** Changed in: mahara/16.10
       Status: Confirmed => Fix Committed

** Changed in: mahara/17.04
       Status: Confirmed => Fix Committed

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask 
on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1692749

Title:
  User passwords being saved in database event_log as plain text

Status in Mahara:
  Fix Committed
Status in Mahara 15.04 series:
  Fix Committed
Status in Mahara 16.04 series:
  Fix Committed
Status in Mahara 16.10 series:
  Fix Committed
Status in Mahara 17.04 series:
  Fix Committed
Status in Mahara 17.10 series:
  Fix Committed

Bug description:
  If you turn on full logging for your site via:

  Admin -> Configure site -> Logging settings -> Log events

  Then whenever a user is created via:

  Admin -> Users -> Add user
  Admin -> Users -> Add users by CSV

  Or in fact any place where we create a user with the create_user()
  function we end up calling

  handle_event('createuser', $user);

  And if the $user object has password set then that is saved to
  the event_log table.

  We need to:

  1) stop that from happening - in fact save to event_log only the
  bits of objects that make sense rather than everything, e.g. I notice
  that there are a lot of "dirty":true and things whose value is null
  (we can assume if key doesn't exist then it would be null rather than
  explicitly record that)

  2) clean up existing data and at very least remove the saved passwords

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1692749/+subscriptions

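The two remediation steps in the bug description, as an added sketch that is not Mahara's code or the committed fix: scrub an event payload before it is logged, and apply the same scrub to rows already stored. It assumes the logged data is a JSON object (the report quotes "dirty":true); the function names and the 'salt' key are hypothetical, and the sample payloads are constructed.

```php
<?php
// Added example, not Mahara code. "password" and "dirty" come from the bug
// report; "salt" is an assumed extra secret field.
const SENSITIVE_KEYS = ['password', 'salt'];
const NOISE_KEYS     = ['dirty'];

/** Recursively drop secrets, bookkeeping flags and null values (step 1). */
function scrub_event_data($data): array {
    $fields = is_object($data) ? get_object_vars($data) : (array) $data;
    $clean = [];
    foreach ($fields as $key => $value) {
        $name = strtolower((string) $key);
        if (in_array($name, SENSITIVE_KEYS, true)) continue; // never log secrets
        if (in_array($name, NOISE_KEYS, true)) continue;     // internal state
        if ($value === null) continue;                       // absent == null
        if (is_array($value) || is_object($value)) {
            $value = scrub_event_data($value);               // nested objects
        }
        $clean[$key] = $value;
    }
    return $clean;
}

/**
 * Step 2: given the JSON already stored for one log row, return the
 * scrubbed JSON to write back, or null when the row needs no change.
 */
function scrub_stored_row(string $json): ?string {
    $decoded = json_decode($json, true);
    if (!is_array($decoded)) {
        return null; // not a JSON object/array: leave the row untouched
    }
    $clean = scrub_event_data($decoded);
    return $clean == $decoded ? null : json_encode($clean);
}

// Constructed sample: a user object as it might reach the event handler.
$user = (object) [
    'username' => 'jdoe', 'email' => 'jdoe@example.org',
    'password' => 'constructed-secret', 'dirty' => true, 'lastlogin' => null,
];
echo json_encode(scrub_event_data($user)), "\n";

// Constructed sample: a payload already sitting in the log table.
$row = '{"username":"jdoe","password":"constructed-secret","dirty":true,"quota":null}';
echo scrub_stored_row($row) ?? '(unchanged)', "\n";
```

Scrubbing stored rows removes the passwords from the live table only; copies in database backups and replicas are unaffected, so passwords that were logged should be treated as exposed.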