[koha-commits] main Koha release repository branch, 3.2.x, updated. v3.02.03-82-gbc60c23

Git repo owner gitmaster at git.koha-community.org
Thu Feb 24 20:27:06 CET 2011


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 3.2.x has been updated
       via  bc60c233601e34a75545ac5767a6a486d8c2c348 (commit)
       via  348546aef192beb8aea09dd7bda60debfe7e1b5f (commit)
       via  49f8964bb29a380fae393d2946dedb567e482802 (commit)
       via  44038d38fd1e72d0fa82e4a135ea58b2028832fa (commit)
       via  799509d90b08a95d0f24293b006f05a658cb4ade (commit)
      from  5294c412c8af4cf52878071076a0b9a54e118bea (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit bc60c233601e34a75545ac5767a6a486d8c2c348
Author: Chris Nighswonger <cnighswonger at foundations.edu>
Date:   Thu Feb 24 09:57:11 2011 -0500

    Security Bugfix: Bug 1953 Adding Placeholders to SQL To Avoid Potential Injection Attacks
    
    This patch addresses both security issues mentioned in the summary of the report
    submitted by Frère Sébastien Marie included below.
    
    ---------------------------
    The problem is here: 'C4/AuthoritiesMarc.pm' in the function 'DelAuthority':
    The argument $authid is included directly (not via statement) in the SQL.
    
    For the exploit of this problem, you can use 'authorities/authorities-home.pl'
    with authid on the URL and op=delete (something like
    "authorities/authorities-home.pl?op=delete&authid=xxx").
    
    This should successfully call DelAuthority, without authentication...
    (DelAuthority is called BEFORE get_template_and_user, so before authentication
    [This should be an issue also...]).
    
    Please note that the problem isn't only that anyone can delete an authority of
    their choice; it is more general: with "authid=1%20or%1=1" (after inclusion the SQL
    will be like: "delete from auth_header where authid=1 or 1=1") you delete all
    authorities; with "authid=1;delete%20from%xxx" it is "delete from auth_header
    where authid=1;delete from xxx" and so delete what you want...
    
    SQL-INJECTION is very permissive: you can redirect the output to a file (with
    some MySQL function), so write the file of your choice on the server, in order
    to create a backdoor, and compromise the server.
    
    Signed-off-by: Frère Sébastien Marie <semarie-koha at latrappe.fr>
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    (cherry picked from commit b0f60221f41041665c4fecacce35654fc8d45a01)
    
    Signed-off-by: Chris Nighswonger <chris.nighswonger at gmail.com>
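The pattern the commit above fixes, shown as an added example that is not Koha's own code: the interpolated DELETE next to the placeholder version, run against a constructed in-memory SQLite copy of auth_header (DBD::SQLite stands in for Koha's MySQL; the sub names, the sample rows and the valid_authid check are assumptions made for this illustration).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed stand-in for Koha's auth_header table: five sample authorities.
sub fresh_db {
    my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                           { RaiseError => 1, PrintError => 0 });
    $dbh->do("CREATE TABLE auth_header (authid INTEGER PRIMARY KEY, authtypecode TEXT)");
    $dbh->do("INSERT INTO auth_header VALUES ($_, 'PERSO_NAME')") for 1 .. 5;
    return $dbh;
}

# Pre-fix pattern: $authid is interpolated into the statement text, so an
# injected "OR 1=1" becomes part of the WHERE clause and matches every row.
sub del_authority_interpolated {
    my ($dbh, $authid) = @_;
    return $dbh->do("DELETE FROM auth_header WHERE authid=$authid");
}

# Fixed pattern (what the commit does): a placeholder keeps $authid as a bound
# value, so the whole string is compared as data and never parsed as SQL.
sub del_authority_placeholder {
    my ($dbh, $authid) = @_;
    my $sth = $dbh->prepare("DELETE FROM auth_header WHERE authid=?");
    return $sth->execute($authid);
}

# Defence in depth for the CGI entry point: authid must be a positive integer
# before it is handed to the database at all.
sub valid_authid {
    my ($authid) = @_;
    return defined $authid && $authid =~ /^[1-9][0-9]*$/;
}

sub remaining { return $_[0]->selectrow_array("SELECT COUNT(*) FROM auth_header") }

my $hostile = "1 OR 1=1";    # constructed value for the authid query parameter

my $dbh = fresh_db();
del_authority_interpolated($dbh, $hostile);
printf "interpolated: %d of 5 rows remain\n", remaining($dbh);

$dbh = fresh_db();
del_authority_placeholder($dbh, $hostile);
printf "placeholder:  %d of 5 rows remain\n", remaining($dbh);

printf "valid_authid(\"%s\"): %s\n", $hostile, valid_authid($hostile) ? "yes" : "no";
```

On MySQL a bound string such as "1 OR 1=1" is coerced to the number 1 in the comparison, so the placeholder alone would still delete authid 1; that is why the integer check on the request parameter belongs in front of the query.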

commit 348546aef192beb8aea09dd7bda60debfe7e1b5f
Author: marcel at libdevelop.rijksmuseum.nl <marcel at libdevelop.rijksmuseum.nl>
Date:   Mon Feb 21 15:40:44 2011 +0100

    2742: Wrong language name in the preferences
    
    Follow up patch. Improvement suggested by Belgian translators (Hans Supply).
    
    Signed-off-by: Frédéric Demians <f.demians at tamil.fr>
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    (cherry picked from commit fc1b7201c55d00d6c43a0ecc04bee09cd0e0bde7)
    
    Signed-off-by: Chris Nighswonger <chris.nighswonger at gmail.com>

commit 49f8964bb29a380fae393d2946dedb567e482802
Author: Owen Leonard <oleonard at myacpl.org>
Date:   Fri Feb 11 22:22:16 2011 -0500

    Partial fix for Bug 5745, Overdues with fines report not showing titles
    
    - Adding title, subtitle, and author to output
    - Reworking display of shelving location selection
    
    Patch does not address the contents of 'overdue status' and 'notified by'
    
    Signed-off-by: Nicole Engard <nengard at bywatersolutions.com>
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    (cherry picked from commit 50c0ae09a12e10b851022d6b3fe18aa0b345a98b)
    
    Signed-off-by: Chris Nighswonger <chris.nighswonger at gmail.com>

commit 44038d38fd1e72d0fa82e4a135ea58b2028832fa
Author: Paul Poulain <paul.poulain at biblibre.com>
Date:   Tue Feb 15 13:52:35 2011 +1300

    Bug 5759 : displaying 2nd email if there is one on print template for borrowers
    
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    (cherry picked from commit 2f9bebf802530ad1a96fe5bb5ced1b8ef02ba46f)
    
    Signed-off-by: Chris Nighswonger <chris.nighswonger at gmail.com>

commit 799509d90b08a95d0f24293b006f05a658cb4ade
Author: Owen Leonard <oleonard at myacpl.org>
Date:   Thu Feb 17 13:32:32 2011 -0500

    Fix for Bug 5769 - notice tab disappearing on edit patron
    
    Signed-off-by: Nicole Engard <nengard at bywatersolutions.com>
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    (cherry picked from commit ed2b583eb10cb81c26c43714572bbb2c85d5797c)
    
    Signed-off-by: Chris Nighswonger <chris.nighswonger at gmail.com>

-----------------------------------------------------------------------

Summary of changes:
 C4/AuthoritiesMarc.pm                              |    4 +-
 C4/Overdues.pm                                     |    2 +
 authorities/authorities-home.pl                    |    5 +---
 circ/branchoverdues.pl                             |    9 ++++++-
 .../prog/en/includes/members-menu.inc              |   10 +++---
 koha-tmpl/intranet-tmpl/prog/en/modules/about.tmpl |    4 +-
 .../prog/en/modules/circ/branchoverdues.tmpl       |   27 +++++--------------
 .../prog/en/modules/members/moremember-print.tmpl  |    3 +-
 8 files changed, 29 insertions(+), 35 deletions(-)


hooks/post-receive
-- 
main Koha release repository