[Mahara-contributors] [Bug 1542154] A patch has been submitted for review
Patch for "master" branch: https://reviews.mahara.org/8265

--
You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1542154

Title: upgrade pdfjs to 1.8.188

Status in Mahara: Confirmed

Bug description:
Need to keep this current

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1542154/+subscriptions

___
Mailing list: https://launchpad.net/~mahara-contributors
Post to : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help : https://help.launchpad.net/ListHelp
Re: [Mahara-contributors] [Bug 1363873] Re: Session Management Issue- Session is not invalidating after password change
Is the CVE ID confirmed for this? Is this CVE ID allocated to me?

On Nov 8, 2017 9:24 AM, "Kristina Hoeppner" <1363...@bugs.launchpad.net> wrote:

> ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000136
>
> --
> You received this bug notification because you are subscribed to the bug report.
> https://bugs.launchpad.net/bugs/1363873
>
> Title: Session Management Issue- Session is not invalidating after password change
>
> Status in Mahara: Fix Released
> Status in Mahara 1.10 series: Fix Released
> Status in Mahara 1.8 series: Fix Released
> Status in Mahara 1.9 series: Fix Released
> Status in Mahara 15.04 series: Fix Released
>
> Bug description:
> Hi Security Team,
>
> I have discovered the session management issue on the domain https://mahara.org/
>
> Description of the issue-
>
> The application does not invalidate the previous session once the password is changed by the legitimate user.
>
> How to reproduce?-
>
> 1. Login in the application using https://mahara.org/ and login into the application.
> 2. Let's assume application user's account is compromised so he wants to change his password, he will navigate to forgot password page and will change his password.
> 3. Application user is able to change his password but it was observed that still the previous session was not invalidated and I was actually able to browse the application from both the sessions.
>
> Impact- If the application user's account is compromised, he will simply change his password but if the previous session is not invalidated there is no use of changing the password.
> Please let me know if you need video PoC for this.
>
> Remediation- Invalidate the previous session once the password has been changed and enforce the application user to relogin in the application.
>
> Thanks and Regards,
> Abhishek Dashora
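The remediation requested in the report above, as an added PHP example that is not Mahara's code or its released fix: each session records the credential epoch it was issued under, and a password change bumps the epoch and purges that user's sessions. `SessionRegistry` and its method names are hypothetical, and the in-memory arrays stand in for a real session table.

```php
<?php
declare(strict_types=1);

// Added example: SessionRegistry is a hypothetical class, not part of Mahara.
final class SessionRegistry
{
    /** @var array<string, array{user:int, epoch:int}> sha256(token) => record */
    private array $sessions = [];

    /** @var array<int, int> user id => current credential epoch */
    private array $epochs = [];

    /** Issue a session bound to the user's current credential epoch. */
    public function login(int $userId): string
    {
        $token = bin2hex(random_bytes(32));
        // Only the hash is stored, so a leaked store does not yield usable tokens.
        $this->sessions[hash('sha256', $token)] = [
            'user'  => $userId,
            'epoch' => $this->epochs[$userId] ?? 0,
        ];
        return $token;
    }

    /** Return the user id for a live session, or null if a new login is required. */
    public function validate(string $token): ?int
    {
        $key = hash('sha256', $token);
        $session = $this->sessions[$key] ?? null;
        if ($session === null) {
            return null;
        }
        // Backstop for stores that cannot list sessions by user: a session
        // issued before the last password change is stale even if still present.
        if ($session['epoch'] !== ($this->epochs[$session['user']] ?? 0)) {
            unset($this->sessions[$key]);
            return null;
        }
        return $session['user'];
    }

    /** Call from every code path that sets a new password, reset flow included. */
    public function passwordChanged(int $userId): int
    {
        $this->epochs[$userId] = ($this->epochs[$userId] ?? 0) + 1;
        $revoked = 0;
        foreach ($this->sessions as $key => $session) {
            if ($session['user'] === $userId) {
                unset($this->sessions[$key]);
                $revoked++;
            }
        }
        return $revoked;
    }
}

// Constructed scenario: user 7 has two sessions open (one of them may belong
// to whoever compromised the account); user 8 is unrelated.
$registry = new SessionRegistry();
$first  = $registry->login(7);
$second = $registry->login(7);
$other  = $registry->login(8);

$show = static function (string $label, ?int $user): void {
    printf("%-34s %s\n", $label, $user === null ? 'rejected' : "user $user");
};

$show('second session before change:', $registry->validate($second));
printf("sessions revoked on change:        %d\n", $registry->passwordChanged(7));
$show('first session after change:', $registry->validate($first));
$show('second session after change:', $registry->validate($second));
$show('unrelated user after change:', $registry->validate($other));
$show('fresh login after change:', $registry->validate($registry->login(7)));
```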
[Mahara-contributors] [Bug 1234615] Re: Not checking artefact permissions before exporting
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000133

https://bugs.launchpad.net/bugs/1234615

Title: Not checking artefact permissions before exporting

Status in Mahara: Fix Released
Status in Mahara 1.10 series: Won't Fix
Status in Mahara 1.9 series: Won't Fix
Status in Mahara 15.04 series: Fix Released
Status in Mahara 15.10 series: Fix Released
Status in Mahara 16.04 series: Fix Released
Status in Mahara 16.10 series: Fix Released

Bug description:
In https://bugs.launchpad.net/bugs/1211758 , the reporter mentioned that in addition to embedding other users' artefacts in your pages, you could export them to view their full content:

  #3: Export function allows arbitrary file download
  Using the technique above you can get a 1024x1024 'thumbnail' of any users arbitrary file. Simply use the export function on a page like the one above where other users images are embedded. Make sure the embedded images max-size is set to 1024 and it will appear within /files/extra.

There is an obvious fix for this issue, of checking $USER->can_publish_artefact() or $USER->can_view_artefact() on each artefact before exporting it. But when Robert tested this fix, he found that it was too resource-intensive (as part of the already resource-intensive export process) for it to work while exporting an average-sized portfolio.

Since fixing the embedding of other users' data mitigates the risk from this issue and was easier to accomplish, I've released that fix and spun this one off into a separate bug to fix when we're able.
[Mahara-contributors] [Bug 1267686] Re: Group member can't access their own group file
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000134

https://bugs.launchpad.net/bugs/1267686

Title: Group member can't access their own group file

Status in Mahara: Fix Released
Status in Mahara 1.10 series: Fix Released
Status in Mahara 1.8 series: Fix Released
Status in Mahara 1.9 series: Fix Released
Status in Mahara 15.04 series: Fix Released

Bug description:
I have a group, 'Group1' that has some members

I log in as Member A, upload an image file to a group files and makes sure the role perms are all ticked for the file.

I then log out and log in as Member B and I can un-tick the member and tutor options for that file. On saving I can't see the file, which is correct.

I then log out and in as Member A again. I can see the file listed in group files list but without the image icon and when I click on the filename I get Access denied message. It will also stop me from being able to download the file when using a 'Files to download' block.

Conversely, the image will display in a image gallery block even for other members, who are not allowed to view image file.

As Member A I can edit the file and re-tick the member role boxes to get proper access back - but is a bit of a pain if I have many files and another member has removed member role permissions.
[Mahara-contributors] [Bug 1348024] Re: users can stay logged into suspended institution
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000135

https://bugs.launchpad.net/bugs/1348024

Title: users can stay logged into suspended institution

Status in Mahara: Fix Released
Status in Mahara 1.10 series: Fix Released
Status in Mahara 1.8 series: Fix Released
Status in Mahara 1.9 series: Fix Released
Status in Mahara 15.04 series: Fix Released
Status in Mahara 15.10 series: Fix Released

Bug description:
If a user does not use their own institution's auth method then user only belonging to a suspended institution can still log in.

Scenario:
- Create an institution called 'testone' with the auth method internal mahara
- Add a user to it (so that the user is only in this institution and no others)
- Update the user auth method to be another internal one
- suspend the institution
- log out and then in as user
- can get in because the auth method is paired to 'mahara' institution

Another problem:
Same as above but have the user using the institution's auth method - this time one gets a warning about the institution being suspended, which is good but also gets the top menu and is actually logged in/can navigate about.

What needs to be done:
1) when an institution is suspended make sure all users that only belong to this institution have a valid usr.authinstance value and if they don't give them one.
2) when they are trying to log in to their suspended institution actually deny them properly.
[Mahara-contributors] [Bug 1190788] Re: Can cause arbitrary SWF files to execute in the browser
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000132

https://bugs.launchpad.net/bugs/1190788

Title: Can cause arbitrary SWF files to execute in the browser

Status in Mahara: Fix Released
Status in Mahara 1.10 series: Fix Released
Status in Mahara 1.8 series: Fix Released
Status in Mahara 1.9 series: Fix Released
Status in Mahara 15.04 series: Fix Released

Bug description:
Subject: Found Critical XSS Vulnerability on Your System

Hello,

I found a really critical XSS (Cross Site Scripting) vulnerability on mahara.org. The vulnerability works as follows:

1) I opened the demo account on Mahara and logged in the admin account by using the link "http://demo.mahara.org/".
2) Then I clicked admin avatar picture to go to user details page.
3) After that I clicked "edit this page" button.
4) Then I dragged "File(s) to Download" image to About me section of the page.
5) I created a .swf file that contains ActionScript codes. I also attached that file to this email.
6) I uploaded that XSS.swf file.
7) When I open XSS.swf file on browser, I saw the alert message showing SOLVER (my nickname)
8) Example script: http://demo.mahara.org/artefact/file/download.php?file=247

By using this XSS vulnerability, an attacker can steal Mahara users' cookies, and their accounts. Furthermore, the attacker can redirect users to a harmful website that contains trojan horse, malware or a JavaScript downloader to get full access on the users' computers. This issue can get bigger by using a XSS Worm, and influence even some other Mahara product users.

As a simple solution, the content of the file that is about to be uploaded should be checked against harmful scripts and codes.
[Mahara-contributors] [Bug 1363873] Re: Session Management Issue- Session is not invalidating after password change
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000136

https://bugs.launchpad.net/bugs/1363873

Title: Session Management Issue- Session is not invalidating after password change

Status in Mahara: Fix Released
Status in Mahara 1.10 series: Fix Released
Status in Mahara 1.8 series: Fix Released
Status in Mahara 1.9 series: Fix Released
Status in Mahara 15.04 series: Fix Released

Bug description:
Hi Security Team,

I have discovered the session management issue on the domain https://mahara.org/

Description of the issue-

The application does not invalidate the previous session once the password is changed by the legitimate user.

How to reproduce?-

1. Login in the application using https://mahara.org/ and login into the application.
2. Let's assume application user's account is compromised so he wants to change his password, he will navigate to forgot password page and will change his password.
3. Application user is able to change his password but it was observed that still the previous session was not invalidated and I was actually able to browse the application from both the sessions.

Impact- If the application user's account is compromised, he will simply change his password but if the previous session is not invalidated there is no use of changing the password.
Please let me know if you need video PoC for this.

Remediation- Invalidate the previous session once the password has been changed and enforce the application user to relogin in the application.

Thanks and Regards,
Abhishek Dashora
[Mahara-contributors] [Bug 1375092] Re: XSS in page content editor
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000137

https://bugs.launchpad.net/bugs/1375092

Title: XSS in page content editor

Status in Mahara: Fix Released
Status in Mahara 1.10 series: Fix Released
Status in Mahara 15.04 series: Fix Released

Bug description:
Steps to reproduce in master:

1. Create a page
2. Click "Text box" in the content editor
3. Enter "alert(1);" without the quotes in the "Block title" and save the block
4. Click "Text box" in the content editor again. (Note: do not drag/drop a text box, only happens if you click)

What happens: An alert is popped up on the page.

What should happen: Alert should not be shown.

Proposed fix is attached as a patch. Note that while the attached patch fixes it for me there are other references to h2.title in that file, so you might want to confirm that this fixes it properly.

Simon
[Mahara-contributors] [Bug 1377736] Re: XSS Vulnerability adding pages into a collection
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000138

https://bugs.launchpad.net/bugs/1377736

Title: XSS Vulnerability adding pages into a collection

Status in Mahara: Fix Released
Status in Mahara 1.10 series: Fix Released
Status in Mahara 15.04 series: Fix Released

Bug description:
Version: master (1.10)
Platform, browser: any

Steps to reproduce:
1. Create a page with the title "alert(1);" without the quote
2. Create a collection
3. Add the page into the collection by dragging it.

You will see the alert pop-up window.
[Mahara-contributors] [Bug 1397736] Re: Use SafeCURL in external RSS block
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000139

https://bugs.launchpad.net/bugs/1397736

Title: Use SafeCURL in external RSS block

Status in Mahara: Won't Fix
Status in Mahara 1.10 series: Won't Fix
Status in Mahara 15.04 series: Won't Fix
Status in Mahara 15.10 series: Won't Fix
Status in Mahara 16.04 series: Won't Fix
Status in Mahara 16.10 series: Won't Fix

Bug description:
For better security in the external RSS feed block, we should be using a library like SafeCURL to help guard against attacks: https://github.com/fin1te/safecurl

See also bug 1394820
[Mahara-contributors] [Bug 1404117] Re: XSS via uploaded XML
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000140

https://bugs.launchpad.net/bugs/1404117

Title: XSS via uploaded XML

Status in Mahara: Fix Released
Status in Mahara 1.10 series: Fix Released
Status in Mahara 1.8 series: Fix Released
Status in Mahara 1.9 series: Fix Released
Status in Mahara 15.04 series: Fix Released

Bug description:
Reported by Roman Mironov

Dear Sir/Madam,

I have found a security vulnerability and would like to disclose it to you. An attacker can use this vulnerability to initiate stored Cross-Site scripting attacks on authenticated users.

Bug Description:
It is possible to upload .xml files with malicious code and then share them with users. As proof of concept it was possible to share a file between accounts that redirects the user to google.com.

In order to reproduce this proof of concept please follow these steps:

Preconditions:
1) Ensure you have 2 accounts (user A and user B) that have access to each other's Journal entries.
2) Create an .xml file that has the following line of code:
http://www.w3.org/1999/xhtml";>document.location='http://google.com';

Steps to Reproduce:
1) Log-in as user A.
2) Navigate to /artefact/internal/index.php and select Journal on the Navigation block.
3) Press the 'New Entry' button.
4) Enter any Title and Entry text.
5) Add the previously created .xml file as an attachment and press 'Save Entry'.
6) Log-in as user B.
7) Navigate to user A profile page.
8) Find the previously created Journal entry and press the 'Download' button next to the .xml file name.
9) Observe that you are redirected to google.
[Mahara-contributors] [Bug 1429647] Re: Watchlist lets you watch and receive notifications about pages you don't have view access to
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000143

https://bugs.launchpad.net/bugs/1429647

Title: Watchlist lets you watch and receive notifications about pages you don't have view access to

Status in Mahara: Fix Released
Status in Mahara 1.10 series: Fix Released
Status in Mahara 1.8 series: Fix Released
Status in Mahara 1.9 series: Fix Released
Status in Mahara 15.04 series: Fix Released
Status in Mahara 15.10 series: Fix Released

Bug description:
In analyzing watchlist bug 1429505 (pages stay on your watchlist even if you lose access to them) I noticed a couple of things in the code:

1. You apparently still can receive watchlist notifications about pages on your watchlist which you don't have access to.
2. There are no access control checks in togglewatchlist.json.php, so it is apparently possible to add a page to your watchlist even if you don't have access to it.

Together, these bugs mean that a user could watch private pages, and receive notifications about changes to those pages. While these notifications would not contain the actual page content, they would contain the title of the page and the names of blocks and/or artefacts changed in the page.
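The two missing checks described above, as an added PHP example rather than Mahara's actual patch: access is checked when a page is added to the watchlist and again when notification recipients are computed, so a watcher who later loses access stops receiving page titles. The `Watchlist` class, its methods and the ACL array are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: Watchlist is a hypothetical class, not Mahara's API.
final class Watchlist
{
    /** @var array<int, int[]> page id => user ids with view access (constructed ACL) */
    private array $acl;

    /** @var array<int, array<int, true>> page id => set of watching user ids */
    private array $watchers = [];

    public function __construct(array $acl)
    {
        $this->acl = $acl;
    }

    public function canView(int $userId, int $pageId): bool
    {
        // Unknown pages and forbidden pages give the same answer, so the
        // endpoint does not reveal which page ids exist.
        return in_array($userId, $this->acl[$pageId] ?? [], true);
    }

    public function revokeAccess(int $userId, int $pageId): void
    {
        $this->acl[$pageId] = array_values(array_diff($this->acl[$pageId] ?? [], [$userId]));
    }

    /** Check 1: the toggle endpoint. Returns true if the user now watches the page. */
    public function toggle(int $userId, int $pageId): bool
    {
        if (isset($this->watchers[$pageId][$userId])) {
            unset($this->watchers[$pageId][$userId]); // un-watching needs no access
            return false;
        }
        if (!$this->canView($userId, $pageId)) {
            throw new RuntimeException('Access denied');
        }
        $this->watchers[$pageId][$userId] = true;
        return true;
    }

    /** Check 2: recipients are re-validated every time a notification is sent. */
    public function recipients(int $pageId): array
    {
        $allowed = [];
        foreach (array_keys($this->watchers[$pageId] ?? []) as $userId) {
            if ($this->canView($userId, $pageId)) {
                $allowed[] = $userId;
            } else {
                unset($this->watchers[$pageId][$userId]); // prune the stale entry
            }
        }
        return $allowed;
    }
}

// Constructed data: page 10 is shared with users 1 and 2, page 11 is private to user 1.
$watchlist = new Watchlist([10 => [1, 2], 11 => [1]]);
$watchlist->toggle(1, 10);
$watchlist->toggle(2, 10);

try {
    $watchlist->toggle(2, 11); // user 2 guesses the id of a private page
} catch (RuntimeException $e) {
    echo "toggle on private page: {$e->getMessage()}\n";
}

echo 'recipients while shared: ', implode(',', $watchlist->recipients(10)), "\n";
$watchlist->revokeAccess(2, 10); // the owner stops sharing with user 2
echo 'recipients after revoke: ', implode(',', $watchlist->recipients(10)), "\n";
```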
[Mahara-contributors] [Bug 1425306] Re: Users can delete submitted page through URL
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000142

https://bugs.launchpad.net/bugs/1425306

Title: Users can delete submitted page through URL

Status in Mahara: Fix Released
Status in Mahara 1.10 series: Fix Released
Status in Mahara 1.8 series: Fix Released
Status in Mahara 1.9 series: Fix Released

Bug description:
To reproduce:
- Create a page
- Submit it to a group
- Check that there is no 'Delete' button on 'Pages' web-page for this page
- Find out page ID (through page view URL)
- Go to YOURSITE/view/delete.php?id=XXX where XXX is page ID
- See that you can easily delete a page
[Mahara-contributors] [Bug 1447377] Re: Stored XSS in user reports access lists, and shared tabs for user/group/institution
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000144

https://bugs.launchpad.net/bugs/1447377

Title: Stored XSS in user reports access lists, and shared tabs for user/group/institution

Status in Mahara: Fix Released
Status in Mahara 1.10 series: Fix Released
Status in Mahara 1.9 series: Fix Released
Status in Mahara 15.04 series: Fix Released
Status in Mahara 15.10 series: Fix Released

Bug description:
This one requires a malicious institution admin, but could still result in privilege escalation to full admin.

Steps to reproduce:
- As admin, create a new institution, and a new user with admin rights in that institution
- Log in as new institution admin, change name of institution to "alert(1);"
- Add some new users to the institution, their profile pages will automatically be shared with the institution
- If full admin runs a user report on that new user now, and views access list, they will see the XSS
- If a user shares a page with this institution, then views "Shared by me", then it will trigger
- If a group shares a page ..., it will trigger
- If an institution shares a page ..., it will trigger (can be a different institution, just have to be in same institution to be able to share with it (or it is searchable?)).

Mainly low risk, as doesn't gain privilege, but the full admin may view access list report of all users legitimately, so that makes it critical as privilege escalation is possible (walled gardens setups where lots of institution admins, and they aren't full admins).

Patch to come.

Cheers,
Hugh
[Mahara-contributors] [Bug 1724743] Re: SAML metadata page shouldn't redirect to main page when a site is in maintenance mode
** Changed in: mahara
   Assignee: (unassigned) => Cecilia Vela Gurovic (ceciliavg)

https://bugs.launchpad.net/bugs/1724743

Title: SAML metadata page shouldn't redirect to main page when a site is in maintenance mode

Status in Mahara: Confirmed

Bug description:
SAML metadata page /auth/saml/sp/metadata.php shouldn't redirect to main page when a site is in maintenance mode. Ideally, it should send 503 HTTP response to let systems who read the metadata know that the file is not accessible.
[Mahara-contributors] [Bug 1542154] Re: upgrade pdfjs to 1.8.188
** Changed in: mahara
   Assignee: (unassigned) => Cecilia Vela Gurovic (ceciliavg)

https://bugs.launchpad.net/bugs/1542154

Title: upgrade pdfjs to 1.8.188

Status in Mahara: Confirmed

Bug description:
Need to keep this current
[Mahara-contributors] [Bug 1724603] Re: update_hierarchy_path in artefacts/lib.php hammers sql when copying collections
** Changed in: mahara
   Assignee: Cecilia Vela Gurovic (ceciliavg) => (unassigned)

https://bugs.launchpad.net/bugs/1724603

Title: update_hierarchy_path in artefacts/lib.php hammers sql when copying collections

Status in Mahara: Confirmed

Bug description:
A teacher asked 40 students to copy a 15 page collection with numerous artefacts on each page, which crippled our mysql server. When testing it, even copying the collection once resulted in the web server timing out and raised the sql load incredibly.

The code "update_hierarchy_path" in the artefact/lib.php on line 1423 runs an sql query as below:

`$sql = "UPDATE {artefact} SET path = ? || SUBSTR(path, ?) WHERE (path = ? OR path LIKE ? )";`

The artefact table in Mahara does not index the `path` column, so whilst updating one artefact is not a major issue, updating the path column for many artefacts hits the database massively. Indexing the path column (which is 1024 bytes) may not be a good solution long term, but either the query needs to be made more efficient or the column indexed.

Mahara version 17.04_STABLE (updated about a month ago)
Linux RHEL7
MYSQL 5.6
Browser is current chromium Version 61.0.3163.100 (but that is not relevant)