Mahara 1.2.5

Milestone information

François Marier
Release registered:
No. Drivers cannot target bugs and blueprints to this milestone.



Assignees: 1 Dan Marsden, 1 François Marier, 1 PiersHarding, 3 Richard Mansfield
No blueprints are targeted to this milestone.
Bug status: 6 Fix Released

Download files for this release

After you've downloaded a file, you can verify its authenticity using its MD5 sum or signature.

File | Description | Downloads
(md5, sig) | release tarball | 2,316 (last downloaded 61 weeks ago)
mahara-1.2.5.tar.bz2 (md5, sig) | release tarball | 324 (last downloaded 37 weeks ago)
mahara-1.2.5.tar.gz (md5, sig) | release tarball | 540 (last downloaded 61 weeks ago)
Total downloads: 3,180

Release notes 

Mahara 1.2.5 Release Notes

This is a major security release of Mahara 1.2. Stable releases are fit
for general use. If you find a bug, please report it to the tracker:

This release includes an upgrade path from 1.0. If you wish to
upgrade, we encourage you to make a copy of your website and test the
upgrade on it first, to minimise the effect of any potential
unforeseen problems.

Changes from 1.2.4:

 * Multiple XSS vulnerabilities (CVE-2010-1667)
 * Multiple CSRF vulnerabilities (CVE-2010-1668)
 * SQL Injection (CVE-2010-1669)
 * Removal of dangerous auth plugin configuration options (CVE-2010-1670)
 * New version of HTML Purifier fixing an IE-only XSS (CVE-2010-2479)
 * Better handling of cron events to avoid sending duplicate emails
 * Fix problems when mime_content_type() is missing
 * Improved detection of https on Windows
 * Set the correct envelope sender for emails sent on cron
 * Set the locale in Mahara instead of in language packs


Full changelog

Store locale in langconfig; set locale when setting the language (bug #597097)
Waste a bit less time getting current language
Fix view access activity to cope with group views (bug #537492)
Don't allow 'none' authinstances to be used as parent authinstances
Don't allow internal auth users to login unless they have set a password
Add phpmailer README.Mahara file
phpmailer: fix envelope sender for emails sent on cron (see e.g.
lib/htmlpurifier: upgrade to latest upstream version (4.1.1)
Remove activities from the queue before they are handled
Move the transaction to the inner loop
Add missing braces to table names
Check sesskey when adding authinstances with no config form
Check sesskey in non-js view editor actions & before removing blocks
Check session key when closing forum threads or making them sticky
Allow for sesskey, deleted, suspended checks without a pieform object
fix detection of https (Bug #587823)
Cast an ID coming from user data before it hits a query
Escape artefact title & owner name on filtered html page
Run clean_html over summaries in portfolio self search results
Escape file title in filedownload block & group name in file block configuration
Run forum description through clean_html on forum view page
Escape group name & view description on group views page for users who cannot edit views
htmlpurifier: update README.Mahara after 4.1.0 upgrade
htmlpurifier: new upstream release (4.1.0)
Run artefact description through clean_html in blog artefactchooser
Run blog description through clean_html when viewing own blog
Escape user's name on wall page
Run clean_html over group description on group view page
Add a copyright notice which includes an extra permission for linking with OpenSSL
Bug #579762 site disabled for upgrade message fails to appear
auth/saml: add flag to choose matching against remote user or real username
Escape user,institution names on admin notifications page
Escape link text in links & resources menu
Escape author names in views shared/submitted to group lists
Escape group,host names in view submitted message on my views page
Run clean_html over view descriptions on view view page
Run clean_html over view descriptions on my views page
Escape feedback author name
Escape admin's name in masquerade string
Escape institution names on admin user search
Escape lists of institution & group names on user/view page
Pieforms: escape value of 'collapseifone' select element option
Allow cron jobs to create groups with all jointypes
Ensure profile views are imported with logged-in user access
Add author name on feedback from future Mahara leap imports
Warn rather than dying horribly when mime_content_type function is unavailable

0 blueprints and 6 bugs targeted

Bug report | Importance | Assignee | Status
#571505 XSS in HTML purifier 3.0.0 and 4.0.0 | Critical | François Marier | Fix Released
#556972 1.2.2->1.2.4 upgrade fails with "Failed to upgrade!" error on core in upgrade.php | High | Richard Mansfield | Fix Released
#594891 Adding internal authinstance as parent of xmlrpc allows login to existing accounts without a password | Medium | Richard Mansfield | Fix Released
#537492 Group View Creation Error | Undecided | Richard Mansfield | Fix Released
#579762 site disabled for upgrade message fails to appear | Undecided | PiersHarding | Fix Released
#587823 incorrect https check | Undecided | Dan Marsden | Fix Released