[Mahara-contributors] [Bug 1384481] Re: Minor version number displayed in JS, CSS links
** Changed in: mahara Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1384481 Title: Minor version number displayed in JS, CSS links Status in Mahara ePortfolio: Fix Released Status in Mahara 1.10 series: Fix Released Status in Mahara 1.8 series: Fix Released Status in Mahara 1.9 series: Fix Released Status in Mahara 15.04 series: Fix Released Bug description: We made a conscious decision, for security reasons, not to display the Mahara minor version number on the footer of every page, except to Mahara admins. However, in bug 1214124 we then added the minor version number to every stylesheet and Javascript URL, which makes it trivially easy to find. You just look at the source code, and look for style.css: https://mahara.org/theme/raw/static/style/style.css?v=1.9.3";> We should replace this with an arbitrary integer stored in a config variable, which gets incremented whenever we upgrade the site. This would have the added (minor) benefit that you could then force a reloading of all the assets without incrementing the major version number, by simplying increasing this integer. Only low importance, because a hacker could probably infer the Mahara version number anyway, by looking at changes in the site's behavior. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1384481/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1384481] Re: Minor version number displayed in JS, CSS links
Important note:
The patch for this problem only patches the issues in the core code - if
your site is using custom themes you will need to check that they are
not disclosing the minor version number.
To check if you need to make adjustments first search for this string:
v={$RELEASE}
If it exists in your code anywhere (most likely in
theme/[yourthemename]/templates/header/head.tpl) then you will need to
change it to:
v={$CACHEVERSION}
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask
on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1384481
Title:
Minor version number displayed in JS, CSS links
Status in Mahara ePortfolio:
Fix Committed
Status in Mahara 1.10 series:
Fix Released
Status in Mahara 1.8 series:
Fix Released
Status in Mahara 1.9 series:
Fix Released
Status in Mahara 15.04 series:
Fix Committed
Bug description:
We made a conscious decision, for security reasons, not to display the
Mahara minor version number on the footer of every page, except to
Mahara admins.
However, in bug 1214124 we then added the minor version number to
every stylesheet and Javascript URL, which makes it trivially easy to
find. You just look at the source code, and look for style.css:
https://mahara.org/theme/raw/static/style/style.css?v=1.9.3";>
We should replace this with an arbitrary integer stored in a config
variable, which gets incremented whenever we upgrade the site. This
would have the added (minor) benefit that you could then force a
reloading of all the assets without incrementing the major version
number, by simplying increasing this integer.
Only low importance, because a hacker could probably infer the Mahara
version number anyway, by looking at changes in the site's behavior.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1384481/+subscriptions
___
Mailing list: https://launchpad.net/~mahara-contributors
Post to : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1384481] Re: Minor version number displayed in JS, CSS links
** Changed in: mahara/1.9 Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1384481 Title: Minor version number displayed in JS, CSS links Status in Mahara ePortfolio: Fix Committed Status in Mahara 1.10 series: Fix Released Status in Mahara 1.8 series: Fix Released Status in Mahara 1.9 series: Fix Released Status in Mahara 15.04 series: Fix Committed Bug description: We made a conscious decision, for security reasons, not to display the Mahara minor version number on the footer of every page, except to Mahara admins. However, in bug 1214124 we then added the minor version number to every stylesheet and Javascript URL, which makes it trivially easy to find. You just look at the source code, and look for style.css: https://mahara.org/theme/raw/static/style/style.css?v=1.9.3";> We should replace this with an arbitrary integer stored in a config variable, which gets incremented whenever we upgrade the site. This would have the added (minor) benefit that you could then force a reloading of all the assets without incrementing the major version number, by simplying increasing this integer. Only low importance, because a hacker could probably infer the Mahara version number anyway, by looking at changes in the site's behavior. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1384481/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1384481] Re: Minor version number displayed in JS, CSS links
** Changed in: mahara/1.8 Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1384481 Title: Minor version number displayed in JS, CSS links Status in Mahara ePortfolio: Fix Committed Status in Mahara 1.10 series: Fix Released Status in Mahara 1.8 series: Fix Released Status in Mahara 1.9 series: Fix Committed Status in Mahara 15.04 series: Fix Committed Bug description: We made a conscious decision, for security reasons, not to display the Mahara minor version number on the footer of every page, except to Mahara admins. However, in bug 1214124 we then added the minor version number to every stylesheet and Javascript URL, which makes it trivially easy to find. You just look at the source code, and look for style.css: https://mahara.org/theme/raw/static/style/style.css?v=1.9.3";> We should replace this with an arbitrary integer stored in a config variable, which gets incremented whenever we upgrade the site. This would have the added (minor) benefit that you could then force a reloading of all the assets without incrementing the major version number, by simplying increasing this integer. Only low importance, because a hacker could probably infer the Mahara version number anyway, by looking at changes in the site's behavior. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1384481/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1384481] Re: Minor version number displayed in JS, CSS links
** Changed in: mahara/1.10 Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1384481 Title: Minor version number displayed in JS, CSS links Status in Mahara ePortfolio: Fix Committed Status in Mahara 1.10 series: Fix Released Status in Mahara 1.8 series: Fix Released Status in Mahara 1.9 series: Fix Committed Status in Mahara 15.04 series: Fix Committed Bug description: We made a conscious decision, for security reasons, not to display the Mahara minor version number on the footer of every page, except to Mahara admins. However, in bug 1214124 we then added the minor version number to every stylesheet and Javascript URL, which makes it trivially easy to find. You just look at the source code, and look for style.css: https://mahara.org/theme/raw/static/style/style.css?v=1.9.3";> We should replace this with an arbitrary integer stored in a config variable, which gets incremented whenever we upgrade the site. This would have the added (minor) benefit that you could then force a reloading of all the assets without incrementing the major version number, by simplying increasing this integer. Only low importance, because a hacker could probably infer the Mahara version number anyway, by looking at changes in the site's behavior. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1384481/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1384481] Re: Minor version number displayed in JS, CSS links
** Changed in: mahara/1.8 Milestone: None => 1.8.6 -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1384481 Title: Minor version number displayed in JS, CSS links Status in Mahara ePortfolio: Fix Committed Status in Mahara 1.10 series: Fix Committed Status in Mahara 1.8 series: Fix Committed Status in Mahara 1.9 series: Fix Committed Status in Mahara 15.04 series: Fix Committed Bug description: We made a conscious decision, for security reasons, not to display the Mahara minor version number on the footer of every page, except to Mahara admins. However, in bug 1214124 we then added the minor version number to every stylesheet and Javascript URL, which makes it trivially easy to find. You just look at the source code, and look for style.css: https://mahara.org/theme/raw/static/style/style.css?v=1.9.3";> We should replace this with an arbitrary integer stored in a config variable, which gets incremented whenever we upgrade the site. This would have the added (minor) benefit that you could then force a reloading of all the assets without incrementing the major version number, by simplying increasing this integer. Only low importance, because a hacker could probably infer the Mahara version number anyway, by looking at changes in the site's behavior. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1384481/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1384481] Re: Minor version number displayed in JS, CSS links
** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2014-8692 -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1384481 Title: Minor version number displayed in JS, CSS links Status in Mahara ePortfolio: Fix Committed Status in Mahara 1.10 series: Fix Committed Status in Mahara 1.8 series: Fix Committed Status in Mahara 1.9 series: Fix Committed Status in Mahara 15.04 series: Fix Committed Bug description: We made a conscious decision, for security reasons, not to display the Mahara minor version number on the footer of every page, except to Mahara admins. However, in bug 1214124 we then added the minor version number to every stylesheet and Javascript URL, which makes it trivially easy to find. You just look at the source code, and look for style.css: https://mahara.org/theme/raw/static/style/style.css?v=1.9.3";> We should replace this with an arbitrary integer stored in a config variable, which gets incremented whenever we upgrade the site. This would have the added (minor) benefit that you could then force a reloading of all the assets without incrementing the major version number, by simplying increasing this integer. Only low importance, because a hacker could probably infer the Mahara version number anyway, by looking at changes in the site's behavior. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1384481/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1384481] Re: Minor version number displayed in JS, CSS links
** Changed in: mahara/1.9 Status: In Progress => Fix Committed ** Changed in: mahara/15.04 Status: In Progress => Fix Committed ** Changed in: mahara/1.10 Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1384481 Title: Minor version number displayed in JS, CSS links Status in Mahara ePortfolio: Fix Committed Status in Mahara 1.10 series: Fix Committed Status in Mahara 1.8 series: Fix Committed Status in Mahara 1.9 series: Fix Committed Status in Mahara 15.04 series: Fix Committed Bug description: We made a conscious decision, for security reasons, not to display the Mahara minor version number on the footer of every page, except to Mahara admins. However, in bug 1214124 we then added the minor version number to every stylesheet and Javascript URL, which makes it trivially easy to find. You just look at the source code, and look for style.css: https://mahara.org/theme/raw/static/style/style.css?v=1.9.3";> We should replace this with an arbitrary integer stored in a config variable, which gets incremented whenever we upgrade the site. This would have the added (minor) benefit that you could then force a reloading of all the assets without incrementing the major version number, by simplying increasing this integer. Only low importance, because a hacker could probably infer the Mahara version number anyway, by looking at changes in the site's behavior. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1384481/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1384481] Re: Minor version number displayed in JS, CSS links
I uploaded a patch for master, 1.10_STABLE, and 1.9_STABLE, which will fix the problem with cacheversion getting wiped during upgrade: https://reviews.mahara.org/#/q/I14a61c08229de51f8e0bb25aa12c42826f2f1639,n,z (Not needed in 1.8_STABLE, since there's no earlier version of Mahara with $CFG->cacheversion.) -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1384481 Title: Minor version number displayed in JS, CSS links Status in Mahara ePortfolio: In Progress Status in Mahara 1.10 series: In Progress Status in Mahara 1.8 series: Fix Committed Status in Mahara 1.9 series: In Progress Status in Mahara 15.04 series: In Progress Bug description: We made a conscious decision, for security reasons, not to display the Mahara minor version number on the footer of every page, except to Mahara admins. However, in bug 1214124 we then added the minor version number to every stylesheet and Javascript URL, which makes it trivially easy to find. You just look at the source code, and look for style.css: https://mahara.org/theme/raw/static/style/style.css?v=1.9.3";> We should replace this with an arbitrary integer stored in a config variable, which gets incremented whenever we upgrade the site. This would have the added (minor) benefit that you could then force a reloading of all the assets without incrementing the major version number, by simplying increasing this integer. Only low importance, because a hacker could probably infer the Mahara version number anyway, by looking at changes in the site's behavior. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1384481/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1384481] Re: Minor version number displayed in JS, CSS links
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1384481 Title: Minor version number displayed in JS, CSS links Status in Mahara ePortfolio: In Progress Status in Mahara 1.10 series: In Progress Status in Mahara 1.8 series: Fix Committed Status in Mahara 1.9 series: In Progress Status in Mahara 15.04 series: In Progress Bug description: We made a conscious decision, for security reasons, not to display the Mahara minor version number on the footer of every page, except to Mahara admins. However, in bug 1214124 we then added the minor version number to every stylesheet and Javascript URL, which makes it trivially easy to find. You just look at the source code, and look for style.css: https://mahara.org/theme/raw/static/style/style.css?v=1.9.3";> We should replace this with an arbitrary integer stored in a config variable, which gets incremented whenever we upgrade the site. This would have the added (minor) benefit that you could then force a reloading of all the assets without incrementing the major version number, by simplying increasing this integer. Only low importance, because a hacker could probably infer the Mahara version number anyway, by looking at changes in the site's behavior. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1384481/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1384481] Re: Minor version number displayed in JS, CSS links
** Changed in: mahara/15.04 Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1384481 Title: Minor version number displayed in JS, CSS links Status in Mahara ePortfolio: Fix Committed Status in Mahara 1.10 series: Confirmed Status in Mahara 1.8 series: Confirmed Status in Mahara 1.9 series: Confirmed Status in Mahara 15.04 series: Fix Committed Bug description: We made a conscious decision, for security reasons, not to display the Mahara minor version number on the footer of every page, except to Mahara admins. However, in bug 1214124 we then added the minor version number to every stylesheet and Javascript URL, which makes it trivially easy to find. You just look at the source code, and look for style.css: https://mahara.org/theme/raw/static/style/style.css?v=1.9.3";> We should replace this with an arbitrary integer stored in a config variable, which gets incremented whenever we upgrade the site. This would have the added (minor) benefit that you could then force a reloading of all the assets without incrementing the major version number, by simplying increasing this integer. Only low importance, because a hacker could probably infer the Mahara version number anyway, by looking at changes in the site's behavior. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1384481/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1384481] Re: Minor version number displayed in JS, CSS links
** Changed in: mahara/1.10 Importance: Medium => Low ** Changed in: mahara/1.8 Importance: Medium => Low ** Changed in: mahara/1.11 Importance: Medium => Low ** Changed in: mahara/1.9 Importance: Medium => Low ** Description changed: We made a conscious decision not to display the Mahara minor version number on the footer of every page, except to Mahara admins. However, in bug 1214124 we then added the minor version number to every stylesheet and Javascript URL, which makes it trivially easy to find. You just look at the source code, and look for style.css: - https://mahara.org/theme/raw/static/style/style.css?v=1.9.3";> We should replace this with an arbitrary integer stored in a config variable, which gets incremented whenever we upgrade the site. This would have the added (minor) benefit that you could then force a reloading of all the assets without incrementing the major version number, by simplying increasing this integer. - Only medium importance, because a dedicated hacker could probably infer - the Mahara version number anyway, by looking at changes in the site's - behavior. + Only low importance, because a hacker could probably infer the Mahara + version number anyway, by looking at changes in the site's behavior. ** Information type changed from Private Security to Public Security ** Description changed: - We made a conscious decision not to display the Mahara minor version - number on the footer of every page, except to Mahara admins. + We made a conscious decision, for security reasons, not to display the + Mahara minor version number on the footer of every page, except to + Mahara admins. However, in bug 1214124 we then added the minor version number to every stylesheet and Javascript URL, which makes it trivially easy to find. You just look at the source code, and look for style.css: https://mahara.org/theme/raw/static/style/style.css?v=1.9.3";> We should replace this with an arbitrary integer stored in a config variable, which gets incremented whenever we upgrade the site. This would have the added (minor) benefit that you could then force a reloading of all the assets without incrementing the major version number, by simplying increasing this integer. Only low importance, because a hacker could probably infer the Mahara version number anyway, by looking at changes in the site's behavior. -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1384481 Title: Minor version number displayed in JS, CSS links Status in Mahara ePortfolio: In Progress Status in Mahara 1.10 series: Confirmed Status in Mahara 1.11 series: In Progress Status in Mahara 1.8 series: Confirmed Status in Mahara 1.9 series: Confirmed Bug description: We made a conscious decision, for security reasons, not to display the Mahara minor version number on the footer of every page, except to Mahara admins. However, in bug 1214124 we then added the minor version number to every stylesheet and Javascript URL, which makes it trivially easy to find. You just look at the source code, and look for style.css: https://mahara.org/theme/raw/static/style/style.css?v=1.9.3";> We should replace this with an arbitrary integer stored in a config variable, which gets incremented whenever we upgrade the site. This would have the added (minor) benefit that you could then force a reloading of all the assets without incrementing the major version number, by simplying increasing this integer. Only low importance, because a hacker could probably infer the Mahara version number anyway, by looking at changes in the site's behavior. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1384481/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
