** Changed in: mahara/19.10
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask
on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1889485
Title:
Security Upgrade SimpleSAML 1.18.4 to 1.18.7
Status in Mahara:
Fix Committed
Status in Mahara 19.04 series:
Fix Released
Status in Mahara 19.10 series:
Fix Released
Status in Mahara 20.04 series:
In Progress
Status in Mahara 20.10 series:
Fix Committed
Bug description:
From https://simplesamlphp.org/security/202004-01:
Date
April 03, 2020
Affected versions
SimpleSAMLphp 1.18.5 and older
Severity
Low
Background
The module controller in SimpleSAML\Module that processes requests for pages
hosted by modules, has code to identify paths ending with .php and process
those as PHP code. If no other suitable way of handling the given path exists
it presents the file to the browser.
Description
The check to identify paths ending with .php does not account for uppercase
letters. If someone requests a path ending with e.g. .PHP and the server is
serving the code from a case-insensitive file system, such as on Windows, the
processing of the PHP code does not occur, and the source code is instead
presented to the browser.
Affected versions
SimpleSAMLphp versions 1.18.5 and older.
We will upgrade to version 1.18.7
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1889485/+subscriptions
_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to : [email protected]
Unsubscribe : https://launchpad.net/~mahara-contributors
More help : https://help.launchpad.net/ListHelp
