Mahara 1.4.1

Milestone information

François Marier
1 Andrew Nicols, 1 Darryl Hamilton, 1 Eugene, 1 François Marier, 4 Hugh Davenport, 1 Iñaki Arenaza, 4 Melissa Draper, 10 Richard Mansfield, 2 Ruslan Kabalin
No blueprints are targeted to this milestone.
25 Fix Released

Download files for this release

After you've downloaded a file, you can verify its authenticity using its MD5 sum or signature.

| File | Description | Downloads | Last downloaded |
|---|---|---|---|
| (md5, sig) | release tarball | 5,442 | 32 weeks ago |
| mahara-1.4.1.tar.bz2 (md5, sig) | release tarball | 516 | 10 weeks ago |
| mahara-1.4.1.tar.gz (md5, sig) | release tarball | 992 | 82 weeks ago |

Total downloads: 6,950

Release notes 

Mahara 1.4.1 Release Notes

This is a stable release of Mahara 1.4. Stable releases are fit for
general use. If you find a bug, please report it to the tracker:

This release includes an upgrade path from 1.0. If you wish to
upgrade, we encourage you to make a copy of your website and test the
upgrade on it first, to minimise the effect of any potential
unforeseen problems.

Changes from 1.4.0:

 * XSS in unvalidated URI attributes (CVE-2011-2771)
 * Information disclosure exposing private messages (CVE-2011-2774)
 * DoS via invalid or excessively large images (CVE-2011-2773)
 * CSRF to trick admins into adding a user to an institution (CVE-2011-2773)
 * Fix broken links on export page
 * Fix problems with blog, plan and comment pagination, and comment deletion
 * Fix embedding issues with google docs and multimedia content
 * Fix issues preventing tinymce and pieforms javascript loading for text areas
 * Fix fatal errors for collections and image galleries
 * Fix issues with settings for search plugin and mail preferences
 * Ensure that bulk imported users are forced to change passwords


View the full changelog

Remove unreachable addtoinstitution.php script (bug #800032)
Add sanitize_url() and apply to XSS vulns in rss parser
Fix messaging privilege escalation (bug #798128)
Estimate memory usage before resizing images (bug #784978)
Prevent masquerading users from jumping as others
Eval js to rewrite task titles after block configuration (bug #845534)
Use function to process get_instance_config_javascript js (bug #845534)
Fix group shortnames in share with group buttons (bug #881681)
Fix fatal error in gallery on public profiles (bug #872672)
Update the GoogleApps help file for new interface
Add another new google doc url formats (bug #856130)
Fix maildisabled preference in activity_get_users (bug #860090)
Fix the spreadsheet filter again (bug #843588)
Update flowplayer code to fix the mp3 player in ie7/8 (Bug #804129)
Fix group view blocktype copy page feature.
Add new docs filter for different spreadsheet url (bug #843588)
Respect changepassword setting for newly created users
Check for existence of tinymce translations (bug #817836)
Json-encode strings included in viewacl javascript (bug #817342)
Call to table_exists() uses an XMLDBTable instance
Allow editing of pages with misconfigured navigation block (bug #813204)
textarea.js:fix IE js bug caused by trailing comma
Save search plugin site option (bug #809228)
file_mime_type: increase use of hardcoded magic file (bug #809216)
Remove remaining tinymce autoresize references
Fix overzealous caching of site language
Fix group views blocktype copy page feature
Fix collections edit form to allow setting no navigation
Fix comment deletion bug (bug #803247)
Port minaccept changes to 1.4_STABLE
Fix bug with pagination on journals page

0 blueprints and 25 bugs targeted

| Bug report | Summary | Importance | Assignee | Status |
|---|---|---|---|---|
| #798128 | All private messages were accessible by wrong users | Critical | Ruslan Kabalin | Fix Released |
| #784978 | Potential DoS attack by running large images through GD | High | Richard Mansfield | Fix Released |
| #798136 | XSS in URI attributes in the externalfeed block | High | Melissa Draper | Fix Released |
| #800032 | Session key not checked in admin/users/addtoinstitution.php | High | Richard Mansfield | Fix Released |
| #800373 | "copy this page" in group is linked incorrectly | High | Hugh Davenport | Fix Released |
| #803247 | Deleting a comment in a group view always deletes the first one | High | Darryl Hamilton | Fix Released |
| #804129 | Embedded mp3 file not loading in IE in v1.4 | High | Melissa Draper | Fix Released |
| #812066 | Textarea JS error in IE | High | Eugene | Fix Released |
| #884223 | Administrators masquerading as other users can jump to remote XMLRPC applications as that other user | High | Andrew Nicols | Fix Released |
| #784326 | adding a collection with "Page navigation bar" unchecked throws exception | Medium | Hugh Davenport | Fix Released |
| #787123 | static $lang in mahara.php | Medium | Richard Mansfield | Fix Released |
| #795425 | View comments pagination misbehaviour in Chrome | Medium | Hugh Davenport | Fix Released |
| #800575 | blogs not shown correctly past page 1 | Medium | Hugh Davenport | Fix Released |
| #809216 | When uploading a .flv using IE, the mimetype isn't set correctly | Medium | François Marier | Fix Released |
| #809228 | Search plugin setting not saved | Medium | Ruslan Kabalin | Fix Released |
| #813204 | Cannot edit a page with a navigation block pointing at a deleted collection | Medium | Richard Mansfield | Fix Released |
| #817342 | Unencoded strings included in viewacl javascript | Medium | Richard Mansfield | Fix Released |
| #817836 | tinymce fails to load when current language unavailable | Medium | Richard Mansfield | Fix Released |
| #832374 | Manually added users or bulk imported users are not forced to change their password | Medium | Iñaki Arenaza | Fix Released |
| #843588 | Google spreadsheet can't be embedded | Medium | Melissa Draper | Fix Released |
| #845534 | Plans title link not working | Medium | Richard Mansfield | Fix Released |
| #856130 | googledocs block doesn't like link from google docs | Medium | Melissa Draper | Fix Released |
| #860090 | Maildisabled preference not respected in activity notifications | Medium | Richard Mansfield | Fix Released |
| #872672 | Fatal error in image gallery on public profiles | Medium | Richard Mansfield | Fix Released |
| #881681 | Share with group buttons show wrong text when shortened | Medium | Richard Mansfield | Fix Released |