Drop / ignore LTI parameters that Mahara doesn't need

Bug #1825894 reported by Kristina Hoeppner on 2019-04-22
This bug affects 1 person
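Affects: Mahara; Importance: Medium; Assigned to: Robert Lyon
Affects: 17.10; Importance: Medium; Assigned to: Unassigned
Affects: 18.04; Importance: Medium; Assigned to: Unassigned
Affects: 18.10; Importance: Medium; Assigned to: Unassigned
Affects: 19.04; Importance: Medium; Assigned to: Robert Lyon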

Bug Description

LTI sometimes sends parameters through that Mahara doesn't require. Rather than whitelisting them as suggested in bug #1785542. We reviewed things again and there don't seem to be any security concerns after all that we would need to take into consideration.

So we'll drop / ignore any parameters that Mahara doesn't need like we do for parameters that start with "custom". That means that when they are ignored, a site admin should see a message on the screen when not in production mode to that effect so they know what has been ignored.

Robert Lyon (robertl-9) wrote :

So we will now ignore any unknown parameter and let the user know by recording this in the Mahara error log / display to screen if not in production mode.

However, we now will not be returning the info about the extra parameters back to the system that made the webservice call.
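
The behaviour described in the report and the comment above, as an added PHP example that is not Mahara's own code; the function name, the declared-parameter list and the sample request are hypothetical. It keeps the declared parameters, logs only the names of the rest, and hands the notice back for on-screen display outside production mode, never to the calling system.

```php
<?php
// Added example: all names here are hypothetical, not taken from Mahara's code base.

/**
 * Keep only the parameters the service declares; drop and report the rest.
 *
 * @param array $declared   allowed parameter names as keys
 * @param array $received   raw request parameters
 * @param bool  $production when true, the notice is logged but not displayed
 * @return array [clean parameters, notice for the site admin or null]
 */
function filter_ws_params(array $declared, array $received, bool $production): array {
    $clean   = array_intersect_key($received, $declared);
    $ignored = array_keys(array_diff_key($received, $declared));

    $notice = null;
    if ($ignored) {
        // Record names only, never values, and replace control characters
        // so a crafted parameter name cannot forge extra log lines.
        $names = array_map(
            fn($n) => preg_replace('/[^\x20-\x7E]/', '?', substr((string) $n, 0, 64)),
            $ignored
        );
        $notice = 'Ignored unknown webservice parameters: ' . implode(', ', $names);
        error_log($notice);
        if ($production) {
            $notice = null; // log only; nothing is shown on screen
        }
    }
    return [$clean, $notice];
}

// Constructed sample request (not captured traffic).
$declared = ['user_id' => true, 'roles' => true];
$received = [
    'user_id'         => '42',
    'roles'           => 'Learner',
    'custom_section'  => 'A1',
    "ext_lms\r\nfake" => 'x', // name carrying a CR/LF pair
];

[$params, $notice] = filter_ws_params($declared, $received, false);

// The reply to the calling system is built from $params alone.
echo json_encode(['params' => $params]), PHP_EOL;

// The notice goes to the site admin's screen, escaped for HTML.
if ($notice !== null) {
    echo htmlspecialchars($notice), PHP_EOL;
}
```
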

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/9818
Committed: https://git.mahara.org/mahara/mahara/commit/515cfba646dee807fda37faeb89f8e71d132b379
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 515cfba646dee807fda37faeb89f8e71d132b379
Author: Robert Lyon <email address hidden>
Date: Tue Apr 23 11:06:58 2019 +1200

Bug 1825894: Ignore extra parameters in webservices

We had a patch for ignoring parameters prefixed with 'custom_' in
bug 1697909 - but there were still problems from users when trying to
install LTI connections.

So we will now ignore any unknown parameter and let the user know by
recording this in the Mahara error log - we however will not be
returning the info about the extra parameters back to the system that
made the webservice call

behatnotneeded

Change-Id: I0cf5d966833a48e7db13d48b9e0be87285934002
Signed-off-by: Robert Lyon <email address hidden>

Reviewed: https://reviews.mahara.org/9821
Committed: https://git.mahara.org/mahara/mahara/commit/e39ac7ce2f9824a67ac91e38fa76b80b4b392423
Submitter: Robert Lyon (<email address hidden>)
Branch: 19.04_STABLE

commit e39ac7ce2f9824a67ac91e38fa76b80b4b392423
Author: Robert Lyon <email address hidden>
Date: Tue Apr 23 11:06:58 2019 +1200

Bug 1825894: Ignore extra parameters in webservices

We had a patch for ignoring parameters prefixed with 'custom_' in
bug 1697909 - but there were still problems from users when trying to
install LTI connections.

So we will now ignore any unknown parameter and let the user know by
recording this in the Mahara error log - we however will not be
returning the info about the extra parameters back to the system that
made the webservice call

behatnotneeded

Change-Id: I0cf5d966833a48e7db13d48b9e0be87285934002
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 515cfba646dee807fda37faeb89f8e71d132b379)

Reviewed: https://reviews.mahara.org/9822
Committed: https://git.mahara.org/mahara/mahara/commit/3f05d3f4d7c5d76cd1b6b340fe3efc4572e8714e
Submitter: Robert Lyon (<email address hidden>)
Branch: 18.10_STABLE

commit 3f05d3f4d7c5d76cd1b6b340fe3efc4572e8714e
Author: Robert Lyon <email address hidden>
Date: Tue Apr 23 11:06:58 2019 +1200

Bug 1825894: Ignore extra parameters in webservices

We had a patch for ignoring parameters prefixed with 'custom_' in
bug 1697909 - but there were still problems from users when trying to
install LTI connections.

So we will now ignore any unknown parameter and let the user know by
recording this in the Mahara error log - we however will not be
returning the info about the extra parameters back to the system that
made the webservice call

behatnotneeded

Change-Id: I0cf5d966833a48e7db13d48b9e0be87285934002
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 515cfba646dee807fda37faeb89f8e71d132b379)
(cherry picked from commit e39ac7ce2f9824a67ac91e38fa76b80b4b392423)

Mahara Bot (dev-mahara) wrote :

Patch for "18.04_STABLE" branch: https://reviews.mahara.org/9823

Reviewed: https://reviews.mahara.org/9823
Committed: https://git.mahara.org/mahara/mahara/commit/6a44495b1ec01553473deb3a4b15d98625802c58
Submitter: Robert Lyon (<email address hidden>)
Branch: 18.04_STABLE

commit 6a44495b1ec01553473deb3a4b15d98625802c58
Author: Robert Lyon <email address hidden>
Date: Tue Apr 23 11:06:58 2019 +1200

Bug 1825894: Ignore extra parameters in webservices

We had a patch for ignoring parameters prefixed with 'custom_' in
bug 1697909 - but there were still problems from users when trying to
install LTI connections.

So we will now ignore any unknown parameter and let the user know by
recording this in the Mahara error log - we however will not be
returning the info about the extra parameters back to the system that
made the webservice call

behatnotneeded

Change-Id: I0cf5d966833a48e7db13d48b9e0be87285934002
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 515cfba646dee807fda37faeb89f8e71d132b379)
(cherry picked from commit e39ac7ce2f9824a67ac91e38fa76b80b4b392423)
(cherry picked from commit 3f05d3f4d7c5d76cd1b6b340fe3efc4572e8714e)

Reviewed: https://reviews.mahara.org/9824
Committed: https://git.mahara.org/mahara/mahara/commit/3f4e5c399f4fb0075a580a86b981dfd4f06cd500
Submitter: Robert Lyon (<email address hidden>)
Branch: 17.10_STABLE

commit 3f4e5c399f4fb0075a580a86b981dfd4f06cd500
Author: Robert Lyon <email address hidden>
Date: Tue Apr 23 11:06:58 2019 +1200

Bug 1825894: Ignore extra parameters in webservices

We had a patch for ignoring parameters prefixed with 'custom_' in
bug 1697909 - but there were still problems from users when trying to
install LTI connections.

So we will now ignore any unknown parameter and let the user know by
recording this in the Mahara error log - we however will not be
returning the info about the extra parameters back to the system that
made the webservice call

behatnotneeded

Change-Id: I0cf5d966833a48e7db13d48b9e0be87285934002
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 515cfba646dee807fda37faeb89f8e71d132b379)
(cherry picked from commit e39ac7ce2f9824a67ac91e38fa76b80b4b392423)
(cherry picked from commit 3f05d3f4d7c5d76cd1b6b340fe3efc4572e8714e)
(cherry picked from commit 6a44495b1ec01553473deb3a4b15d98625802c58)
