All private messages were accessible by wrong users
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Mahara | | Critical | Ruslan Kabalin | |
1.3 | | Critical | Ruslan Kabalin | |
Bug Description
When "Reply to message"
http://
CVE References
Ruslan Kabalin (rkabalin) wrote : | #1 |
Changed in mahara: | |
status: | New → Confirmed |
importance: | Undecided → High |
Ruslan Kabalin (rkabalin) wrote : | #2 |
Given that a user never replies to (a) system messages or (b) messages addressed to someone else, this patch should fix the bug.
As a separate feature, we may remove the ID as a parameter completely, as we can always get whom we have to reply to from the message record.
Changed in mahara: | |
milestone: | none → 1.4.1 |
importance: | High → Critical |
Regarding ancient versions: the bug was only introduced with message threading in 1.3.
1.0 is unaffected - the message being replied to is not displayed.
1.2 also unaffected - you can see the message being replied to, but there is a check in there to make sure it's addressed to you & sent by the user you're sending to.
Changed in mahara: | |
assignee: | nobody → Ruslan Kabalin (rkabalin) |
status: | Confirmed → In Progress |
Changed in mahara: | |
status: | In Progress → Fix Released |
visibility: | private → public |
Thanks Teemu, well spotted!
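The ownership check the comments above describe (the message being replied to must be addressed to you and sent by the user you are replying to, and system messages are never replied to), as an added example that is not Mahara's code or the patch from this bug. The array-backed message store, the field names and the function names are hypothetical.

```php
<?php
// Constructed sample data standing in for the message table.
// Field names are hypothetical, not Mahara's schema; sender === null marks a system message.
$MESSAGES = [
    10 => ['id' => 10, 'sender' => 2,    'recipient' => 1, 'body' => 'Hi user 1'],
    11 => ['id' => 11, 'sender' => 3,    'recipient' => 4, 'body' => 'Private to user 4'],
    12 => ['id' => 12, 'sender' => null, 'recipient' => 1, 'body' => 'System notice'],
];

// Before: the message id from the request is trusted, and the record is
// returned without checking who it belongs to.
function load_reply_context_unchecked(array $messages, int $replyto): ?array {
    return $messages[$replyto] ?? null;
}

// After: the quoted message is returned only if it was addressed to the
// current user, is not a system message, and was sent by the user the
// reply is going to.
function load_reply_context(array $messages, int $replyto, int $currentuser, int $sendto): ?array {
    $msg = $messages[$replyto] ?? null;
    if ($msg === null
        || $msg['recipient'] !== $currentuser
        || $msg['sender'] === null
        || $msg['sender'] !== $sendto) {
        return null; // same answer for "no such message" and "not your message"
    }
    return $msg;
}

// Variant suggested in comment #2: take no user id from the request and
// derive the reply target from the message record itself.
function reply_target(array $messages, int $replyto, int $currentuser): ?int {
    $msg = $messages[$replyto] ?? null;
    if ($msg === null || $msg['recipient'] !== $currentuser || $msg['sender'] === null) {
        return null;
    }
    return $msg['sender'];
}

// User 1 asks for message 11, which was exchanged between users 3 and 4.
var_dump(load_reply_context_unchecked($MESSAGES, 11) !== null); // unchecked lookup
var_dump(load_reply_context($MESSAGES, 11, 1, 3));              // checked lookup
// User 1 replies to message 10 from user 2, then to system message 12.
var_dump(load_reply_context($MESSAGES, 10, 1, 2));
var_dump(load_reply_context($MESSAGES, 12, 1, 2));
var_dump(reply_target($MESSAGES, 10, 1));
```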