Reviewed: https://reviews.mahara.org/1791
Committed: http://gitorious.org/mahara/mahara/commit/ecc08a242be1b23fcb10bc4d96e93da128c3a3d6
Submitter: Melissa Draper (meli...@catalyst.net.nz)
Branch: 1.5_STABLE
commit ecc08a242be1b23fcb10bc4d96e93da128c3a3d6
Author: Hugh Davenport <h...@catalyst.net.nz>
Date:   Tue Oct 16 13:25:56 2012 +1300

    Fix Leap2A import from Moodle

    Related to bug #1047111

    That bug fixed the XXE attack by setting the following to true
        libxml_disable_entity_loader

    This caused issues with the leap2a importer used by mnet, which
    used the simplexml_load to load the xml which relies on file
    based remote entities.

    For this situation, the following flag is used, which stops
    network based XXE attacks
        LIBXML_NONET

    Change-Id: I3d95ebc9c38374d339d66a80feaa39f5c15f1022
    Signed-off-by: Hugh Davenport <h...@catalyst.net.nz>

--
https://bugs.launchpad.net/bugs/1047111

Title:
  XEE possible in mahara

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.4 series:
  Fix Released
Status in Mahara 1.5 series:
  Fix Released

Bug description:
  There is a security issue with the default XML parser for PHP, where
  ENTITY fields are loaded and substituted in text parts. This allows
  possible attackers to read from internal networks, or files readable
  by the web server user. This includes reading of the config.php file,
  which contains sensitive information such as the database password,
  and the password salt field.

  The fix for this was to include a call to
  libxml_disable_entity_loader(true) during the initialization of a
  page.

  More information can be found at the following:
  http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities
  http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html

  Reported by Mike Haworth.
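The two mitigations this thread discusses behave differently, and the difference is exactly what broke the Leap2A importer: libxml_disable_entity_loader(true) is a global switch that also affects the parser's own file loads, while LIBXML_NONET is a per-call option that only forbids network access. The following PHP script is an added example, not Mahara's code and not part of the original report or commit; it parses a constructed document that declares an external entity pointing at a throwaway temporary file, under each of the three configurations (the importer's original default, the bug #1047111 fix, and this commit's LIBXML_NONET), and reports whether the parse succeeded and whether the file's sentinel text reached the parsed tree. The helper names (parseWithMode, buildProbe, runProbe) and the mode constants are this example's own.

```php
<?php
// Added example (not Mahara's own code): exercises the two mitigations named in
// this thread, libxml_disable_entity_loader(true) and LIBXML_NONET, against a
// constructed Leap2A-like document that declares an external entity. Helper
// names (parseWithMode, buildProbe, runProbe) are this example's own.
declare(strict_types=1);

const MODE_DEFAULT  = 'default';   // what the importer did originally
const MODE_NOLOADER = 'noloader';  // the fix for bug #1047111
const MODE_NONET    = 'nonet';     // the fix in this commit

/**
 * Parse $xml (a string, or a path when $fromFile is true) under one mode.
 * Returns null on any libxml error instead of emitting PHP warnings.
 */
function parseWithMode(string $xml, string $mode, bool $fromFile = false): ?SimpleXMLElement
{
    libxml_use_internal_errors(true);
    libxml_clear_errors();
    $previous = null;
    if ($mode === MODE_NOLOADER) {
        // Global, process-wide switch. It refuses every external entity,
        // and on the libxml versions of this era it also refuses the
        // parser's own file loads. Always restore the previous value.
        $previous = libxml_disable_entity_loader(true);
    }
    // Per-call option: keeps the loader but forbids any network fetch.
    $options = $mode === MODE_NONET ? LIBXML_NONET : 0;
    try {
        $el = $fromFile
            ? simplexml_load_file($xml, 'SimpleXMLElement', $options)
            : simplexml_load_string($xml, 'SimpleXMLElement', $options);
        return $el === false ? null : $el;
    } finally {
        if ($previous !== null) {
            libxml_disable_entity_loader($previous);
        }
    }
}

/**
 * Constructed input: a throwaway file standing in for "a file readable by
 * the web server user", referenced from an entity declared in the DTD.
 * Returns [document string, path of the document on disk, sentinel path].
 */
function buildProbe(): array
{
    $sentinelPath = tempnam(sys_get_temp_dir(), 'xxe-probe-');
    file_put_contents($sentinelPath, 'SENTINEL-MUST-NOT-APPEAR');
    $doc = <<<XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE feed [
  <!ENTITY ext SYSTEM "file://{$sentinelPath}">
]>
<feed>
  <entry><title>&ext;</title></entry>
</feed>
XML;
    $docPath = tempnam(sys_get_temp_dir(), 'leap2a-');
    file_put_contents($docPath, $doc);
    return [$doc, $docPath, $sentinelPath];
}

/**
 * One row per (mode, input kind): did the parse succeed at all, and did the
 * sentinel text reach the parsed tree? A safe configuration shows
 * leaked=false; a usable importer must also show loaded=true for file input.
 */
function runProbe(): array
{
    [$doc, $docPath, $sentinelPath] = buildProbe();
    $rows = [];
    foreach ([MODE_DEFAULT, MODE_NOLOADER, MODE_NONET] as $mode) {
        foreach ([false, true] as $fromFile) {
            $el   = parseWithMode($fromFile ? $docPath : $doc, $mode, $fromFile);
            $text = $el === null ? '' : (string) $el->entry->title;
            $rows[] = [
                'mode'   => $mode,
                'input'  => $fromFile ? 'file' : 'string',
                'loaded' => $el !== null,
                'leaked' => strpos($text, 'SENTINEL-MUST-NOT-APPEAR') !== false,
            ];
        }
    }
    unlink($docPath);
    unlink($sentinelPath);
    return $rows;
}

foreach (runProbe() as $row) {
    printf("%-8s %-6s loaded=%s leaked=%s\n", $row['mode'], $row['input'],
        $row['loaded'] ? 'yes' : 'no', $row['leaked'] ? 'yes' : 'no');
}
```

What to look for: a row with leaked=yes means that configuration substituted the external entity's contents, which is the condition the bug describes; a file-input row with loaded=no under the noloader mode is the importer breakage the commit describes, since the disabled loader also blocks simplexml_load_file() itself on PHP 5 era libxml. Two caveats a practitioner should keep in mind: LIBXML_NONET, as its name says, only stops network fetches, so on a libxml build that loads external parsed entities by default a file:// entity can still be resolved under that mode (the nonet row would then show leaked=yes), and libxml_disable_entity_loader() is deprecated as of PHP 8.0 because libxml 2.9.0 and later no longer load external entities unless the caller asks for it with LIBXML_NOENT or LIBXML_DTDLOAD. The outcome therefore depends on the PHP and libxml versions installed, which is why the script reports rather than assumes.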