[Bug 10657] New: placeholder bug -- Galen will be filling this in shortly
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10657 Bug ID: 10657 Summary: placeholder bug -- Galen will be filling this in shortly Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: gmcharlt@gmail.com Reporter: gmcharlt@gmail.com QA Contact: testopia@bugs.koha-community.org placeholder -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10657 Robin Sheat <robin@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |robin@catalyst.net.nz -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10657 Galen Charlton <gmcharlt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED Patch complexity|--- |Small patch Severity|enhancement |blocker --- Comment #1 from Galen Charlton <gmcharlt@gmail.com> --- When EnableOpacSearchHistory system preference is enabled, Koha stores recent search history for anonymous OPAC sessions in a cookie called KohaOpacRecentSearches. In particular, it used to use the Storable Perl module to serialize the array of hashrefs representing the recent searches. However, the documentation for Storable strongly recommends [1] that data to be deserialized *not* come from untrusted sources -- and cookies cannot be considered trustworthy, as most web browsers (to say nothing of curl) allow the user to modify them. There is a theoretical possibility that a modification to the KohaOpacRecentSearches cookie could result in the execution of unauthorized code with the privileges of the Apache backend process. The 29 July 2013 security update resolves the security issuing by replacing use of the Storable module with the JSON, which doesn't by default serialize blessed references and does not attempt to deserialize and execute coderefs. The payload of the cookie is checked for JSON-correctness and is ignored if it doesn't contain a valid (double-URI-encoded) JSON object. In particularly, any old Storable-based cookies are silently ignored. [1] http://perldoc.perl.org/Storable.html#SECURITY-WARNING -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10657 Galen Charlton <gmcharlt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|placeholder bug -- Galen |use of Storable for OPAC |will be filling this in |search history cookie |shortly |dangerous -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10657 Galen Charlton <gmcharlt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10657 Galen Charlton <gmcharlt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10657 Galen Charlton <gmcharlt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10657 Galen Charlton <gmcharlt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to Master -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10657 --- Comment #2 from Galen Charlton <gmcharlt@gmail.com> --- Fix released: http://koha-community.org/security-release-july-2013/ -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10657 Galen Charlton <gmcharlt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |10338 -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org