Fix user input from direct get post usage

Bug #1732987 reported by Robert Lyon
Affects        Status         Importance   Assigned to   Milestone
Mahara         Fix Released   High         Unassigned
  16.10        Fix Released   High         Unassigned
  17.04        Fix Released   High         Unassigned
  17.10        Fix Released   High         Unassigned
  18.04        Fix Released   High         Unassigned

Bug Description

Make sure the data is valid UTF-8; invalid characters are discarded:
- avoid null chars and invalid unicode

Also change direct $_GET and $_POST calls, e.g. change
 isset($_POST['myparam']) to param_exists('myparam')
 $_POST['myparam'] = 'cats' to param_alpha('myparam', null)
etc.
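The following PHP sketch is an added illustration of the pattern the report asks for; it is not Mahara's own code and not the patch from the linked review. The functions clean_utf8(), request_value(), my_param_exists() and my_param_alpha() are hypothetical stand-ins: they are assumed to behave roughly like Mahara's param_exists()/param_alpha() (absent parameter returns the default, present-but-invalid parameter is rejected, POST consulted before GET), but the real helpers' signatures and error handling may differ. The sample request data at the bottom is constructed for the demo. Requires the mbstring extension (mb_scrub(), PHP 7.2+).

```php
<?php
// Added example, not Mahara's code. The my_* helpers are hypothetical stand-ins
// for Mahara's param_* accessors; their exact behaviour is an assumption.
declare(strict_types=1);

// Discard NUL bytes and ill-formed UTF-8 sequences before the value is used
// anywhere (database, file names, HTML output). U+0000 is valid UTF-8, so
// mb_scrub() alone would keep it; the explicit str_replace() handles it.
function clean_utf8(string $value): string
{
    $saved = mb_substitute_character();      // remember the global setting
    mb_substitute_character('none');         // 'none' = delete invalid sequences
    $value = mb_scrub($value, 'UTF-8');
    mb_substitute_character($saved);
    return str_replace("\0", '', $value);
}

// Single lookup point for request data so callers never touch $_GET/$_POST
// directly and cleaning happens in exactly one place. POST wins over GET
// (assumption). Array-valued parameters (?a[]=1) are ignored here.
function request_value(string $name): ?string
{
    foreach ([$_POST, $_GET] as $source) {
        if (isset($source[$name]) && is_string($source[$name])) {
            return clean_utf8($source[$name]);
        }
    }
    return null;
}

function my_param_exists(string $name): bool
{
    return request_value($name) !== null;
}

// Letters only. Absent parameter -> $default; present but not purely
// alphabetic -> exception, so "cats<script>" never reaches the caller.
function my_param_alpha(string $name, ?string $default = null): ?string
{
    $value = request_value($name);
    if ($value === null) {
        return $default;
    }
    if (!preg_match('/^[A-Za-z]+$/', $value)) {
        throw new InvalidArgumentException("Parameter '$name' is not alphabetic");
    }
    return $value;
}

// Before: direct superglobal use, the style the bug report wants removed.
function greeting_unsafe(): string
{
    if (isset($_POST['myparam'])) {
        return 'Hello ' . $_POST['myparam'];   // raw bytes, NUL and invalid UTF-8 included
    }
    return 'Hello stranger';
}

// After: the same logic through the accessors.
function greeting_safe(): string
{
    if (my_param_exists('myparam')) {
        return 'Hello ' . my_param_alpha('myparam', null);
    }
    return 'Hello stranger';
}

// Constructed sample request (a CLI run has no real request): a NUL byte and a
// lone 0xFF byte, neither of which should survive.
$_POST = ['myparam' => "cats\0\xff"];
echo bin2hex(greeting_unsafe()), "\n";   // raw bytes pass straight through
echo greeting_safe(), "\n";              // "Hello cats": NUL and 0xFF discarded

// A value that is valid UTF-8 but not alphabetic is rejected, not passed on.
$_POST = ['myparam' => 'cats123'];
try {
    greeting_safe();
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The point of routing everything through request_value() is that a later change to the cleaning rules (say, also normalising to NFC) applies to every parameter at once, which is exactly what scattered isset($_POST[...]) checks make impossible.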

Robert Lyon (robertl-9) wrote:

This has been begun with patch
https://reviews.mahara.org/#/c/8191/

Robert Lyon (robertl-9)
information type: Private Security → Public Security
This report contains Public Security information  