[koha-commits] main Koha release repository branch 3.6.x updated. v3.06.09-49-gd695c0e

Git repo owner gitmaster at git.koha-community.org
Mon Oct 22 22:49:57 CEST 2012


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 3.6.x has been updated
       via  d695c0e9c9d555ebce3adb86154926e2c615f699 (commit)
       via  ab16ea5b02282d76b556b69dee00130a35484c07 (commit)
       via  71f9e11cc46cd9b7eae8504da69f350acd1f766f (commit)
      from  89e8607a7fa5154af9083d56556c4b95d7a2325b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit d695c0e9c9d555ebce3adb86154926e2c615f699
Author: Chris Hall <chrish at catalyst.net.nz>
Date:   Wed Oct 17 14:32:19 2012 +1300

    bug 3652 fixing XSS vulnerabilities in opac-search
    
    Signed-off-by: Mason James <mtj at kohaaloha.com>

commit ab16ea5b02282d76b556b69dee00130a35484c07
Author: Jared Camins-Esakov <jcamins at cpbibliography.com>
Date:   Mon Oct 15 11:58:30 2012 -0400

    Bug 3652: close XSS vulnerabilities in opac-export
    
    The opac-export.pl script had a number of XSS vulnerabilities relating
    to its error handling.
    
    To test:
    1) Go to /cgi-bin/koha/opac-export.pl?op=export&bib=2&format=<h2>evil</h2>
       (substituting a valid biblionumber for the '2')
    2) Notice that "evil" is rendered as an h2 heading.
    3) Apply patch.
    4) Notice that you now see the h2 tags, and they are not rendered by
       the browser.
    
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>

commit 71f9e11cc46cd9b7eae8504da69f350acd1f766f
Author: Jared Camins-Esakov <jcamins at cpbibliography.com>
Date:   Mon Oct 15 11:45:38 2012 -0400

    Bug 3652: close XSS vulnerabilities on biblionumber and authid
    
    Previously we did not sanitize biblionumber and authids passed in by
    the user.
    
    To test:
    1) Go to /cgi-bin/koha/opac-detail.pl?biblionumber=2hi (substituting a
       valid biblionumber for the 2).
    2) Notice the presence of "2hi" on this page, and also on the ISBD and
       MARC views.
    3) Go to /cgi-bin/koha/opac-authoritiesdetail.pl?authid=2bye
       (substituting a valid authid for the 2).
    4) Notice the presence of "2bye" on this page.
    5) Apply patch.
    6) Notice that "2hi" and "2bye" strings are gone.
    
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>

-----------------------------------------------------------------------
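The three commits above fix the same class of defect in two ways: the record identifier commits reject non-numeric `biblionumber`/`authid` values instead of echoing them, and the opac-export commit escapes the user-supplied `format` string before it reaches an error message. The following Perl script is an added illustration of both techniques and is not Koha's own code; the helper names `valid_record_id` and `html_escape` are assumptions, and the sample parameter values are constructed from the test steps in the commit messages.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Whitelist check for numeric record identifiers (hypothetical helper, not
# Koha's own). Returns the integer on success and undef otherwise, so the
# caller can refuse the request rather than echo the raw parameter into the
# page, which is how the "2hi" and "2bye" strings in the test plan appeared.
sub valid_record_id {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $1 if $raw =~ /\A([0-9]+)\z/;    # digits only, anchored at both ends
    return undef;
}

# Minimal HTML escaping for text interpolated into an error message
# (hypothetical helper). A single regex pass means '&' is never escaped twice.
sub html_escape {
    my ($text) = @_;
    my %map = (
        '&' => '&amp;',
        '<' => '&lt;',
        '>' => '&gt;',
        '"' => '&quot;',
        "'" => '&#39;',
    );
    $text =~ s/([&<>"'])/$map{$1}/g;
    return $text;
}

# Constructed sample query parameters modelled on the test steps above.
my %samples = (
    'biblionumber=2'   => '2',
    'biblionumber=2hi' => '2hi',
    'authid=2bye'      => '2bye',
);

for my $label ( sort keys %samples ) {
    my $id = valid_record_id( $samples{$label} );
    printf "%-18s -> %s\n", $label,
        defined $id ? "accepted id $id" : "rejected, no value echoed";
}

# The opac-export case: the format name is untrusted, so it is escaped before
# being placed in the error text. The browser now shows the literal tags
# instead of rendering a heading.
my $format  = '<h2>evil</h2>';
my $message = 'Unsupported export format: ' . html_escape($format);
print "$message\n";
```

Rejecting a malformed identifier outright (rather than stripping the non-digit characters) is the safer of the two options, since a request carrying `2hi` is not a legitimate catalogue lookup and there is no reason to guess which record the client meant.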

Summary of changes:
 .../prog/en/modules/opac-results-grouped.tt        |    2 +-
 .../opac-tmpl/prog/en/modules/opac-results.tt      |    2 +-
 opac/opac-ISBDdetail.pl                            |    3 ++-
 opac/opac-MARCdetail.pl                            |    3 ++-
 opac/opac-authoritiesdetail.pl                     |    7 ++++++-
 opac/opac-detail.pl                                |    1 +
 opac/opac-export.pl                                |   11 ++++++++++-
 opac/opac-showmarc.pl                              |    1 +
 8 files changed, 24 insertions(+), 6 deletions(-)


hooks/post-receive
-- 
main Koha release repository

