auth/saml default remoteuser

Bug #932909 reported by PiersHarding
Affects   Status        Importance   Assigned to    Milestone
Mahara    Fix Released  High         PiersHarding
1.4       Fix Released  High         PiersHarding

Bug Description

The auth/saml plugin should have the option "Match username attribute to Remote username" defaulted to true, as this presents a risk in multi-tenanted Mahara instances (different institutions may clash on usernames so the default behaviour should be to match on the external one).

Tags: saml
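To make the risk in the description concrete, here is an added example (not Mahara's own code, and not part of this bug report) that models the two ways a SAML login can be matched to a local account on a multi-tenant instance. Institution B already owns the local username "jsmith"; institution A's IdP then asserts the username attribute "jsmith" for a different person. Matching on the bare username attribute resolves that login to B's account, while matching on the remote username scoped to A's auth instance finds no linked account and cannot cross the tenant boundary. The table and field names (USERS, AUTH_REMOTE_USER, the authinstance identifiers) are constructed assumptions loosely modelled on the concepts above, not a copy of Mahara's schema.

```python
"""Added example: models the account-matching risk described in bug #932909.

A multi-tenant instance hosts several institutions, each with its own SAML
auth instance.  Two lookup strategies are compared:

  * match on the asserted username attribute alone (the old default), and
  * match on the remote username scoped to the auth instance that received
    the assertion ("Match username attribute to Remote username" = true).

All names and data below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class LocalUser:
    user_id: int
    username: str       # globally unique local username
    institution: str


# Constructed sample data: institution B already has a local user "jsmith".
USERS = [
    LocalUser(1, "jsmith", "inst-b"),
    LocalUser(2, "adoe", "inst-a"),
]

# Constructed mapping (authinstance, remote username) -> local user id, i.e.
# the accounts each institution's SAML auth instance is allowed to log in.
AUTH_REMOTE_USER: Dict[Tuple[str, str], int] = {
    ("saml-inst-b", "jsmith"): 1,
    ("saml-inst-a", "adoe"): 2,
}


def match_by_username(asserted_username: str) -> Optional[LocalUser]:
    """Old default: any IdP's username attribute is matched against the
    global username column, regardless of which institution asserted it."""
    for user in USERS:
        if user.username == asserted_username:
            return user
    return None


def match_by_remote_username(authinstance: str,
                             asserted_username: str) -> Optional[LocalUser]:
    """New default: the assertion only resolves to an account that has been
    linked to *this* auth instance under that remote username."""
    user_id = AUTH_REMOTE_USER.get((authinstance, asserted_username))
    if user_id is None:
        return None
    return next(u for u in USERS if u.user_id == user_id)


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Institution A's IdP asserts "jsmith" for a person with no account yet.

    Returns the institution each strategy would log that person into
    (None means no existing account matched, so no takeover is possible)."""
    old = match_by_username("jsmith")
    new = match_by_remote_username("saml-inst-a", "jsmith")
    return (old.institution if old else None,
            new.institution if new else None)


if __name__ == "__main__":
    old_inst, new_inst = demo()
    # Expected: ('inst-b', None)
    print("match on username attribute ->", old_inst)
    print("match on remote username    ->", new_inst)
```

The scoped lookup is what makes the secure default safe to ship: an institution's IdP can only ever reach accounts that have been explicitly linked to that institution's auth instance, so a username collision across tenants results in "no match" (and whatever account-creation policy applies) rather than a login into someone else's account.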
Changed in mahara:
status: New → In Progress
assignee: nobody → PiersHarding (piersharding)
Changed in mahara:
status: In Progress → Fix Committed
François Marier (fmarier) wrote :

BTW Piers, we use "fix committed" only when the fix has been merged onto the final branch. While it's in review, we use "in progress".

Changed in mahara:
status: Fix Committed → In Progress
importance: Undecided → Critical
milestone: none → 1.3.8
security vulnerability: no → yes
Changed in mahara:
importance: Critical → High
tags: added: saml
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/1053
Committed: http://gitorious.org/mahara/mahara/commit/f07be6020e70fa8f53cd77fdcd63e7fd7ff8aaea
Submitter: Francois Marier (<email address hidden>)
Branch: master

commit f07be6020e70fa8f53cd77fdcd63e7fd7ff8aaea
Author: Piers Harding <email address hidden>
Date: Thu Feb 16 06:19:41 2012 +1300

    auth/saml default remoteuser (bug #932909)

    Ensure that default behaviour is to match user
    to remote user name

    Change-Id: Iadabb5c47004786af6fb6e2e6ac0590fb4a887d8
    Signed-off-by: Piers Harding <email address hidden>

François Marier (fmarier) wrote :

Piers: would you be able to quickly test the 1.3 and 1.4 cherry-picks I just pushed to gerrit?

  https://reviews.mahara.org/#change,1061
  https://reviews.mahara.org/#change,1062

(I've tested that the setting is turned on by default, but I don't feel confident enough to test the other changes in that patch.)

Richard: given I was the one to do the cherry-pick can you quickly double-check to make sure everything looks fine and give your +2?

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/1061
Committed: http://gitorious.org/mahara/mahara/commit/46dfa1bcc5bafda7f8aadf6fae33d77e4ce6190f
Submitter: Francois Marier (<email address hidden>)
Branch: 1.3_STABLE

commit 46dfa1bcc5bafda7f8aadf6fae33d77e4ce6190f
Author: Francois Marier <email address hidden>
Date: Mon Feb 20 14:40:05 2012 +1300

    auth/saml default remoteuser (bug #932909)

    Ensure that default behaviour is to match user
    to remote user name

    (cherry picked from commit f07be6020e70fa8f53cd77fdcd63e7fd7ff8aaea)

    Conflicts:

     htdocs/auth/saml/lang/en.utf8/auth.saml.php
     htdocs/auth/saml/lib.php

    Change-Id: Ieda14dc11692f3f703aa0d5b4e87761107196356
    Signed-off-by: Francois Marier <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/1062
Committed: http://gitorious.org/mahara/mahara/commit/d642724b4e6016df988c2fe25aad0543927af072
Submitter: Francois Marier (<email address hidden>)
Branch: 1.4_STABLE

commit d642724b4e6016df988c2fe25aad0543927af072
Author: Francois Marier <email address hidden>
Date: Mon Feb 20 14:50:32 2012 +1300

    auth/saml default remoteuser (bug #932909)

    Ensure that default behaviour is to match user
    to remote user name

    (cherry picked from commit f07be6020e70fa8f53cd77fdcd63e7fd7ff8aaea)

    Conflicts:

     htdocs/auth/saml/lib.php

    Change-Id: I4db156b2e0023315a2bcf09f47c4fbf7b23ce348
    Signed-off-by: Francois Marier <email address hidden>

Changed in mahara:
status: In Progress → Fix Committed
Melissa Draper (melissa)
Changed in mahara:
status: Fix Committed → Fix Released
This report contains Public Security information.
Everyone can see this security related information.
