Session key validation not working in pieforms

Reported by Richard Mansfield on 2011-04-27
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
High
Richard Mansfield
1.2
High
Richard Mansfield
1.3
High
Richard Mansfield

Bug Description

The 'sesskey' hidden element is added automatically to every form created by the pieform constructor, but it's not validated because on submission, the sesskey's value is regenerated in the pieform constructor rather than read from the posted value.

For the fix on stable versions, we should check the name of the hidden element and for 'sesskey', read it in from the appropriate parameter.

On master, we should leave the hidden element as it is, and use a new pieform element type for sesskey validation.

Reported by Bart van Delft.

CVE References

Changed in mahara:
milestone: none → 1.4.0

Changed my mind for the master patch. The previously uploaded patch, which introduced a new pieform element called 'sesskey', caused the edit profile form to fail with 'no sesskey', and it would require a bunch more hacks in pieforms to fix that. This replacement fixes the bug by setting a 'sesskey' property on the hidden element instead.

Changed in mahara:
assignee: nobody → Richard Mansfield (richard-mansfield)
visibility: private → public
Changed in mahara:
status: In Progress → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers