Minor version number displayed in JS, CSS links
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | Low | Aaron Wells |
1.10 | Fix Released | Low | Unassigned |
1.8 | Fix Released | Low | Unassigned |
1.9 | Fix Released | Low | Unassigned |
15.04 | Fix Released | Low | Aaron Wells |
Bug Description
We made a conscious decision, for security reasons, not to display the Mahara minor version number on the footer of every page, except to Mahara admins.
However, in bug 1214124 we then added the minor version number to every stylesheet and JavaScript URL, which makes it trivially easy to find. You just look at the source code, and look for style.css:
<link rel="stylesheet" type="text/css" href="https:/
We should replace this with an arbitrary integer stored in a config variable, which gets incremented whenever we upgrade the site. This would have the added (minor) benefit that you could then force a reloading of all the assets without incrementing the major version number, by simply increasing this integer.
Only low importance, because a hacker could probably infer the Mahara version number anyway, by looking at changes in the site's behavior.
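The proposal in the description, shown as an added example (not Mahara's code and not the fix that was committed): a release-based cache-buster beside an opaque counter that is incremented on upgrade, plus a check that rendered HTML no longer carries a dotted version in asset URLs. The function names, the `cacheversion` config key, the `v` query parameter and the sample values are assumptions.

```php
<?php
// Added illustration; every name here is hypothetical, not Mahara's API.

// Before: the release string is the cache-buster, so every page source
// discloses the exact minor version.
function asset_url_by_release(string $path, string $release): string {
    return $path . '?v=' . rawurlencode($release);
}

// After: an opaque integer from site config is the cache-buster.
function asset_url_by_serial(string $path, array $config): string {
    return $path . '?v=' . (int) $config['cacheversion'];
}

// Called by the upgrade routine, or by an admin who wants every client
// to refetch assets without a release change.
function bump_serial(array $config): array {
    $config['cacheversion'] = (int) ($config['cacheversion'] ?? 0) + 1;
    return $config;
}

// Audit helper: return the asset URLs in rendered HTML whose query string
// still contains a dotted version number.
function leaked_versions(string $html): array {
    preg_match_all(
        '/(?:href|src)="([^"]*\?[^"]*\b\d+\.\d+(?:\.\d+)*[^"]*)"/i',
        $html,
        $m
    );
    return $m[1];
}

// Constructed sample values.
$release = '1.9.3';
$config  = ['cacheversion' => 41];

$before = '<link rel="stylesheet" type="text/css" href="'
    . asset_url_by_release('/theme/style.css', $release) . '">';

$config = bump_serial($config); // simulated site upgrade
$after  = '<link rel="stylesheet" type="text/css" href="'
    . asset_url_by_serial('/theme/style.css', $config) . '">';

echo 'release-based URLs flagged: ', count(leaked_versions($before)), "\n";
echo 'serial-based URLs flagged:  ', count(leaked_versions($after)), "\n";
```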
CVE References
description: updated
information type: Private Security → Public Security
description: updated
information type: Public Security → Private Security
information type: Private Security → Public Security
Changed in mahara:
status: Fix Committed → Fix Released
That said, I've also filed a separate (non-security) bug 1384497, for the purpose of displaying the *major* version number openly.