We had a discussion about whether there would be any additional security risk in making this action accessible to logged-out users. I think it would be safe. Here's my analysis:
1. The "section" argument is used as a portion of a filename, but it's limited to specific directories and filtered to the characters [-_.A-Za-z0-9], and the filename will have ".php" added to the end, so that's pretty safe.

2. You can use a parameterized string to generate an arbitrary JSON response (i.e. https://vegas.wgtn.cat-it.co.nz/mahara/htdocs/lang/get_string.php?section=mahara&string=deletespecific&args[]=%3Cscript%20type=%22text/javascript%22%3Ealert%28%27hey!%27%29%3C/script%3E ), but the response header has "Content-Type: application/json", so the browser won't parse any HTML or JavaScript in the response if you hit it directly. So that's pretty safe.

So in the end, it seems like the biggest risk here is that you could use this string to find out the value of every language string in the site. The only scenario I can think of where that would cause a problem is if a site is using custom language strings, and putting sensitive data into them. Like "Welcome to Wells University! Remember, everyone's default password is "password123"!". But that seems like a really bad idea anyway, so I don't think it's a scenario we need to worry about too much.

https://bugs.launchpad.net/bugs/1476925

Title: Make ajax get_string work for logged-out users

Status in Mahara: In Progress

Bug description: With Bug #1450995 we added a "get_string_ajax()" JavaScript method which lets you load up Mahara language strings using Ajax, after the page is done loading. However, it only works for logged-in users. I think eventually this is going to cause us some problems, because we're going to forget about that limitation and use this method for some action which is also accessible to logged-out users. So in the long run it's probably best to make it work the same whether you're logged in or logged out.
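The two checks the analysis above rests on, as an added example that is not Mahara's own code: the section whitelist with fixed directories and a forced ".php" suffix, and a JSON response whose headers keep a smuggled script tag inert. The directory names, the string table and the nosniff header are assumptions, not taken from the bug.

```php
<?php
// Added example, not Mahara's code: the two checks the analysis relies on.
// Directory names, the string table and the nosniff header are assumptions.

// Only these directories may supply "<section>.php" (assumed layout).
$allowed_dirs = ['lang/en.utf8', 'local/lang/en.utf8'];

// Constructed stand-in for the language files: section -> string name -> text.
$string_table = ['mahara' => ['deletespecific' => 'Delete %s?']];

// Map a "section" value to the candidate file paths, or [] if it fails the
// whitelist. No slash can pass, so the path can never leave $allowed_dirs.
function section_candidates(string $section, array $allowed_dirs): array {
    if (!preg_match('/^[-_.A-Za-z0-9]+$/', $section)) {
        return [];
    }
    $paths = [];
    foreach ($allowed_dirs as $dir) {
        $paths[] = $dir . '/' . $section . '.php'; // ".php" is always appended
    }
    return $paths;
}

// Build the JSON body; the headers are what keep a smuggled <script> inert.
function json_body(array $payload): string {
    if (!headers_sent()) {
        header('Content-Type: application/json');
        header('X-Content-Type-Options: nosniff'); // no MIME sniffing into HTML
    }
    // JSON_HEX_TAG also escapes < and > as \u003C and \u003E (defence in depth).
    return json_encode($payload, JSON_HEX_TAG | JSON_HEX_AMP);
}

// A traversal attempt is rejected by the whitelist before any path is built.
foreach (['mahara', '../../config'] as $probe) {
    printf("%-14s -> %s\n", $probe,
        section_candidates($probe, $allowed_dirs) ? 'accepted' : 'rejected');
}

// The request quoted in the analysis, with the <script> payload in args[].
$section = 'mahara';
$string  = 'deletespecific';
$args    = ['<script type="text/javascript">alert(\'hey!\')</script>'];
if (!section_candidates($section, $allowed_dirs) || !isset($string_table[$section][$string])) {
    http_response_code(400);
    echo json_body(['error' => 'unknown section or string']), "\n";
} else {
    echo json_body(['message' => vsprintf($string_table[$section][$string], $args)]), "\n";
}
```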

