[koha-commits] main Koha release repository branch 3.8.x updated. v3.08.05-49-g1f2b8c7
Git repo owner
gitmaster at git.koha-community.org
Mon Oct 22 06:00:15 CEST 2012
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, 3.8.x has been updated
via 1f2b8c706a087ced6482ccd2ae4485d0a16bd24f (commit)
via c69a364e4b1ceb34ba837bc4441a95db89491e7c (commit)
via 94d3e6e713a6550004ead6f95953586ab814f982 (commit)
from e7b91d6a823401f73d4ef69ae80e045031995dfc (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 1f2b8c706a087ced6482ccd2ae4485d0a16bd24f
Author: Chris Hall <chrish at catalyst.net.nz>
Date: Wed Oct 17 14:32:19 2012 +1300
bug 3652 fixing XSS vulnerabilities in opac-search
Signed-off-by: Mason James <mtj at kohaaloha.com>
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
commit c69a364e4b1ceb34ba837bc4441a95db89491e7c
Author: Jared Camins-Esakov <jcamins at cpbibliography.com>
Date: Mon Oct 15 11:58:30 2012 -0400
Bug 3652: close XSS vulnerabilities in opac-export
The opac-export.pl script had a number of XSS vulnerabilities relating
to its error handling.
To test:
1) Go to /cgi-bin/koha/opac-export.pl?op=export&bib=2&format=<h2>evil</h2>
(substituting a valid biblionumber for the '2')
2) Notice that "evil" is rendered as an h2 heading.
3) Apply patch.
4) Notice that you now see the h2 tags, and they are not rendered by
the browser.
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
commit 94d3e6e713a6550004ead6f95953586ab814f982
Author: Jared Camins-Esakov <jcamins at cpbibliography.com>
Date: Mon Oct 15 11:45:38 2012 -0400
Bug 3652: close XSS vulnerabilities on biblionumber and authid
Previously we did not sanitize biblionumber and authids passed in by
the user.
To test:
1) Go to /cgi-bin/koha/opac-detail.pl?biblionumber=2hi (substituting a
valid biblionumber for the 2).
2) Notice the presence of "2hi" on this page, and also on the ISBD and
MARC views.
3) Go to /cgi-bin/koha/opac-authoritiesdetail.pl?authid=2bye
(substituting a valid authid for the 2).
4) Notice the presence of "2bye" on this page.
5) Apply patch.
6) Notice that "2hi" and "2bye" strings are gone.
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
-----------------------------------------------------------------------
Summary of changes:
.../prog/en/modules/opac-results-grouped.tt | 2 +-
.../opac-tmpl/prog/en/modules/opac-results.tt | 2 +-
opac/opac-ISBDdetail.pl | 3 ++-
opac/opac-MARCdetail.pl | 3 ++-
opac/opac-authoritiesdetail.pl | 2 +-
opac/opac-detail.pl | 1 +
opac/opac-export.pl | 11 ++++++++++-
opac/opac-showmarc.pl | 1 +
8 files changed, 19 insertions(+), 6 deletions(-)
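The two commit messages above describe the same defensive idea from two angles: a record identifier (biblionumber, authid) should never be echoed unless it is a plain integer, and a free-form parameter (the export format) that must be shown back in an error message has to be HTML-escaped first. The snippet below is an added illustration of those two patterns and is not Koha's code; the diffstat only lists the files touched, so the project's actual fix lines are not on this page. The function names `clean_record_id` and `format_error_html` and the sample inputs are constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not from the Koha patches): two input-handling patterns that
# close the bug classes described in the commit messages above.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Pattern 1: a record id such as biblionumber or authid must be a bare
# non-negative integer. Anything else ("2hi", "2bye", markup) is rejected
# before it can reach a template or a query. Returns the normalised
# number, or undef when the value is unusable.
sub clean_record_id {
    my ($raw) = @_;
    return undef unless defined $raw;
    return undef unless $raw =~ /\A[0-9]+\z/;
    return $raw + 0;    # numeric context strips nothing but guarantees a plain integer
}

# Pattern 2: when a free-form parameter (here an unknown export format) has to
# be shown back to the user in an error message, escape it so that
# "<h2>evil</h2>" is displayed literally instead of being rendered as a heading.
sub format_error_html {
    my ($format) = @_;
    my $safe = encode_entities($format // '');    # escapes < > & " ' and non-ASCII
    return qq{<p class="error">Unsupported export format: $safe</p>};
}

# Constructed sample inputs mirroring the test steps in the commit messages.
for my $id ('2', '2hi', '2bye', '') {
    my $clean = clean_record_id($id);
    printf "%-7s -> %s\n", "'$id'", defined $clean ? "accepted ($clean)" : 'rejected';
}
print format_error_html('<h2>evil</h2>'), "\n";
```

In a Template Toolkit template (the `.tt` files listed in the diffstat), the equivalent of pattern 2 at the output layer is applying the `html` filter to any variable that came from the request, e.g. `[% format | html %]`; pattern 1 belongs in the CGI script itself, so a bad id is refused before the template is ever rendered.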
hooks/post-receive
--
main Koha release repository