[koha-commits] main Koha release repository branch 3.8.x updated. v3.08.05-49-g1f2b8c7

Git repo owner gitmaster at git.koha-community.org
Mon Oct 22 06:00:15 CEST 2012


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 3.8.x has been updated
       via  1f2b8c706a087ced6482ccd2ae4485d0a16bd24f (commit)
       via  c69a364e4b1ceb34ba837bc4441a95db89491e7c (commit)
       via  94d3e6e713a6550004ead6f95953586ab814f982 (commit)
      from  e7b91d6a823401f73d4ef69ae80e045031995dfc (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 1f2b8c706a087ced6482ccd2ae4485d0a16bd24f
Author: Chris Hall <chrish at catalyst.net.nz>
Date:   Wed Oct 17 14:32:19 2012 +1300

    bug 3652 fixing XSS vulnerabilities in opac-search
    
    Signed-off-by: Mason James <mtj at kohaaloha.com>
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>

commit c69a364e4b1ceb34ba837bc4441a95db89491e7c
Author: Jared Camins-Esakov <jcamins at cpbibliography.com>
Date:   Mon Oct 15 11:58:30 2012 -0400

    Bug 3652: close XSS vulnerabilities in opac-export
    
    The opac-export.pl script had a number of XSS vulnerabilities relating
    to its error handling.
    
    To test:
    1) Go to /cgi-bin/koha/opac-export.pl?op=export&bib=2&format=<h2>evil</h2>
       (substituting a valid biblionumber for the '2')
    2) Notice that "evil" is rendered as an h2 heading.
    3) Apply patch.
    4) Notice that you now see the h2 tags, and they are not rendered by
       the browser.
    
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>

commit 94d3e6e713a6550004ead6f95953586ab814f982
Author: Jared Camins-Esakov <jcamins at cpbibliography.com>
Date:   Mon Oct 15 11:45:38 2012 -0400

    Bug 3652: close XSS vulnerabilities on biblionumber and authid
    
    Previously we did not sanitize biblionumber and authids passed in by
    the user.
    
    To test:
    1) Go to /cgi-bin/koha/opac-detail.pl?biblionumber=2hi (substituting a
       valid biblionumber for the 2).
    2) Notice the presence of "2hi" on this page, and also on the ISBD and
       MARC views.
    3) Go to /cgi-bin/koha/opac-authoritiesdetail.pl?authid=2bye
       (substituting a valid authid for the 2).
    4) Notice the presence of "2bye" on this page.
    5) Apply patch.
    6) Notice that "2hi" and "2bye" strings are gone.
    
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 .../prog/en/modules/opac-results-grouped.tt        |    2 +-
 .../opac-tmpl/prog/en/modules/opac-results.tt      |    2 +-
 opac/opac-ISBDdetail.pl                            |    3 ++-
 opac/opac-MARCdetail.pl                            |    3 ++-
 opac/opac-authoritiesdetail.pl                     |    2 +-
 opac/opac-detail.pl                                |    1 +
 opac/opac-export.pl                                |   11 ++++++++++-
 opac/opac-showmarc.pl                              |    1 +
 8 files changed, 19 insertions(+), 6 deletions(-)


hooks/post-receive
-- 
main Koha release repository