diff -Nru mahara-1.2.7/debian/changelog mahara-1.2.7/debian/changelog
--- mahara-1.2.7/debian/changelog 2011-03-25 16:10:01.000000000 +1300
+++ mahara-1.2.7/debian/changelog 2011-05-10 16:36:47.000000000 +1200
@@ -1,3 +1,22 @@
+mahara (1.2.7-1ubuntu0.1) natty-security; urgency=low
+
+  * SECURITY UPDATE: fixes to session key validation (CSRF)
+    - debian/patches/CVE-2011-1403.patch: upstream patch
+
+  * SECURITY UPDATE: privilege escalations
+    - debian/patches/CVE-2011-1402.patch: upstream patch
+
+  * SECURITY UPDATE: information disclosure in AJAX calls
+    - debian/patches/CVE-2011-1404.patch: upstream patch
+
+  * SECURITY UPDATE: https to http downgrade
+    - debian/patches/CVE-2011-1406.patch: upstream patch
+
+  * SECURITY UPDATE: sanitisation of HTML emails
+    - debian/patches/CVE-2011-1405.patch: upstream patch
+
+ -- Francois Marier Tue, 10 May 2011 16:36:06 +1200
+
 mahara (1.2.7-1) unstable; urgency=high
 
   * New upstream security release:
diff -Nru mahara-1.2.7/debian/patches/CVE-2011-1402.patch mahara-1.2.7/debian/patches/CVE-2011-1402.patch
--- mahara-1.2.7/debian/patches/CVE-2011-1402.patch 1970-01-01 12:00:00.000000000 +1200
+++ mahara-1.2.7/debian/patches/CVE-2011-1402.patch 2011-05-10 16:36:47.000000000 +1200
@@ -0,0 +1,53 @@
+Author: Richard Mansfield
+Description: Fix privilege escalations
+Origin: upstream
+Bug: https://bugs.launchpad.net/mahara/+bug/771592
+Bug: https://bugs.launchpad.net/mahara/+bug/771614
+Last-Update: 2011-05-02
+
+--- a/htdocs/admin/users/search.json.php
++++ b/htdocs/admin/users/search.json.php
+@@ -27,25 +27,12 @@
+ 
+ define('INTERNAL', 1);
+ define('JSON', 1);
++define('INSTITUTIONALADMIN', 1);
+ 
+ require(dirname(dirname(dirname(__FILE__))) . '/init.php');
+ 
+ $action = param_variable('action');
+ 
+-if ($action == 'suspend') {
+-    $id = param_integer('id');
+-    $reason = param_variable('reason');
+-
+-    try {
+-        suspend_user($id, $reason);
+-    }
+-    catch (MaharaException $e) {
+-        json_reply('local', get_string('suspendfailed', 'admin') . ': ' . $e->getMessage());
+-    }
+-
+-    json_reply(false, get_string('usersuspended', 'admin'));
+-}
+-
+ if ($action == 'search') {
+     require_once('searchlib.php');
+ 
+--- a/htdocs/view/newviewtoken.json.php
++++ b/htdocs/view/newviewtoken.json.php
+@@ -31,7 +31,13 @@ define('JSON', 1);
+ require(dirname(dirname(__FILE__)) . '/init.php');
+ require_once(get_config('libroot') . 'view.php');
+ 
+-if (!$data = View::new_token(param_integer('view'))) {
++$viewid = param_integer('view');
++$view = new View($viewid);
++
++if (!$USER->can_edit_view($view)) {
++    json_reply(true, get_string('accessdenied', 'error'));
++}
++if (!$data = View::new_token($viewid)) {
+     json_reply(true, get_string('createviewtokenfailed', 'view'));
+ }
+ json_reply(false, array('message' => null, 'data' => $data));
diff -Nru mahara-1.2.7/debian/patches/CVE-2011-1403.patch mahara-1.2.7/debian/patches/CVE-2011-1403.patch
--- mahara-1.2.7/debian/patches/CVE-2011-1403.patch 1970-01-01 12:00:00.000000000 +1200
+++ mahara-1.2.7/debian/patches/CVE-2011-1403.patch 2011-05-10 16:36:47.000000000 +1200
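Review bot: In newviewtoken.json.php the new `$view = new View($viewid);` runs before any error handling, so a request naming a view id that does not exist would, if the View constructor throws as the removed suspend branch shows other Mahara calls do, surface as an uncaught exception instead of the JSON error reply the rest of the script uses. Wrapping it as `try { $view = new View($viewid); } catch (MaharaException $e) { json_reply(true, get_string('accessdenied', 'error')); }` keeps the endpoint's responses uniform and stops a caller from distinguishing "no such view" from "not yours" by the response shape. The access check correctly precedes token creation, but it relies on `json_reply(true, ...)` terminating the request, which is not visible here; the existing `createviewtokenfailed` branch below already depends on the same behaviour, so it is presumably safe but worth confirming. Both comparisons in search.json.php (`$action == 'search'`) remain loose `==`; `===` is preferable for a request-controlled string.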
@@ -0,0 +1,19 @@
+Author: Richard Mansfield
+Description: Fix sesskey validation (CSRF protection mechanism) in pieforms
+Origin: upstream
+Bug: https://bugs.launchpad.net/mahara/+bug/771598
+Last-Update: 2011-05-02
+
+--- a/htdocs/lib/pieforms/pieform/elements/hidden.php
++++ b/htdocs/lib/pieforms/pieform/elements/hidden.php
+@@ -62,6 +62,10 @@ function pieform_element_hidden(Pieform $form, $element) {/*{{{*/
+  * 'value' index, and not to GET/POST
+  */
+ function pieform_element_hidden_get_value(Pieform $form, $element) {/*{{{*/
++    if ($element['name'] == 'sesskey' && $form->is_submitted()) {
++        $global = $form->get_property('method') == 'get' ? $_GET : $_POST;
++        return isset($global['sesskey']) ? $global['sesskey'] : null;
++    }
+     return $element['value'];
+ }/*}}}*/
+ 
diff -Nru mahara-1.2.7/debian/patches/CVE-2011-1404.patch mahara-1.2.7/debian/patches/CVE-2011-1404.patch
--- mahara-1.2.7/debian/patches/CVE-2011-1404.patch 1970-01-01 12:00:00.000000000 +1200
+++ mahara-1.2.7/debian/patches/CVE-2011-1404.patch 2011-05-10 16:36:47.000000000 +1200
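Review bot: The docblock directly above `pieform_element_hidden_get_value` (its tail is visible as context, `* 'value' index, and not to GET/POST`) is now inaccurate for the one case this hunk adds, because the `sesskey` element's value is read from `$_GET`/`$_POST` on a submitted form; it should be amended to say that hidden elements take their value from the 'value' index and never from the request, except 'sesskey', which on a submitted form is read back from GET/POST so that the key the client actually sent is what gets validated rather than the server-side value. Both comparisons use loose `==`; `if ($element['name'] === 'sesskey' && $form->is_submitted())` and `$form->get_property('method') === 'get'` avoid PHP's string/number coercion on a security check. Whether `get_property('method')` is already lower-cased is not visible here; if a form could be declared with method `GET`, the lookup would fall through to `$_POST`, return `null`, and presumably fail closed, which is the safe direction but worth confirming against the Pieform constructor.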
@@ -0,0 +1,30 @@
+Author: Richard Mansfield
+Description: Reduce information returned through user/friend search AJAX calls
+Origin: upstream
+Bug: https://bugs.launchpad.net/mahara/+bug/772160
+Bug: https://bugs.launchpad.net/mahara/+bug/772179
+Last-Update: 2011-05-02
+
+--- a/htdocs/json/friendsearch.php
++++ b/htdocs/json/friendsearch.php
+@@ -47,6 +47,7 @@ if ($extradata = param_variable('extradata', null)) {
+ $data = search_user($query, $limit, $offset, array('exclude' => $USER->get('id')));
+ $data['query'] = $query;
+ build_userlist_html($data, $page);
++unset($data['data']);
+ 
+ json_reply(false, array('data' => $data));
+ ?>
+--- a/htdocs/json/usersearch.php
++++ b/htdocs/json/usersearch.php
+@@ -60,6 +60,10 @@ else {
+     $data = search_user($query, $limit, $offset, $options);
+ }
+ 
++foreach ($data['data'] as &$result) {
++    $result = array('id' => $result['id'], 'name' => $result['name']);
++}
++
+ json_headers();
+ $data['error'] = false;
+ $data['message'] = false;
diff -Nru mahara-1.2.7/debian/patches/CVE-2011-1405.patch mahara-1.2.7/debian/patches/CVE-2011-1405.patch
--- mahara-1.2.7/debian/patches/CVE-2011-1405.patch 1970-01-01 12:00:00.000000000 +1200
+++ mahara-1.2.7/debian/patches/CVE-2011-1405.patch 2011-05-10 16:36:47.000000000 +1200
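Review bot: The by-reference loop `foreach ($data['data'] as &$result)` in usersearch.php leaves `$result` bound to the last search result after the loop ends, so any later assignment to a variable of that name in the rest of the script (not visible here) would silently overwrite that element before it is emitted; add `unset($result);` immediately after the closing brace. The whitelist of `id` and `name` is the right shape for this fix, since it drops every other column `search_user()` returns rather than trying to enumerate the sensitive ones. In friendsearch.php the unset of `$data['data']` after `build_userlist_html()` shows that key is normally present, so the foreach in usersearch.php should be safe from an undefined-index warning, though a result set without `data` would still warn and is worth a guard if `search_user()` can ever return one.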
@@ -0,0 +1,28 @@
+Author: Richard Mansfield
+Description: Sanitisation of HTML emails
+Origin: upstream
+Bug: https://bugs.launchpad.net/mahara/+bug/772860
+Last-Update: 2011-05-02
+
+--- a/htdocs/interaction/forum/lib.php
++++ b/htdocs/interaction/forum/lib.php
+@@ -498,7 +498,7 @@ class ActivityTypeInteractionForumNewPost extends ActivityTypePlugin {
+         }
+ 
+         $posttime = strftime(get_string('strftimedaydatetime'), $post->ctime);
+-        $htmlbody = $post->body;
++        $htmlbody = clean_html($post->body);
+         $textbody = trim(html2text($post->body));
+         $postlink = get_config('wwwroot') . 'interaction/forum/topic.php?id=' . $post->topicid . '#post' . $this->postid;
+ 
+@@ -525,8 +525,8 @@ class ActivityTypeInteractionForumNewPost extends ActivityTypePlugin {
+             $unsubscribelink
+         );
+         $user->htmlmessage = get_string_from_language($lang, 'forumposthtmltemplate', 'interaction.forum',
+-            $post->subject ? $post->subject : get_string_from_language($lang, 're', 'interaction.forum', $post->topicsubject),
+-            display_name($post->poster, $user),
++            $post->subject ? hsc($post->subject) : get_string_from_language($lang, 're', 'interaction.forum', hsc($post->topicsubject)),
++            hsc(display_name($post->poster, $user)),
+             $posttime,
+             $htmlbody,
+             $postlink,
diff -Nru mahara-1.2.7/debian/patches/CVE-2011-1406.patch mahara-1.2.7/debian/patches/CVE-2011-1406.patch
--- mahara-1.2.7/debian/patches/CVE-2011-1406.patch 1970-01-01 12:00:00.000000000 +1200
+++ mahara-1.2.7/debian/patches/CVE-2011-1406.patch 2011-05-10 16:36:47.000000000 +1200
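Review bot: The escaping added to the `forumposthtmltemplate` arguments is applied to the subject and poster name but not to `$posttime` and `$postlink`, which go into the same HTML template unescaped two lines later. Both are presumably safe today — `$postlink` is assembled from `get_config('wwwroot')`, `$post->topicid` and `$this->postid`, which look like configuration and integer ids, and `$posttime` is `strftime()` output — but escaping them as well (`hsc($posttime)`, `hsc($postlink)`) makes the rule "everything interpolated into the HTML message is escaped or cleaned" uniform and robust to a future change in how those values are built. The ternary `$post->subject ? ... : ...` treats a subject of `'0'` as empty; `$post->subject !== '' && $post->subject !== null` would be the precise test if that case matters. The enclosing method starts and ends outside both hunks, and the plain-text body is still derived from the raw `$post->body` via `html2text()`, which is fine for a text/plain part.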
@@ -0,0 +1,20 @@
+Author: Ruslan Kabalin
+Description: Prevent silent https to http downgrades
+Origin: upstream
+Bug: https://bugs.launchpad.net/mahara/+bug/685942
+Last-Update: 2011-05-02
+
+--- a/htdocs/init.php
++++ b/htdocs/init.php
+@@ -188,6 +188,11 @@ if (isset($CFG->httpswwwroot)) {
+         $CFG->httpswwwroot .= '/';
+     }
+ }
++// Make sure that we are using ssl if wwwroot expects us to do so
++if ((!isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) == 'off') &&
++    parse_url($CFG->wwwroot, PHP_URL_SCHEME) === 'https'){
++    redirect(get_relative_script_path());
++}
+ if (!isset($CFG->noreplyaddress) && isset($_SERVER['HTTP_HOST'])) {
+     $noreplyaddress = 'noreply@';
+     $host = (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) ? $_SERVER['HTTP_X_FORWARDED_HOST'] : $_SERVER['HTTP_HOST'];
diff -Nru mahara-1.2.7/debian/patches/series mahara-1.2.7/debian/patches/series
--- mahara-1.2.7/debian/patches/series 1970-01-01 12:00:00.000000000 +1200
+++ mahara-1.2.7/debian/patches/series 2011-05-10 16:36:47.000000000 +1200
@@ -0,0 +1,5 @@
+CVE-2011-1402.patch
+CVE-2011-1403.patch
+CVE-2011-1404.patch
+CVE-2011-1405.patch
+CVE-2011-1406.patch
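Review bot: The new check in init.php decides "not HTTPS" from `$_SERVER['HTTPS']` alone, so a deployment that terminates TLS at a reverse proxy — a setup the context line just below already caters for via `HTTP_X_FORWARDED_HOST` — sees every backend request as plain HTTP and redirects to the https wwwroot, which the proxy forwards as HTTP again, giving a redirect loop rather than a downgrade fix. A guard such as `$forwardedhttps = isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https';` folded into the condition would cover that, but only where the proxy is trusted to overwrite a client-supplied copy of that header; otherwise honouring it reintroduces the downgrade, so it should be tied to a config flag rather than always on. Whether `get_relative_script_path()` preserves the query string, and whether `redirect()` prefixes the https wwwroot, is not visible here; if either does not, the redirect changes the request instead of just its scheme, and a POST is in any case turned into a GET and loses its body. Minor style: `'https'){` is missing the space before the brace, and `== 'off'` should be `=== 'off'` like the `=== 'https'` on the following line.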