User autocomplete selector in Mail composer not escaping the name

Bug #1719472 reported by Robert Lyon
Affects    Status        Importance  Assigned to   Milestone
Mahara     Fix Released  High        Robert Lyon
16.04      Fix Released  High        Unassigned
16.10      Fix Released  High        Unassigned
17.04      Fix Released  High        Unassigned
17.10      Fix Released  High        Robert Lyon

Bug Description

This means that a user can set a bad name and compromise another user.

To reproduce:

*) Login as "user1"
*) Click on "Main menu" - "Content" - "Profile" - "About me"
*) Insert at "First name" or "Last name" or "Display name":

<script>alert(1)</script>

*) Save with "Save profile"

*) Click on "User menu" - "0 unread" - "Compose"
*) Send a message to another user, for example:

Recipients: user2
Subject: Hello
Message: Please reply

*) Send the message with "Send message"
*) Logout as "user1"

*) Login as "user2"
*) Open the received message in the dashboard ("Inbox")
*) Click on "Reply"
*) The alert dialog appears

To fix:
Normally, when we show a user's name on screen, we filter it via hsc().
But in this case the name is being fetched by the autocomplete pieform element via the translate_ids_to_names() function without being escaped.

So we need to escape it before returning the name.
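The following PHP is an added illustration of the defect and its fix, not Mahara's own code: a simplified stand-in for the id-to-name lookup the autocomplete element calls, shown once without escaping and once escaping at the point where the name is handed to the widget. The $users array, the hostile display name, and the helpers escape_for_html() (standing in for hsc()) and contains_raw_tag() are all constructed for this example.

```php
<?php
// Added example, not Mahara's code. Models the bug: a display name that is
// returned to an HTML-rendering autocomplete widget without being escaped.

// Constructed sample data: user 1 has set a display name containing markup.
$users = [
    1 => '<script>alert(1)</script>',
    2 => 'Bob Example',
];

// Stand-in for hsc(): HTML-escape a string for safe inclusion in markup.
function escape_for_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable shape: the raw display name is returned, and the widget later
// inserts it as HTML, so the <script> element becomes live in the page.
function translate_ids_to_names_unescaped(array $ids, array $users): array {
    $result = [];
    foreach ($ids as $id) {
        $result[] = ['id' => $id, 'text' => $users[$id] ?? ''];
    }
    return $result;
}

// Fixed shape: escape where the name leaves the server for the widget, which is
// the same boundary the bug's fix escapes display_name() at.
function translate_ids_to_names_escaped(array $ids, array $users): array {
    $result = [];
    foreach ($ids as $id) {
        $result[] = ['id' => $id, 'text' => escape_for_html($users[$id] ?? '')];
    }
    return $result;
}

// Simple regression check: does any returned 'text' still contain an unescaped
// tag opener? Useful as a unit test around the lookup function.
function contains_raw_tag(array $entries): bool {
    foreach ($entries as $entry) {
        if (preg_match('/<[a-z!\/]/i', $entry['text'])) {
            return true;
        }
    }
    return false;
}

var_dump(contains_raw_tag(translate_ids_to_names_unescaped([1, 2], $users)));
var_dump(contains_raw_tag(translate_ids_to_names_escaped([1, 2], $users)));
```

The escaping must happen exactly once, at the boundary where the string becomes markup: if the widget already HTML-escapes its option text, escaping server-side as well shows the literal entities ("&lt;script&gt;") to the user instead of the name, so check which side of the boundary renders the value before picking where to escape.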

Revision history for this message
Robert Lyon (robertl-9) wrote :
information type: Private Security → Public Security
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/8208
Committed: https://git.mahara.org/mahara/mahara/commit/13fa6facb342b7a58df517f7d59ba396c1863b94
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.04_STABLE

commit 13fa6facb342b7a58df517f7d59ba396c1863b94
Author: Robert Lyon <email address hidden>
Date: Tue Sep 26 11:27:34 2017 +1300

Bug 1719472: Escape user's display_name() when supplying to autocomplete

behatnotneeded

Change-Id: I4b342a0d3f00015e8f2e0ff7d93d2b5198fbc32d
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 86711cb835dcd87208170df32e3405cd0467e1cf)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8207
Committed: https://git.mahara.org/mahara/mahara/commit/fa531905b49096f071351e4381e42660f48944d5
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.10_STABLE

commit fa531905b49096f071351e4381e42660f48944d5
Author: Robert Lyon <email address hidden>
Date: Tue Sep 26 11:27:34 2017 +1300

Bug 1719472: Escape user's display_name() when supplying to autocomplete

behatnotneeded

Change-Id: I4b342a0d3f00015e8f2e0ff7d93d2b5198fbc32d
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 86711cb835dcd87208170df32e3405cd0467e1cf)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8206
Committed: https://git.mahara.org/mahara/mahara/commit/a99dbced72c6fd76d0589bcac6e4af8db330c4bd
Submitter: Robert Lyon (<email address hidden>)
Branch: 17.04_STABLE

commit a99dbced72c6fd76d0589bcac6e4af8db330c4bd
Author: Robert Lyon <email address hidden>
Date: Tue Sep 26 11:27:34 2017 +1300

Bug 1719472: Escape user's display_name() when supplying to autocomplete

behatnotneeded

Change-Id: I4b342a0d3f00015e8f2e0ff7d93d2b5198fbc32d
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 86711cb835dcd87208170df32e3405cd0467e1cf)

This report contains Public Security information: everyone can see this security related information.
