Minor version number displayed in JS, CSS links

Bug #1384481 reported by Aaron Wells on 2014-10-22
Affects   Importance   Assigned to
Mahara    Low          Aaron Wells
1.10      Low          Unassigned
1.8       Low          Unassigned
1.9       Low          Unassigned
15.04     Low          Aaron Wells

Bug Description

We made a conscious decision, for security reasons, not to display the Mahara minor version number on the footer of every page, except to Mahara admins.

However, in bug 1214124 we then added the minor version number to every stylesheet and Javascript URL, which makes it trivially easy to find. You just look at the source code, and look for style.css:

    <link rel="stylesheet" type="text/css" href="https://mahara.org/theme/raw/static/style/style.css?v=1.9.3">

We should replace this with an arbitrary integer stored in a config variable, which gets incremented whenever we upgrade the site. This would have the added (minor) benefit that you could then force a reloading of all the assets without incrementing the major version number, by simply increasing this integer.

Only low importance, because a hacker could probably infer the Mahara version number anyway, by looking at changes in the site's behavior.

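The check described above (look at the page source, find style.css, read the version off the query string) can be automated for a whole page. The following Python is an added example, not Mahara code: it collects every stylesheet and script URL from a page, classifies the `v=` cache-buster as a release string (what bug 1214124 introduced), an opaque value (what this bug proposes), or absent, and returns the URLs that disclose the version. The sample HTML is constructed for the example; the function names are my own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample page, not captured from a real Mahara install: two assets
# still tagged with the release string (the pattern the bug describes), two
# tagged with an opaque integer, and one with no cache-buster at all.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" type="text/css" href="https://mahara.org/theme/raw/static/style/style.css?v=1.9.3">
<script type="text/javascript" src="https://mahara.org/js/mahara.js?v=1.9.3"></script>
<link rel="stylesheet" type="text/css" href="/theme/raw/static/style/print.css?v=27">
<script type="text/javascript" src="/js/jquery/jquery.js?v=27"></script>
<script type="text/javascript" src="/js/legacy.js"></script>
</head><body></body></html>
"""

# Anything shaped like a release string: 1.9.3, 1.10, 15.04, 15.04rc1.
RELEASE_RE = re.compile(r"^\d+\.\d+(\.\d+)?([A-Za-z]+\d*)?$")


class AssetCollector(HTMLParser):
    """Collect the URLs of every <link href> and <script src> in a page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            self.urls.append(a["href"])
        elif tag == "script" and a.get("src"):
            self.urls.append(a["src"])


def asset_urls(html):
    parser = AssetCollector()
    parser.feed(html)
    return parser.urls


def classify_cache_buster(url, param="v"):
    """Return 'release' if the cache-buster looks like a version number,
    'opaque' if it is something else (e.g. an integer), None if absent."""
    values = parse_qs(urlsplit(url).query).get(param)
    if not values:
        return None
    return "release" if RELEASE_RE.match(values[0]) else "opaque"


def audit_assets(html):
    """Group a page's asset URLs by what their cache-buster reveals."""
    report = {"release": [], "opaque": [], "none": []}
    for url in asset_urls(html):
        report[classify_cache_buster(url) or "none"].append(url)
    return report


def find_release_leaks(html):
    """The URLs an unauthenticated visitor can read the minor version from."""
    return sorted(set(audit_assets(html)["release"]))


if __name__ == "__main__":
    for url in find_release_leaks(SAMPLE_HTML):
        print("version disclosed:", url)
```

Run it against the HTML of your own login page (fetched unauthenticated) after applying the fix; an opaque integer in every `v=` and an empty `release` list is the expected result. Note that a bare integer such as `27` still tells an attacker how many upgrades the site has had, which is why the bug rates the disclosure as low rather than nil.
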

Aaron Wells (u-aaronw) wrote :

That said, I've also filed a separate (non-security) bug 1384497, for the purpose of displaying the *major* version number openly.

Aaron Wells (u-aaronw) on 2014-10-23
description: updated
information type: Private Security → Public Security
Aaron Wells (u-aaronw) on 2014-10-23
description: updated
Mahara Bot (dev-mahara) wrote :

Patch for "master" branch: https://reviews.mahara.org/3860

Reviewed: https://reviews.mahara.org/3860
Committed: http://gitorious.org/mahara/mahara/commit/3cc6ecedcf7bc1a560382338910056d70033aa78
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 3cc6ecedcf7bc1a560382338910056d70033aa78
Author: Aaron Wells <email address hidden>
Date: Thu Oct 23 13:57:17 2014 +1300

Hide the minor version in RSS feeds

Bug 1384481

Change-Id: If8e9fb096b73e71438ad57e036e46aebfbf472e7

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3859
Committed: http://gitorious.org/mahara/mahara/commit/d23587869a23acad5144576aa00eaad5a8e58c4f
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit d23587869a23acad5144576aa00eaad5a8e58c4f
Author: Aaron Wells <email address hidden>
Date: Thu Oct 23 13:45:26 2014 +1300

Replace minor version in URLs with an arbitrary cache version

Bug 1384481

Change-Id: Ia34c51ccae2859e3860896a5fa9fda5a4cbff1dc

Mahara Bot (dev-mahara) wrote :

Patch for "1.10_STABLE" branch: https://reviews.mahara.org/3917

Aaron Wells (u-aaronw) on 2014-11-05
information type: Public Security → Private Security
Aaron Wells (u-aaronw) wrote :

We need to make a change to that patch that was backported, to make sure that it's safe to run it multiple times. Currently it resets the cacheversion every time, which could mean that the cacheversion gets rewound to an earlier state and overlaps with an older cacheversion.

Aaron Wells (u-aaronw) wrote :

Here are all the patches that add cacheversion. We'll need to add a bit more logic to the ones for 1.9_STABLE, 1.10_STABLE, and master. (1.8_STABLE is okay because it can't overrun an earlier version.)

https://reviews.mahara.org/#/q/Ia34c51ccae2859e3860896a5fa9fda5a4cbff1dc,n,z

Aaron Wells (u-aaronw) on 2014-11-06
information type: Private Security → Public Security
Mahara Bot (dev-mahara) wrote :

Patch for "master" branch: https://reviews.mahara.org/3933

Mahara Bot (dev-mahara) wrote :

Patch for "1.10_STABLE" branch: https://reviews.mahara.org/3934

Mahara Bot (dev-mahara) wrote :

Patch for "1.9_STABLE" branch: https://reviews.mahara.org/3935

Aaron Wells (u-aaronw) wrote :

I uploaded a patch for master, 1.10_STABLE, and 1.9_STABLE, which will fix the problem with cacheversion getting wiped during upgrade: https://reviews.mahara.org/#/q/I14a61c08229de51f8e0bb25aa12c42826f2f1639,n,z

(Not needed in 1.8_STABLE, since there's no earlier version of Mahara with $CFG->cacheversion.)

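The rewind problem raised in the two comments above is easy to reproduce in a model. The Python below is an added example, not Mahara's upgrade code: a dict stands in for the config table, upgrade steps are applied by version stamp the way a branch upgrade would apply them, and the cache-version patch is present on both the 1.9 and 1.10 step lists with different stamps, so a site going 1.9 to 1.10 runs it twice. The naive seeding step resets the counter and hands out an asset URL that was already served for older content; the guarded one (check whether the value exists before initializing it) does not. Version stamps and function names are constructed for the example.

```python
STYLE = "/theme/raw/static/style/style.css"


def init_cacheversion_naive(cfg):
    # Shape of the first backport: seeds the value unconditionally, so a
    # second run rewinds whatever the site had reached.
    cfg["cacheversion"] = 1
    return cfg["cacheversion"]


def init_cacheversion_guarded(cfg):
    # Only seed when the key is absent; running the step again is a no-op.
    if "cacheversion" not in cfg:
        cfg["cacheversion"] = 1
    return cfg["cacheversion"]


def bump_cacheversion(cfg):
    # Strictly increasing, so an asset URL is never reused for new content.
    cfg["cacheversion"] = cfg.get("cacheversion", 0) + 1
    return cfg["cacheversion"]


def asset_url(cfg, path):
    return f"{path}?v={cfg['cacheversion']}"


def run_upgrade(cfg, steps):
    """Model of one upgrade run: apply each step whose stamp is newer than the
    site's recorded version, then bump cacheversion once so every asset URL
    changes after the upgrade. Returns the number of steps applied."""
    applied = 0
    for stamp, step in sorted(steps, key=lambda s: s[0]):
        if stamp > cfg.get("version", 0):
            step(cfg)
            cfg["version"] = stamp
            applied += 1
    if applied:
        bump_cacheversion(cfg)
    return applied


def branch_steps(init_step):
    # Constructed stamps (not Mahara's real ones): the cacheversion patch
    # lands on 1.9_STABLE and, with a later stamp, on 1.10_STABLE.
    steps_1_9 = [(2014090100, lambda cfg: None), (2014110600, init_step)]
    steps_1_10 = [(2014100100, lambda cfg: None), (2014110601, init_step)]
    return steps_1_9, steps_1_10


def simulate(init_step):
    """Fresh 1.9 site, two point releases, then an upgrade to 1.10.
    Returns (final cacheversion, asset URLs served over time, collided?)."""
    steps_1_9, steps_1_10 = branch_steps(init_step)
    cfg = {}
    urls = []
    run_upgrade(cfg, steps_1_9)
    urls.append(asset_url(cfg, STYLE))
    for _ in range(2):                      # 1.9.x point releases
        bump_cacheversion(cfg)
        urls.append(asset_url(cfg, STYLE))
    run_upgrade(cfg, steps_1_10)            # the backported step runs again
    urls.append(asset_url(cfg, STYLE))
    collided = len(urls) != len(set(urls))
    return cfg["cacheversion"], urls, collided


if __name__ == "__main__":
    for name, step in (("naive", init_cacheversion_naive),
                       ("guarded", init_cacheversion_guarded)):
        final, urls, collided = simulate(step)
        print(f"{name}: cacheversion={final} collided={collided} urls={urls}")
```

A collision here means a browser or proxy that cached `style.css?v=2` from the first release will keep serving that stale copy after the upgrade to 1.10, which is exactly the failure cache-busting exists to prevent.
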
Reviewed: https://reviews.mahara.org/3933
Committed: http://gitorious.org/mahara/mahara/commit/e469a84966fd62488c6bbda599006b27b13904b1
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit e469a84966fd62488c6bbda599006b27b13904b1
Author: Aaron Wells <email address hidden>
Date: Thu Nov 6 17:07:27 2014 +1300

Check whether $CFG->cacheversion exists before initializing it

Bug 1384481

Change-Id: I14a61c08229de51f8e0bb25aa12c42826f2f1639

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3934
Committed: http://gitorious.org/mahara/mahara/commit/8929073ae48299cbbddde46ed3c6912de110dc07
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.10_STABLE

commit 8929073ae48299cbbddde46ed3c6912de110dc07
Author: Aaron Wells <email address hidden>
Date: Thu Nov 6 17:07:27 2014 +1300

Check whether $CFG->cacheversion exists before initializing it

Bug 1384481

Change-Id: I14a61c08229de51f8e0bb25aa12c42826f2f1639

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3935
Committed: http://gitorious.org/mahara/mahara/commit/4d18b12afccc64b53aee89c6ae0aa61721dfcf09
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.9_STABLE

commit 4d18b12afccc64b53aee89c6ae0aa61721dfcf09
Author: Aaron Wells <email address hidden>
Date: Thu Nov 6 17:07:27 2014 +1300

Check whether $CFG->cacheversion exists before initializing it

Bug 1384481

Change-Id: I14a61c08229de51f8e0bb25aa12c42826f2f1639

Robert Lyon (robertl-9) wrote :

Important note:

The patch for this problem only patches the issues in the core code - if your site is using custom themes, you will need to check that they are not disclosing the minor version number.

To check if you need to make adjustments first search for this string:

  v={$RELEASE}

If it exists in your code anywhere (most likely in theme/[yourthemename]/templates/header/head.tpl) then you will need to change it to:

  v={$CACHEVERSION}

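The search-and-replace above can be scripted so it is repeatable across every custom theme on a host. The shell functions below are an added example, not part of Mahara's tooling: they list the template lines still carrying `v={$RELEASE}`, count them, and rewrite them to `v={$CACHEVERSION}` in place. The sample theme they are run against is constructed for the example; the function names are my own.

```shell
#!/bin/sh
# Audit a theme tree for the release-string cache-buster and rewrite it.

# Print every .tpl line under $1 that still carries v={$RELEASE}.
# Fixed-string match (-F) so the braces and dollar sign are taken literally.
find_release_refs() {
    grep -rnF --include='*.tpl' 'v={$RELEASE}' "$1" || true
}

# Number of such lines; 0 means the theme tree is clean.
count_release_refs() {
    find_release_refs "$1" | wc -l | tr -d ' '
}

# Rewrite v={$RELEASE} to v={$CACHEVERSION} in place in every affected file.
# In sed's pattern the dollar sign is escaped; braces are literal in BRE.
fix_release_refs() {
    grep -rlF --include='*.tpl' 'v={$RELEASE}' "$1" | while IFS= read -r f; do
        sed -i.bak 's|v={\$RELEASE}|v={$CACHEVERSION}|g' "$f" && rm -f "$f.bak"
    done
}

# Constructed custom theme to run against (not a real Mahara theme): two
# assets tagged with the release string, one already using the cache version.
make_sample_theme() {
    dir="$1"
    mkdir -p "$dir/mytheme/templates/header"
    cat > "$dir/mytheme/templates/header/head.tpl" <<'EOF'
<link rel="stylesheet" type="text/css" href="{$WWWROOT}theme/mytheme/static/style/style.css?v={$RELEASE}">
<script type="text/javascript" src="{$WWWROOT}js/mytheme.js?v={$RELEASE}"></script>
<link rel="stylesheet" type="text/css" href="{$WWWROOT}theme/raw/static/style/print.css?v={$CACHEVERSION}">
EOF
}
```

Run `find_release_refs /path/to/mahara/theme` first and review the hits before calling `fix_release_refs` on the same directory; after the rewrite, `count_release_refs` should report 0.
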
Robert Lyon (robertl-9) on 2015-04-17
Changed in mahara:
status: Fix Committed → Fix Released