From 79eca380f6cdb14b418475fa8872662fa46efad8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9gis=20Behmo?= Date: Fri, 3 Jun 2022 14:58:32 +0200 Subject: [PATCH 1/4] security: apply logout redirect security patch --- CHANGELOG.md | 1 + tutor/templates/build/openedx/Dockerfile | 3 +++ 2 files changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8d57dc9..4170d26 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ Every user-facing change should have an entry in this changelog. Please respect ## Unreleased +- [Security] Apply logout redirect url security fix. (by @regisb) - [Feature] Make it possible to force the rendering of a given template, even when the template path matches an ignore pattern. (by @regisb) - 💥[Fix] Get rid of the `tutor config render` command, which is useless now that themes can be implemented as plugins. (by @regisb) diff --git a/tutor/templates/build/openedx/Dockerfile b/tutor/templates/build/openedx/Dockerfile index f19cfaa..906ca70 100644 --- a/tutor/templates/build/openedx/Dockerfile +++ b/tutor/templates/build/openedx/Dockerfile @@ -56,6 +56,9 @@ RUN git fetch --depth=2 https://github.com/overhangio/edx-platform/ 3b985f207853 # Rate limiting security fix # https://github.com/overhangio/edx-platform/tree/overhangio/sec-rate-limiting RUN git fetch --depth=2 https://github.com/overhangio/edx-platform/ b5723e416e628cac4fa84392ca13e1b72817674f && git cherry-pick b5723e416e628cac4fa84392ca13e1b72817674f +# Logout redirect security fix +# https://github.com/overhangio/edx-platform/tree/overhangio/sec-fix-logout-redirect-vulnerability +RUN git fetch --depth=2 https://github.com/overhangio/edx-platform/ 08d8504224e3a3e728a0f264749e1b585e21b871 && git cherry-pick 08d8504224e3a3e728a0f264749e1b585e21b871 {%- endif %} {# Example: RUN git fetch --depth=2 https://github.com/openedx/edx-platform && git cherry-pick #} From f9b42280337be937fe080b7918b42f759a4c4010 Mon Sep 17 00:00:00 2001 
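Review bot: The added `RUN git fetch … && git cherry-pick …` line sits inside a Jinja `{% if %}` block whose opening condition is outside this hunk (only `{%- endif %}` is visible), so any build for which that condition is false silently ships without the logout redirect fix, and nothing in the Dockerfile says so. Extend the new comment to make the scope explicit, e.g. `# Logout redirect security fix (only applied when the enclosing {% if %} holds; builds that skip this block do not get it)`. Pinning the commit by its full hash rather than by the branch named in the comment is the right shape, since the branch can move while the hash cannot. The comment would also help operators more if it linked the upstream advisory or edx-platform pull request this cherry-pick mirrors rather than only the fork branch; if such a reference exists it belongs here, otherwise leave a `# upstream ref: <TBD>` placeholder for the maintainer to fill in.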
From: =?UTF-8?q?R=C3=A9gis=20Behmo?= Date: Fri, 3 Jun 2022 15:00:03 +0200 Subject: [PATCH 2/4] v13.3.0 (2022-06-03) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - [Security] Apply logout redirect url security fix. (by @regisb) - [Feature] Make it possible to force the rendering of a given template, even when the template path matches an ignore pattern. (by @regisb) - 💥[Fix] Get rid of the `tutor config render` command, which is useless now that themes can be implemented as plugins. (by @regisb) --- CHANGELOG.md | 2 ++ tutor/__about__.py | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4170d26..9fd5f66 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,8 @@ Every user-facing change should have an entry in this changelog. Please respect ## Unreleased +## v13.3.0 (2022-06-03) + - [Security] Apply logout redirect url security fix. (by @regisb) - [Feature] Make it possible to force the rendering of a given template, even when the template path matches an ignore pattern. (by @regisb) - 💥[Fix] Get rid of the `tutor config render` command, which is useless now that themes can be implemented as plugins. (by @regisb) diff --git a/tutor/__about__.py b/tutor/__about__.py index 36f9d66..99609b3 100644 --- a/tutor/__about__.py +++ b/tutor/__about__.py @@ -2,7 +2,7 @@ import os # Increment this version number to trigger a new release. See # docs/tutor.html#versioning for information on the versioning scheme. -__version__ = "13.2.3" +__version__ = "13.3.0" # The version suffix will be appended to the actual version, separated by a # dash. Use this suffix to differentiate between the actual released version and From 322a9e6b48d1fbd777211464eb6c5dbeb0ebc65d Mon Sep 17 00:00:00 2001 
From: Crist Ye Date: Mon, 23 May 2022 22:46:12 +0800 Subject: [PATCH 3/4] docs: complete uninstalling of tutor MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit I noticed `pip uninstall -y tutor` will not uninstall the plugins, so I made this PR. I know it's ugly, but I don't find any other way of doing it. Let me know if there are better choices 😊 --- docs/install.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/install.rst b/docs/install.rst index f51e417..01253ff 100644 --- a/docs/install.rst +++ b/docs/install.rst @@ -167,3 +167,9 @@ Finally, uninstall Tutor itself:: # If you downloaded the tutor binary sudo rm /usr/local/bin/tutor + + # Optionally, you may want to remove Tutor plugins installed. + # You can get a list of the installed plugins: + pip freeze | grep tutor + # You can then remove them using the following command: + pip uninstall From f6b78265200a3d3ca42062ab3051841fe5410809 Mon Sep 17 00:00:00 2001 From: Alejandro Cardenas Date: Fri, 3 Jun 2022 15:15:51 -0500 Subject: [PATCH 4/4] fix: change studio url in IDA_LOGOUT_URI_LIST fix: remove FRONTEND_LOGOUT_URL to use the default docs: update CHANGELOG --- CHANGELOG.md | 2 ++ tutor/templates/apps/openedx/settings/lms/development.py | 2 +- tutor/templates/apps/openedx/settings/lms/production.py | 2 +- tutor/templates/apps/openedx/settings/partials/common_cms.py | 1 - 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9fd5f66..95e033a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,8 @@ Every user-facing change should have an entry in this changelog. Please respect ## Unreleased +- [Fix] Fix studio logout issue. (by @Alec4r) [PR #680](https://github.com/overhangio/tutor/pull/680) + ## v13.3.0 (2022-06-03) - [Security] Apply logout redirect url security fix. (by @regisb) 
diff --git a/tutor/templates/apps/openedx/settings/lms/development.py b/tutor/templates/apps/openedx/settings/lms/development.py index 4e0cb92..e30aabb 100644 --- a/tutor/templates/apps/openedx/settings/lms/development.py +++ b/tutor/templates/apps/openedx/settings/lms/development.py @@ -22,7 +22,7 @@ CSRF_COOKIE_SECURE = False SESSION_COOKIE_SAMESITE = "Lax" # CMS authentication -IDA_LOGOUT_URI_LIST.append("http://{{ CMS_HOST }}:8001/complete/logout") +IDA_LOGOUT_URI_LIST.append("http://{{ CMS_HOST }}:8001/logout/") FEATURES['ENABLE_COURSEWARE_MICROFRONTEND'] = False diff --git a/tutor/templates/apps/openedx/settings/lms/production.py b/tutor/templates/apps/openedx/settings/lms/production.py index 6ec8c3c..b859b5f 100644 --- a/tutor/templates/apps/openedx/settings/lms/production.py +++ b/tutor/templates/apps/openedx/settings/lms/production.py @@ -24,7 +24,7 @@ SESSION_COOKIE_SAMESITE = "Lax" {% endif %} # CMS authentication -IDA_LOGOUT_URI_LIST.append("{% if ENABLE_HTTPS %}https{% else %}http{% endif %}://{{ CMS_HOST }}/complete/logout") +IDA_LOGOUT_URI_LIST.append("{% if ENABLE_HTTPS %}https{% else %}http{% endif %}://{{ CMS_HOST }}/logout/") # Required to display all courses on start page SEARCH_SKIP_ENROLLMENT_START_DATE_FILTERING = True diff --git a/tutor/templates/apps/openedx/settings/partials/common_cms.py b/tutor/templates/apps/openedx/settings/partials/common_cms.py index 945052f..d609345 100644 --- a/tutor/templates/apps/openedx/settings/partials/common_cms.py +++ b/tutor/templates/apps/openedx/settings/partials/common_cms.py @@ -13,7 +13,6 @@ SESSION_COOKIE_NAME = "studio_session_id" MAX_ASSET_UPLOAD_FILE_SIZE_IN_MB = 100 FRONTEND_LOGIN_URL = LMS_ROOT_URL + '/login' -FRONTEND_LOGOUT_URL = LMS_ROOT_URL + '/logout' FRONTEND_REGISTER_URL = LMS_ROOT_URL + '/register' # Create folders if necessary
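Review bot: The `# CMS authentication` comment above the changed `IDA_LOGOUT_URI_LIST.append(...)` line does not say why the Studio entry moved from `/complete/logout` to `/logout/`, and the production.py hunk below makes the identical change with the same silence, so the reason is lost in both files. Extend the comment in both to something like `# Studio logout endpoint; must match the CMS URL exactly (trailing slash included) — see PR #680.` The two hunks also leave the URI as two hand-maintained copies that differ only in scheme and port, which is how the two drifted into needing a joint fix; a single templated value would stop that, though I cannot see from this diff whether the settings templates already expose one. The logout redirect security fix applied in PATCH 1/4 may constrain which URLs the LMS will redirect to after logout; it is worth confirming that the new `/logout/` entries are compatible with that check before release, since this diff does not show it.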
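Review bot: Removing `FRONTEND_LOGOUT_URL = LMS_ROOT_URL + '/logout'` leaves `FRONTEND_LOGIN_URL` and `FRONTEND_REGISTER_URL` explicitly set with no trace of why the logout counterpart is absent, which invites a later maintainer to "complete" the trio and reintroduce the Studio logout problem this commit fixes. Add a one-line comment where the setting used to be: `# FRONTEND_LOGOUT_URL is deliberately left at the platform default; overriding it broke Studio logout (PR #680).` The commit message already states that the default is wanted; keeping that intent next to the code is what prevents the regression.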