234615: Check that resized image files are viewable by user

When exporting via Html export process - if not then ignore the file

To test:

1) Add an image block/file to a page and set a width value

2) Go into db block_instance table and change the artefactid to an
image that is owned by another user

3) Reload the page - you should see the image block but not the
attached image

4) Export the page as HTML, either as full or standalone

Before patch - you will end up with image file in the files/extra/
directory

After patch - you should not get the image in the files/extra/
directory and you should get an info warning 'Unable to copy artefact
file ***' on export page.

behatnotneeded

Change-Id: Iaeb9404b3329c4eb3eac59354801b598f7cd5ba8
Signed-off-by: Robert Lyon <email address hidden>

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2016-07-11:

Reviewed: https://reviews.mahara.org/6694
Committed: https://git.mahara.org/mahara/mahara/commit/32b65c72762f50dbddfda20a5c9b74c66cbb5343
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit 32b65c72762f50dbddfda20a5c9b74c66cbb5343
Author: Robert Lyon <email address hidden>
Date: Fri Jul 8 11:02:22 2016 +1200

Bug 1234615: Check that resized image files are viewable by user

When exporting via Html export process - if not then ignore the file

To test:

1) Add an image block/file to a page and set a width value

2) Go into db block_instance table and change the artefactid to an
image that is owned by another user

3) Reload the page - you should see the image block but not the
attached image

4) Export the page as HTML, either as full or standalone

Before patch - you will end up with image file in the files/extra/
directory

After patch - you should not get the image in the files/extra/
directory and you should get an info warning 'Unable to copy artefact
file ***' on export page.

behatnotneeded

Change-Id: Iaeb9404b3329c4eb3eac59354801b598f7cd5ba8
Signed-off-by: Robert Lyon <email address hidden>

Robert Lyon (robertl-9) on 2016-07-11

information type:

Private Security → Public Security

Robert Lyon (robertl-9) on 2016-10-21

Changed in mahara:
milestone:	16.04.1 → none
status:	Fix Committed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.