Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.2.2
    • Fix Version/s: 2.3
    • Component/s: General
    • Labels:
    • Testing Instructions:

      1/ $CFG->cachejs = 1; $CFG->themedesignermode = 0;
      2/ reset caches
      3/ verify JS still works and CSS did not change (for example watch JS console and compare screenshots)

    • Affected Branches:
      MOODLE_22_STABLE
    • Fixed Branches:
      MOODLE_23_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      w12_MDL-32050_m23_minify
    • Rank:
      38735

      Description

      Minify 2.1.5 is now available. Here is the change log:

      http://code.google.com/p/minify/wiki/History

      The most important fix is a security fix: "Removed XSS vulnerability".

      2.1.5 also offers some performance improvements. This should be integrated ASAP due to the XSS vulnerability fix.

      Also, I believe Moodle 2.1.3 is integrated with Moodle 2, so the fixes for Version 2.1.4b are also applicable.

        Issue Links

          Activity

          Petr Škoda added a comment -

          I did not find any explanation of the XSS; judging from the recent commits it may be related to the builder, which was enabled by default in the default install, BUT I intentionally disabled its execution in Moodle, which would make us not vulnerable.

          I am going to try to contact the author later today...

          Ryan Smith added a comment -

          Thank you for checking Petr. I was not sure if Moodle was affected, but as soon as I saw there was an XSS vulnerability I decided to report it.

          Petr Škoda added a comment -

          Thanks a lot for bringing this forward!

          Jonathan Champ added a comment -

          Also note that this version fixes issues where zero byte files were being served as the "cached" version as a result of a failed LOCK_EX. This caused us issues with essential application JavaScript (e.g. the file chooser) not being served.

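          The zero-byte "cached" file described in the comment above is what a reader sees when the cache path is created before the content is safely written and the write (or its LOCK_EX) then fails. The following is an added illustration in PHP of a cache write that cannot leave such a file behind, plus a reader that treats an empty entry as a miss; it is not Moodle's or Minify's own code, and the function names, the cache path and the $preventfilelocking flag are assumptions made for the example.

```php
<?php
// Added example (not Moodle or Minify code): store a minified file so that a failed
// write or an unavailable exclusive lock never leaves a zero-byte file at the cache
// path, and read it back treating an empty file as a cache miss.
// The function names, the cache directory and $preventfilelocking are assumptions.

/**
 * Atomically store $content under $cachefile.
 *
 * The content is written to a temporary file in the same directory, flushed, and
 * then renamed over the target. rename() is atomic on a single filesystem, so a
 * concurrent reader sees either the previous complete file or the new complete
 * file, never an empty or partially written one.
 *
 * @param string $cachefile final path of the cached file
 * @param string $content minified content to store
 * @param bool $preventfilelocking skip flock(), e.g. on filesystems where it fails
 * @return bool true when the file was stored
 */
function cache_store_atomic(string $cachefile, string $content, bool $preventfilelocking = false): bool {
    $dir = dirname($cachefile);
    if (!is_dir($dir) && !@mkdir($dir, 0777, true) && !is_dir($dir)) {
        return false;
    }
    $tmp = tempnam($dir, 'tmp_');
    if ($tmp === false) {
        return false;
    }
    $fp = fopen($tmp, 'wb');
    if ($fp === false) {
        @unlink($tmp);
        return false;
    }
    // The lock only serialises writers; even when it cannot be obtained, nothing is
    // exposed at $cachefile because the rename below is the only change to that path.
    if (!$preventfilelocking && !flock($fp, LOCK_EX)) {
        fclose($fp);
        @unlink($tmp);
        return false;
    }
    $written = fwrite($fp, $content);
    fflush($fp);
    if (!$preventfilelocking) {
        flock($fp, LOCK_UN);
    }
    fclose($fp);
    if ($written !== strlen($content)) {
        @unlink($tmp);
        return false;
    }
    if (!rename($tmp, $cachefile)) {
        @unlink($tmp);
        return false;
    }
    return true;
}

/**
 * Return the cached content, or null when the file is missing or empty.
 * A zero-byte file is discarded and reported as a miss so the next request
 * regenerates it instead of sending an empty script to the browser.
 */
function cache_fetch(string $cachefile): ?string {
    if (!is_file($cachefile)) {
        return null;
    }
    clearstatcache(true, $cachefile);
    if (filesize($cachefile) === 0) {
        @unlink($cachefile);
        return null;
    }
    $content = file_get_contents($cachefile);
    return ($content === false || $content === '') ? null : $content;
}

// Usage with a constructed zero-byte entry, the situation the comment describes.
$cachedir = sys_get_temp_dir() . '/minify_example';
@mkdir($cachedir, 0777, true);
$file = $cachedir . '/filepicker.js';
file_put_contents($file, '');                         // an empty file left by a failed write
var_dump(cache_fetch($file));                         // the empty entry is treated as a miss
cache_store_atomic($file, "var filepicker = function () {};\n");
var_dump(cache_fetch($file));                         // the regenerated content is returned
```

          The reader-side check matters as much as the writer: any cache layer that can be populated by several PHP processes should refuse to serve a zero-length entry, because a server that trusts the mere existence of the file will keep serving the empty response until the cache is purged by hand.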
          Andrew Nicols added a comment -

          MDL-29864 includes a patch to Minify which should already be included in version 2.1.5 of Minify, but it may be worth re-running the test instructions to check for regressions.

          Petr Škoda added a comment -

          Steve confirmed that minify in Moodle 2.x is not affected by the XSS problem mentioned in HISTORY.txt

          I am going to prepare a pull request (master only) for the next integration cycle; it will also include a new setting for disabling file locking (to be used for minify, future locking in the string manager and themes, prevention of file based sessions, etc.). If enough people test it, it might be considered for backporting to MOODLE_22_STABLE.

          Thanks everybody for the cooperation.

          Sam Hemelryk added a comment -

          Thanks all, minify upgrade has now been integrated.

          Jason Fowler added a comment -

          Fix works fine, thanks Petr.

          Sam Hemelryk added a comment -

          Congratulations are in order, you've made it, or at least your code has!
          It's now part of Moodle and both the git and cvs repositories have been updated.

          This issue is being marked as fixed and closed.

          Thank you.


            People

            • Votes: 1
            • Watchers: 3