[Bug 6629] New: [security] insecure use of Cookie for language selection
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Bug #: 6629 Summary: [security] insecure use of Cookie for language selection Classification: Unclassified Change sponsored?: --- Product: Koha Version: unspecified Platform: All OS/Version: All Status: NEW Severity: critical Priority: P5 Component: Architecture, internals, and plumbing AssignedTo: gmcharlt@gmail.com ReportedBy: semarie-koha@latrappe.fr QAContact: koha-bugs@lists.koha-community.org CWE-73: External Control of File Name or Path (see http://cwe.mitre.org/data/definitions/73.html) In C4/Templates.pm, in the function themelanguage, the user language is obtain from a cookie 'KohaOpacLanguage', and use 'as-it' in the path's construction for the template filename. In the next piece of code, $la is 'KohaOpacLanguage' cookie value:
# searches through the themes and languages. First template it find it returns. # Priority is for getting the theme right. THEME: foreach my $th (@themes) { foreach my $la (@languages) { if ( -e "$htdocs/$th/$la/modules/$tmpl" ) { $theme = $th; $lang = $la; last THEME; } last unless $la =~ /[-_]/; } }
In opac/opac-main.pl, same: if cookie 'KohaOpacLanguage' exists, it used. Here, the page also used HTTP_ACCEPT_LANGUAGE sanitized with regex. In koha/installer/install.pl and koha/installer/InstallAuth.pm the cookie is also used (but need verification if it used in manner that permit exploit). As the cookie could be forged (user input), and contains any characters, it could embed '../' for path-traversable. The exploitation of this problem is mitigated by the fact that the perl function '-e' seems to be resultant to '\0' inclusion (in order to strip all strings after the variable). Suggestions: - A regex sanitization should be used, or, should used C4::Output::getlanguagecookie function, which take only the first two characters (I will prefer a regex like /^[a-zA-Z]*$/ ) - An unified method should be used: a function somewhere (C4:Templates ?) that return a list of possible languages: - first element: cookie value sanitized (if exist) - next sanitized list of ENV{HTTP_ACCEPT_LANGUAGE} - next 'en' -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Frère Sébastien Marie <semarie-koha@latrappe.fr> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - low |P1 - high --- Comment #1 from Frère Sébastien Marie <semarie-koha@latrappe.fr> 2011-11-25 05:34:31 UTC --- An exploit have been published here: http://1337day.com/exploits/17246 It seems it exploit this vulnerability: so I increase the priority. -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 --- Comment #2 from Frère Sébastien Marie <semarie-koha@latrappe.fr> 2011-11-25 05:35:18 UTC --- *** Bug 7265 has been marked as a duplicate of this bug. *** -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 --- Comment #3 from Frère Sébastien Marie <semarie-koha@latrappe.fr> 2011-11-25 05:51:57 UTC --- Created attachment 6398 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=6398 quick patch it is quick patch (not git, sorry: no time now) -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #6398|0 |1 is obsolete| | --- Comment #4 from Chris Cormack <chris@bigballofwax.co.nz> 2011-11-25 06:15:59 UTC --- Created attachment 6399 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=6399 Bug 6629 : Sanitizing input from language cookie I dont think we can use only 2 digits, some languages is much longer zh-hans-TW for example But the regex should stop it bening able handle nasty chars, whitelisting safe ones instead -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P1 - high |PATCH-Sent CC| |chris@bigballofwax.co.nz Patch Status|--- |Needs Signoff -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #6399|0 |1 is obsolete| | --- Comment #5 from Chris Cormack <chris@bigballofwax.co.nz> 2011-11-25 06:33:54 UTC --- Created attachment 6400 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=6400 Bug 6629 : Sanitizing input from language cookie I dont think we can use only 2 digits, some languages is much longer zh-hans-TW for example But the regex should stop it bening able handle nasty chars, whitelisting safe ones instead -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #6400|0 |1 is obsolete| | --- Comment #6 from Chris Cormack <chris@bigballofwax.co.nz> 2011-11-25 06:38:49 UTC --- Created attachment 6401 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=6401 Bug 6629 : Sanitizing input from language cookie I dont think we can use only 2 digits, some languages is much longer zh-hans-TW for example But the regex should stop it bening able handle nasty chars, whitelisting safe ones instead -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #6401|0 |1 is obsolete| | --- Comment #7 from Chris Cormack <chris@bigballofwax.co.nz> 2011-11-25 06:42:00 UTC --- Created attachment 6402 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=6402 Bug 6629 : Sanitizing input from language cookie I dont think we can use only 2 digits, some languages is much longer zh-hans-TW for example But the regex should stop it bening able handle nasty chars, whitelisting safe ones instead -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #6402|0 |1 is obsolete| | --- Comment #8 from Katrin Fischer <katrin.fischer@bsz-bw.de> 2011-11-25 07:10:10 UTC --- Created attachment 6403 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=6403 Bug 6629 : Sanitizing input from language cookie I dont think we can use only 2 digits, some languages is much longer zh-hans-TW for example But the regex should stop it bening able handle nasty chars, whitelisting safe ones instead Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> I checked the patch doesn't break language switching and language selection. -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |katrin.fischer@bsz-bw.de Patch Status|Needs Signoff |Signed Off -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 --- Comment #9 from Frère Sébastien Marie <semarie-koha@latrappe.fr> 2011-11-25 07:16:06 UTC --- about the patch (6403): - I think we should also remove (or sanitize) $ENV{ HTTP_ACCEPT_LANGUAGE }, as is it a user controlled string also. - the regexp is not accurate (I think): use s/[^a-zA-Z_-]*//g instead of s/[^a-zA-Z_-]*// -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 --- Comment #10 from Frère Sébastien Marie <semarie-koha@latrappe.fr> 2011-11-25 07:36:52 UTC --- In order to check the patch against the vulnerability, here a little poc using curl (a shell tool):
curl -v -b 'KohaOpacLanguage=../../../../../../../../etc/passwd%00' 'http://myopac.example.com/cgi-bin/koha/opac-main.pl'
A vulnerable result show the /etc/passwd file A non vulnerable result show 'opac-main' in the default Language (en). The test suppose a linux/BSD server. -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 --- Comment #11 from Chris Cormack <chris@bigballofwax.co.nz> 2011-11-25 07:39:20 UTC --- Created attachment 6404 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=6404 [3.4.x] Bug 6629 fix for vulnerability -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 --- Comment #12 from Chris Cormack <chris@bigballofwax.co.nz> 2011-11-25 07:41:51 UTC --- Yes the patch for master does sanitize HTTP_ACCEPT_LANGUAGE because the sanitize is done in getlanguagecookie, ill update the 3.4.x to do that also -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 --- Comment #13 from Chris Cormack <chris@bigballofwax.co.nz> 2011-11-25 07:44:12 UTC --- Created attachment 6405 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=6405 [3.2.x] Bug 6629 vulnerability fix -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #6404|0 |1 is obsolete| | --- Comment #14 from Chris Cormack <chris@bigballofwax.co.nz> 2011-11-25 07:50:12 UTC --- Created attachment 6406 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=6406 [3.4.x] Bug 6629 fix for vulnerability -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 --- Comment #15 from Chris Cormack <chris@bigballofwax.co.nz> 2011-11-25 08:42:18 UTC --- It turns out, master is not vulnerable, nor is the 3.6.x branch, but the patch should be applied anyway. Its a more elegant solution to checking the cookie. But 3.2.x and 3.4.x are vulnerable -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Paul Poulain <paul.poulain@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED CC| |paul.poulain@biblibre.com Version|unspecified |rel_3_6 Patch Status|Signed Off |Patch Pushed --- Comment #16 from Paul Poulain <paul.poulain@biblibre.com> 2011-11-25 10:05:47 UTC --- QA comment: nothing to say. Critical security issue, dealing with it without any delay Patch pushed, please test & apply on 3.2/3.4 as well -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Fridolyn SOMERS <fridolyn.somers@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fridolyn.somers@gmail.com --- Comment #17 from Fridolyn SOMERS <fridolyn.somers@gmail.com> 2011-11-25 12:10:46 UTC --- (In reply to comment #9)
- the regexp is not accurate (I think): use s/[^a-zA-Z_-]*//g instead of s/[^a-zA-Z_-]*//
I agree : $lang =~ s/[^a-zA-Z_-]*//; It replaces only first occurence of pattern. So it will clean heading special characters but not within or after. Global matching : $lang =~ s/[^a-zA-Z_-]//g; There every special character is removed. Thanks for your work. Best regards. -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 --- Comment #18 from Chris Cormack <chris@bigballofwax.co.nz> 2011-11-25 18:16:25 UTC --- The patch as its stands prevents file traversal, you could only read a file in the current dir with it, but yes you are right g is better. It turns out master and 3.6 are not vulnerable anyway, as if the value of $lang does not match a valid lanuage, it is made undef. So I will do new patches for 3.2.x and 3.4.x So to be clear on 3.4.6 and lower are vulnerable. 3.6.0 and master are not. -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #6406|0 |1 is obsolete| | --- Comment #19 from Chris Cormack <chris@bigballofwax.co.nz> 2011-11-25 18:18:47 UTC --- Created attachment 6411 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=6411 [3.4.x] Bug 6629 fix for vulnerability -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #6405|0 |1 is obsolete| | --- Comment #20 from Chris Cormack <chris@bigballofwax.co.nz> 2011-11-25 18:20:43 UTC --- Created attachment 6412 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=6412 [3.2.x] Bug 6629 vulnerability fix -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Robin Sheat <robin@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |robin@catalyst.net.nz -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #6403|0 |1 is obsolete| | --- Comment #21 from Chris Cormack <chris@bigballofwax.co.nz> 2011-11-27 08:19:43 UTC --- Created attachment 6422 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=6422 Bug 6629 : Follow up to trap vuln in webinstaller and fixing the error -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch Status|Patch Pushed |Needs Signoff -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 --- Comment #22 from Frère Sébastien Marie <semarie-koha@latrappe.fr> 2011-11-27 08:26:35 UTC --- When I check versus git, the following patchs are applied: - master (not vulnerable) : patch applied - 3.6.x (not vulnerable) : patch not found - 3.4.x *vulnerable* : patch not found - 3.2.x *vulnerable* : patch not found Could you push patch for vulnerables versions too ? As an exploit was published, and the problem quickly corrected, it is not very good to have patch not pushed quickly too for vulnerable versions. Thanks -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #6422|0 |1 is obsolete| | --- Comment #23 from Katrin Fischer <katrin.fischer@bsz-bw.de> 2011-11-27 08:27:05 UTC --- Created attachment 6423 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=6423 Bug 6629 : Follow up to trap vuln in webinstaller and fixing the error Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> Patch fixes problem occuring in web installer. -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch Status|Needs Signoff |Signed Off -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #6423|0 |1 is obsolete| | --- Comment #24 from Katrin Fischer <katrin.fischer@bsz-bw.de> 2011-11-27 08:28:25 UTC --- Created attachment 6424 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=6424 [SIGNED-OFF] Bug 6629 : Follow up to trap vuln in webinstaller and fixing the error Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> Patch fixes problem occuring in web installer. -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 --- Comment #25 from Chris Cormack <chris@bigballofwax.co.nz> 2011-11-27 08:31:30 UTC --- Frère Sébastien Marie 3.2.x is end of life, so that patch won't be pushed. As soon as Chris Nighswonger is back I am sure he will push the 3.4.x one. And 3.4.7 will be released very soon including the fix. -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 --- Comment #26 from Frère Sébastien Marie <semarie-koha@latrappe.fr> 2011-11-27 08:47:10 UTC --- In installer, there are another script that use cookie directly: installer/install.pl on line 268 and 231. On line 267-268:
my $langchoice = $query->param('fwklanguage'); $langchoice = $query->cookie('KohaOpacLanguage') unless ($langchoice);
(fwklanguage is also used without sanitization). On line 230-231, it is a duplicated code of previous, but I don't not if it is possible to exploit here (language not used for template inclusion). -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 --- Comment #27 from Chris Cormack <chris@bigballofwax.co.nz> 2011-11-27 08:55:16 UTC --- Havent been able to exploit it, but doesn't hurt to sanitise it anyway. -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 --- Comment #28 from Chris Cormack <chris@bigballofwax.co.nz> 2011-11-27 08:59:02 UTC --- Created attachment 6427 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=6427 Bug 6629 : Follow up, sanitising in a couple more places -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #6427|0 |1 is obsolete| | --- Comment #29 from Chris Cormack <chris@bigballofwax.co.nz> 2011-11-27 09:01:26 UTC --- Created attachment 6428 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=6428 Bug 6629 : Follow up, sanitising in a couple more places -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch Status|Signed Off |Needs Signoff -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Jared Camins-Esakov <jcamins@cpbibliography.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #6428|0 |1 is obsolete| | --- Comment #30 from Jared Camins-Esakov <jcamins@cpbibliography.com> 2011-11-27 15:06:44 UTC --- Created attachment 6432 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=6432 Bug 6629 : Follow up, sanitising in a couple more places Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com> -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Jared Camins-Esakov <jcamins@cpbibliography.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jcamins@cpbibliography.com Patch Status|Needs Signoff |Signed Off --- Comment #31 from Jared Camins-Esakov <jcamins@cpbibliography.com> 2011-11-27 15:08:32 UTC --- I can also confirm the patch fixing the error in the webinstaller works as advertised. I didn't manage to attach my sign off to the bug, but Katrin already did that so it doesn't matter. -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Paul Poulain <paul.poulain@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch Status|Signed Off |Patch Pushed --- Comment #32 from Paul Poulain <paul.poulain@biblibre.com> 2011-11-28 08:47:17 UTC --- The two follow-up have been pushed on master (attachments 6624 and 6432) Please test again -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Chris Nighswonger <cnighswonger@foundations.edu> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |cnighswonger@foundations.ed | |u --- Comment #33 from Chris Nighswonger <cnighswonger@foundations.edu> 2011-12-04 02:39:08 UTC --- Patches also pushed to 3.2.x and 3.4.x and 3.6.x. -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 Frère Sébastien Marie <semarie-koha@latrappe.fr> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org