Avoid saving firstname / lastname / preferredname that contains html tags

Bug #1719491 reported by Robert Lyon on 2017-09-26
This bug affects 1 person
Affects    Importance    Assigned to
Mahara     High          Robert Lyon
15.04      High          Unassigned
16.04      High          Unassigned
16.10      High          Unassigned
17.04      High          Unassigned
17.10      High          Robert Lyon

Bug Description

Because the name is used in email messages and could cause problems

We began to deal with this issue in Bug 1697308 to stop someone signing up with a bad name, but we should also check if the user is changing their name as part of required fields and/or editing their profile
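The two halves of the fix this report asks for, validating the name fields on save and escaping them wherever they are displayed, as an added illustrative example; this is not Mahara's code, and the field names, the tag pattern and the sample values are assumptions made here:

```python
import html
import re

# Illustrative check for this bug report, not Mahara's own code. The field
# names mirror the report (firstname / lastname / preferredname); the rest
# is assumed here.
NAME_FIELDS = ("firstname", "lastname", "preferredname")

# Something that parses as an HTML tag: <b>, </b>, <br/>, <img src=...>, or
# the start of a comment. A bare "<" followed by a space or digit is not a
# tag and is left alone so names such as "a < b" are not rejected.
TAG_RE = re.compile(r"</?[a-zA-Z][a-zA-Z0-9-]*(?:[\s/][^>]*)?>|<!--")


def contains_html_tag(value: str) -> bool:
    """True if the value contains anything that looks like an HTML tag."""
    return TAG_RE.search(value) is not None


def validate_profile_names(fields: dict) -> dict:
    """Return {field: error} for every name field that must not be saved.

    Intended to run on sign-up, on the required-fields form and on profile
    edit, i.e. every path that can change a name.
    """
    errors = {}
    for name in NAME_FIELDS:
        value = fields.get(name)
        if value is not None and contains_html_tag(value):
            errors[name] = "must not contain HTML tags"
    return errors


def display_name(fields: dict) -> str:
    """Escaped display name: the preferred name if set, else first + last.

    Output escaping stays in place even with the save-time check: names stored
    before the check existed, or entity-encoded input, still reach this point.
    """
    preferred = (fields.get("preferredname") or "").strip()
    if preferred:
        return html.escape(preferred, quote=True)
    full = f"{fields.get('firstname', '')} {fields.get('lastname', '')}".strip()
    return html.escape(full, quote=True)


def default_license_string(fields: dict) -> str:
    """The 'all rights reserved' default, built only from the escaped name."""
    return f"{display_name(fields)}, all rights reserved"
```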

Robert Lyon (robertl-9) wrote :

Also deals with https://reviews.mahara.org/#/c/8079/3 where we don't escape names in the artefact-chooser on the profile information block

Robert Lyon (robertl-9) wrote :

Also deals with when copyright license defaults to 'all rights reserved' + displayname
https://reviews.mahara.org/#/c/8078/

Kristina Hoeppner (kris-hoeppner) wrote :

Reported by chbi and Robert Lyon

information type: Private Security → Public Security
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/8235
Committed: https://git.mahara.org/mahara/mahara/commit/a15466b40fb4b7906e08f753cab7723ece61a7af
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit a15466b40fb4b7906e08f753cab7723ece61a7af
Author: Robert Lyon <email address hidden>
Date: Mon Oct 2 10:14:27 2017 +1300

Bug 1719491: Escape string for default license

Which is only the user's name

Change-Id: I01d3dab89c0f48b6b734b31690f1b4036c7cf7a6
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 974728ddbe52e8a698950cbb633ae3c4e5a354ac)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8214
Committed: https://git.mahara.org/mahara/mahara/commit/6beeb22f22408161f7f4baef6d53c981288ca718
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit 6beeb22f22408161f7f4baef6d53c981288ca718
Author: Robert Lyon <email address hidden>
Date: Mon Oct 2 10:41:49 2017 +1300

Bug 1719491: Escape title for profile field in internal artefact chooser

an oversight from commit dde8e52b2b311aa992997b90d1b4f7bebefcc2f3

Change-Id: Iba1c23b7b88cfb9526627f1b9c934bb94ecc4e5c
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 873eeed00e73463f69d48f8e187226507b3cbdd0)
(cherry picked from commit 9ccdfe2dc7ae6cfc0ce42142bfd4d6cd1e1b12fe)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8230
Committed: https://git.mahara.org/mahara/mahara/commit/e94cf6940e6bb7627e743cdfa99eb45f0eebd797
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit e94cf6940e6bb7627e743cdfa99eb45f0eebd797
Author: Robert Lyon <email address hidden>
Date: Tue Sep 26 13:29:05 2017 +1300

Security bug 1719491: Stop user saving bad first/last/preferred name

to avoid having problems when the user emails another user

Change-Id: If694e969ea8a9d77badfffa095dc5fac3b6da417
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit dbbbb91cce379de6b8720b644508d6a60ac5b7b7)
(cherry picked from commit bf1717cbe0cb057c0a8f01061b4fa4a5ef7b1365)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8213
Committed: https://git.mahara.org/mahara/mahara/commit/6d77406629c8d1d6619d6b87c93f0b03cbf8c6b1
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.04_STABLE

commit 6d77406629c8d1d6619d6b87c93f0b03cbf8c6b1
Author: Robert Lyon <email address hidden>
Date: Mon Oct 2 10:41:49 2017 +1300

Bug 1719491: Escape title for profile field in internal artefact chooser

an oversight from commit dde8e52b2b311aa992997b90d1b4f7bebefcc2f3

Change-Id: Iba1c23b7b88cfb9526627f1b9c934bb94ecc4e5c
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 873eeed00e73463f69d48f8e187226507b3cbdd0)
(cherry picked from commit 9ccdfe2dc7ae6cfc0ce42142bfd4d6cd1e1b12fe)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8234
Committed: https://git.mahara.org/mahara/mahara/commit/6665aba4730d3bc52e2d4dd6d8381a58eecd4e44
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.04_STABLE

commit 6665aba4730d3bc52e2d4dd6d8381a58eecd4e44
Author: Robert Lyon <email address hidden>
Date: Mon Oct 2 10:14:27 2017 +1300

Bug 1719491: Escape string for default license

Which is only the user's name

Change-Id: I01d3dab89c0f48b6b734b31690f1b4036c7cf7a6
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 974728ddbe52e8a698950cbb633ae3c4e5a354ac)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8229
Committed: https://git.mahara.org/mahara/mahara/commit/eac2020c5390d53e3918fa4eecd0266637e25a23
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.04_STABLE

commit eac2020c5390d53e3918fa4eecd0266637e25a23
Author: Robert Lyon <email address hidden>
Date: Tue Sep 26 13:29:05 2017 +1300

Security bug 1719491: Stop user saving bad first/last/preferred name

to avoid having problems when the user emails another user

Change-Id: If694e969ea8a9d77badfffa095dc5fac3b6da417
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit dbbbb91cce379de6b8720b644508d6a60ac5b7b7)
(cherry picked from commit bf1717cbe0cb057c0a8f01061b4fa4a5ef7b1365)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8233
Committed: https://git.mahara.org/mahara/mahara/commit/9720dc9cff7012bc958db2ae7da1e045a8fd1791
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.10_STABLE

commit 9720dc9cff7012bc958db2ae7da1e045a8fd1791
Author: Robert Lyon <email address hidden>
Date: Mon Oct 2 10:14:27 2017 +1300

Bug 1719491: Escape string for default license

Which is only the user's name

Change-Id: I01d3dab89c0f48b6b734b31690f1b4036c7cf7a6
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 974728ddbe52e8a698950cbb633ae3c4e5a354ac)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8228
Committed: https://git.mahara.org/mahara/mahara/commit/96d97191da794a623f8cc4bb84eea8fca8122a23
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.10_STABLE

commit 96d97191da794a623f8cc4bb84eea8fca8122a23
Author: Robert Lyon <email address hidden>
Date: Tue Sep 26 13:29:05 2017 +1300

Security bug 1719491: Stop user saving bad first/last/preferred name

to avoid having problems when the user emails another user

Change-Id: If694e969ea8a9d77badfffa095dc5fac3b6da417
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit dbbbb91cce379de6b8720b644508d6a60ac5b7b7)
(cherry picked from commit bf1717cbe0cb057c0a8f01061b4fa4a5ef7b1365)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8212
Committed: https://git.mahara.org/mahara/mahara/commit/2792f5bf7acbbdc839f8f2d01136ce6b109d6d55
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.10_STABLE

commit 2792f5bf7acbbdc839f8f2d01136ce6b109d6d55
Author: Robert Lyon <email address hidden>
Date: Mon Oct 2 10:41:49 2017 +1300

Bug 1719491: Escape title for profile field in internal artefact chooser

an oversight from commit dde8e52b2b311aa992997b90d1b4f7bebefcc2f3

Change-Id: Iba1c23b7b88cfb9526627f1b9c934bb94ecc4e5c
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 873eeed00e73463f69d48f8e187226507b3cbdd0)
(cherry picked from commit 9ccdfe2dc7ae6cfc0ce42142bfd4d6cd1e1b12fe)

Robert Lyon (robertl-9) on 2017-10-30
no longer affects: mahara/15.04
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8232
Committed: https://git.mahara.org/mahara/mahara/commit/f411dff8e1417f92097fae2236dffd19c2ffdf5a
Submitter: Robert Lyon (<email address hidden>)
Branch: 17.04_STABLE

commit f411dff8e1417f92097fae2236dffd19c2ffdf5a
Author: Robert Lyon <email address hidden>
Date: Mon Oct 2 10:14:27 2017 +1300

Bug 1719491: Escape string for default license

Which is only the user's name

Change-Id: I01d3dab89c0f48b6b734b31690f1b4036c7cf7a6
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 974728ddbe52e8a698950cbb633ae3c4e5a354ac)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8227
Committed: https://git.mahara.org/mahara/mahara/commit/3935e36c0154e166d747b1e1f130add6dc116f63
Submitter: Robert Lyon (<email address hidden>)
Branch: 17.04_STABLE

commit 3935e36c0154e166d747b1e1f130add6dc116f63
Author: Robert Lyon <email address hidden>
Date: Tue Sep 26 13:29:05 2017 +1300

Security bug 1719491: Stop user saving bad first/last/preferred name

to avoid having problems when the user emails another user

Change-Id: If694e969ea8a9d77badfffa095dc5fac3b6da417
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit dbbbb91cce379de6b8720b644508d6a60ac5b7b7)
(cherry picked from commit bf1717cbe0cb057c0a8f01061b4fa4a5ef7b1365)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8211
Committed: https://git.mahara.org/mahara/mahara/commit/381bdb276858fa52c7b484cee66dba4d443254b5
Submitter: Robert Lyon (<email address hidden>)
Branch: 17.04_STABLE

commit 381bdb276858fa52c7b484cee66dba4d443254b5
Author: Robert Lyon <email address hidden>
Date: Mon Oct 2 10:41:49 2017 +1300

Bug 1719491: Escape title for profile field in internal artefact chooser

an oversight from commit dde8e52b2b311aa992997b90d1b4f7bebefcc2f3

Change-Id: Iba1c23b7b88cfb9526627f1b9c934bb94ecc4e5c
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 873eeed00e73463f69d48f8e187226507b3cbdd0)
(cherry picked from commit 9ccdfe2dc7ae6cfc0ce42142bfd4d6cd1e1b12fe)
