Make ajax get_string work for logged-out users
Bug #1476925 reported by Aaron Wells
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | Medium | Aaron Wells |
15.10 | Fix Released | Undecided | Unassigned |
Bug Description
With Bug #1450995 we added a "get_string_ajax()" javascript method which lets you load up Mahara language strings using Ajax, after the page is done loading.
However, it only works for logged-in users. I think eventually this is going to cause us some problems, because we're going to forget about that limitation and use this method for some action which is also accessible to logged-out users. So in the long run it's probably best to make it work the same whether you're logged in or logged out.
Changed in mahara: status: In Progress → Fix Committed
Changed in mahara: status: Fix Committed → Fix Released
We had a discussion about whether there would be any additional security risk in making this action accessible to logged-out users. I think it would be safe. Here's my analysis:
1. The "section" argument is used as a portion of a filename, but it's limited to specific directories and filtered to the characters [-_.A-Za-z0-9], and the filename will have ".php" added to the end, so that's pretty safe.
2. You can use a parameterized string to generate an arbitrary JSON response (i.e. https://vegas.wgtn.cat-it.co.nz/mahara/htdocs/lang/get_string.php?section=mahara&string=deletespecific&args[]=%3Cscript%20type=%22text/javascript%22%3Ealert%28%27hey!%27%29%3C/script%3E ), but the response header has "Content-Type: application/json", so the browser won't parse any HTML or Javascript in the response if you hit it directly. So that's pretty safe.
So in the end, it seems like the biggest risk here is that you could use this string to find out the value of every language string in the site. The only scenario I can think of where that would cause a problem is if a site is using custom language strings and putting sensitive data into them. Like "Welcome to Wells University! Remember, everyone's default password is "password123"!".
But that seems like a really bad idea anyway, so I don't think it's a scenario we need to worry about too much.
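As an added illustration of the two checks weighed in the comment above, here is a small Python model of the endpoint; it is not Mahara's code, and the directory allow-list and the in-memory string table are constructed stand-ins. It shows why the character filter plus the appended ".php" keeps "section" inside its directory, and how the JSON reply carries markup from "args" verbatim while the Content-Type header keeps a browser from rendering it.

```python
import json
import re

# Only these characters may appear in "section"; "/" is excluded, so no value
# can step out of the directory it is resolved against.
SECTION_RE = re.compile(r"^[-_.A-Za-z0-9]+$")

# Constructed allow-list of language directories (assumption, not Mahara's).
ALLOWED_DIRS = ("lang/en.utf8", "local/lang/en.utf8")

# Constructed in-memory stand-in for the language .php files.
LANG_STRINGS = {
    "lang/en.utf8/mahara.php": {"deletespecific": "Delete %s?", "welcome": "Welcome"},
}


def is_valid_section(section):
    return bool(SECTION_RE.match(section))


def section_paths(section):
    """Filtered section name plus ".php", resolved only inside ALLOWED_DIRS."""
    if not is_valid_section(section):
        raise ValueError("invalid section: %r" % section)
    return ["%s/%s.php" % (d, section) for d in ALLOWED_DIRS]


def get_string(section, string, args=()):
    """Look the string up and substitute printf-style args; mark missing ones."""
    for path in section_paths(section):
        table = LANG_STRINGS.get(path, {})
        if string in table:
            try:
                return table[string] % tuple(args)
            except TypeError:  # argument count does not match the template
                return table[string]
    return "[[%s/%s]]" % (string, section)


def get_string_response(section, string, args=()):
    """Model of the endpoint's reply: the application/json Content-Type is what
    stops a browser rendering markup passed in args when the URL is opened
    directly; the markup itself is still returned verbatim inside the JSON."""
    headers = {"Content-Type": "application/json"}
    try:
        payload = {"error": False, "message": get_string(section, string, args)}
    except ValueError as exc:
        payload = {"error": True, "message": str(exc)}
    return headers, json.dumps(payload)
```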