Bug / feature trackers

In the process of using Mahara, you may come across unexpected behaviour, or maybe you'll think of a cool way in which Mahara could be made better! We keep track of these bugs and feature requests in trackers, so that they are in one place. If you think you have found a bug or want to request a new feature, we encourage you to use the trackers to report them.

Bug reports

The bug tracker lists all bugs reported for Mahara, and allows you to add a bug should you find one. When you report a bug, please include the following information:

  • The version of Mahara you are running, and the version of PHP Mahara is running on.
  • What database and version you are using (e.g. PostgreSQL 8.3 or MySQL 5.1)
  • If you are reporting a crash/nonrecoverable error, any errors in the server error log. This is the error log for the apache virtual host your Mahara is using. Typically this log will be in the directory /var/log/apache2 or similar.
    The error message will typically look like this:

    [Wed Aug 20 18:09:44 2008] [error] [WAR] 4c (lib/dml.php:428) Failed to get a recordset: postgres7 error: [-1: ERROR: column "id" does not exist]
    in EXECUTE("SELECT COUNT(*) FROM "group_member" WHERE "id" = ? AND "role" = ? ")
    [Wed Aug 20 18:09:44 2008] [error] [WAR] 4c (lib/dml.php:428) Command was: SELECT COUNT(*) FROM "group_member" WHERE "id" = ? AND "role" = ? and values was (,admin)
    [Wed Aug 20 18:09:44 2008] [error] Call stack (most recent first):
    [Wed Aug 20 18:09:44 2008] [error] * get_recordset_sql("SELECT COUNT(*) FROM "group_member" WHERE "id" = ...", array(size 2)) at .../mahara/htdocs/lib/dml.php:225
    [Wed Aug 20 18:09:44 2008] [error] * count_records_sql("SELECT COUNT(*) FROM "group_member" WHERE "id" = ...", array(size 2)) at .../mahara/htdocs/lib/dml.php:191
    [Wed Aug 20 18:09:44 2008] [error] * count_records("group_member", "id", object(stdClass), "role", "admin") at .../mahara/htdocs/lib/group.php:52
    [Wed Aug 20 18:09:44 2008] [error] * group_user_can_leave(1, 1) at ..../mahara/htdocs/group/changerole.php:115
    [Wed Aug 20 18:09:44 2008] [error]

Security issue reporting

We do not approve test accounts on mahara.org that are created for the purpose of finding security or other issues.

Please install a local copy of Mahara using the latest code from the Git repository on your own infrastructure to test the software. It is open source and you do not incur any fees for installing it.

For the Mahara team to investigate security reports, the following information is required from the reporter:

  • Description of the security issue including the possible impact if the issue is exploited;
  • The severity of the security issue. We recommend determining the CVSS vector string and score;
  • Full steps required to allow the project team to verify the security issue;
  • Information about how to exploit the security issue;
  • Where is the security issue? What hosts or web pages are affected?
  • Is the security issue in the Mahara application (which version?) or in the Mahara project infrastructure?

We also ask that you verify that security issues found by automated tools are not false positives. For example, reports of 'possible sensitive information in source code' are unlikely to apply to JavaScript files intentionally downloaded by a web browser and stored in our public source code repository.

Please note that the Mahara team can only request a CVE for security issues in the Mahara application itself. Also, the Mahara project is unable to request CWE numbers for security issues.

You can report security bugs in two different ways:

  1. In our bug tracker: If you think (or know) you have found a security bug, please make sure you click "This bug is a security vulnerability" under the "This bug contains information that is" on the bug tracker form.
  2. You can send and email to security@mahara.org.

You will receive a response from a Mahara team member acknowledging receipt of your email, typically within 1 or 2 New Zealand business days. If you do not receive a response, please do not assume we're ignoring you. It's quite possible your email didn't make it through a spam filter.

We appreciate your patience. Some bugs take time to correct and the process may involve a review of the codebase for similar problems. Please do not disclose the vulnerability to anyone before the publication of the official Mahara security advisory.

If you report a security vulnerability which was not yet known to the project team, you will be acknowledged on our site and also a resulting bug report. If appropriate, a CVE number is filed and you are credited with the discovery of the vulnerability. The Mahara project does not run a bug bounty and cannot compensate for time spent.

Feature Requests

The bug tracker is also the right place to place requests for new features for Mahara. Feel free to add a feature request, should you want some new functionality. Note that the Mahara partners are able to implement features for you, should you want them sooner!