[koha-commits] main Koha release repository branch master updated. v16.05.00-512-g23a4b31
Git repo owner
gitmaster at git.koha-community.org
Thu Aug 18 17:51:50 CEST 2016
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, master has been updated
via 23a4b3163128592a464d910d94942087da7990f9 (commit)
via 0316fc730907c66cdab8e5ee5530a39dcbc4d6fd (commit)
via fcf38896bd738767c3a9c4c1e8909a199f480a30 (commit)
via 13a61279523b35370f7b3adeb0f47ad30bfa937d (commit)
from 84812129c979557cd2232c3a8b5b0f01c368a634 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 23a4b3163128592a464d910d94942087da7990f9
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date: Fri Aug 12 09:15:01 2016 +0200
Bug 17097: [QA Follow-up] Exit after redirect
Adds one exit statement, and some whitespace.
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Verified deleting a patron again.
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
commit 0316fc730907c66cdab8e5ee5530a39dcbc4d6fd
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Wed Aug 10 12:18:04 2016 +0100
Bug 17097: here the var is 'member', not 'borrowernumber'
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
commit fcf38896bd738767c3a9c4c1e8909a199f480a30
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Tue Aug 9 22:29:25 2016 +0100
Bug 17097: Fix CSRF in deletemem.pl
If an attacker can get an authenticated Koha user to visit their page
with the URL below, they can delete a patron's details.
/members/deletemem.pl?member=42
Test plan:
0/ Do not apply any patches
1/ Adapt and hit the url above
=> The patron will be deleted without confirmation
2/ Apply first patch
3/ Hit the url
=> you will get a confirmation page
4/ Hit /members/deletemem.pl?member=42&delete_confirmed=1
=> The patron will be deleted without confirmation
5/ Apply the second patch (this one)
6/ Hit /members/deletemem.pl?member=42&delete_confirmed=1
=> you will get a crash "Wrong CSRF token" (no need to stylish)
7/ Delete a patron from the detail page and confirm the deletion
=> you will be redirected to the patron module home page and the patron
has been deleted
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
commit 13a61279523b35370f7b3adeb0f47ad30bfa937d
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Tue Aug 9 22:18:14 2016 +0100
Bug 17097: Add a confirmation page when deleting a patron
It won't hurt to have a confirmation page when deleting a patron.
Moreover, it's the easier way to protect against CSRF attacks :)
Test plan:
Make sure you get a confirmation page when deleting a patron
Confirm that approving or denying the confirmation works as expected
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
-----------------------------------------------------------------------
Summary of changes:
.../prog/en/includes/members-toolbar.inc | 10 +----
.../prog/en/modules/members/deletemem.tt | 15 ++++++++
members/deletemem.pl | 40 ++++++++++++++------
3 files changed, 45 insertions(+), 20 deletions(-)
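To show the shape of the deletemem.pl fix described in the log above, here is an added sketch in Perl; it is not Koha's code or the Koha::Token API. The session id, server secret and redirect path are constructed placeholders.

```perl
#!/usr/bin/perl
# Added illustration of the Bug 17097 pattern (not Koha's own code).
# Assumed inputs: $session_id from the authenticated session and a
# server-side $secret; both are placeholders here, not Koha values.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# A token bound to the session: a third-party page that lures the user to
# /members/deletemem.pl?member=42&delete_confirmed=1 cannot read it.
sub generate_csrf {
    my ($session_id, $secret) = @_;
    return hmac_sha256_hex($session_id, $secret);
}

sub check_csrf {
    my ($session_id, $secret, $token) = @_;
    return 0 unless defined $token;
    my $expected = generate_csrf($session_id, $secret);
    return 0 unless length($token) == length($expected);
    # Constant-time comparison so the check does not leak the token.
    my $diff = 0;
    $diff |= ord(substr($token, $_, 1)) ^ ord(substr($expected, $_, 1))
        for 0 .. length($expected) - 1;
    return $diff == 0;
}

# Before the fix, any GET with ?member=42 deleted the patron outright.
# After it, the first request only renders a confirmation page carrying a
# fresh token, and the confirmed request must present that token back.
sub handle_delete {
    my ($params, $session_id, $secret) = @_;
    my $member = $params->{member};
    if ( !$params->{delete_confirmed} ) {
        return { action     => 'confirm',
                 member     => $member,
                 csrf_token => generate_csrf($session_id, $secret) };
    }
    die "Wrong CSRF token"
        unless check_csrf($session_id, $secret, $params->{csrf_token});
    # ... delete patron $member here ...
    # In a CGI script: print the redirect, then `exit` so no code after
    # the redirect keeps running (the "Exit after redirect" follow-up).
    return { action => 'redirect', location => '/members/home' };  # assumed path
}

1;
```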
hooks/post-receive
--
main Koha release repository