[koha-commits] main Koha release repository branch 3.6.x updated. v3.06.09-49-gd695c0e
Git repo owner
gitmaster at git.koha-community.org
Mon Oct 22 22:49:57 CEST 2012
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, 3.6.x has been updated
via d695c0e9c9d555ebce3adb86154926e2c615f699 (commit)
via ab16ea5b02282d76b556b69dee00130a35484c07 (commit)
via 71f9e11cc46cd9b7eae8504da69f350acd1f766f (commit)
from 89e8607a7fa5154af9083d56556c4b95d7a2325b (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit d695c0e9c9d555ebce3adb86154926e2c615f699
Author: Chris Hall <chrish at catalyst.net.nz>
Date: Wed Oct 17 14:32:19 2012 +1300
bug 3652 fixing XSS vulnerabilities in opac-search
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit ab16ea5b02282d76b556b69dee00130a35484c07
Author: Jared Camins-Esakov <jcamins at cpbibliography.com>
Date: Mon Oct 15 11:58:30 2012 -0400
Bug 3652: close XSS vulnerabilities in opac-export
The opac-export.pl script had a number of XSS vulnerabilities relating
to its error handling.
To test:
1) Go to /cgi-bin/koha/opac-export.pl?op=export&bib=2&format=<h2>evil</h2>
(substituting a valid biblionumber for the '2')
2) Notice that "evil" is rendered as an h2 heading.
3) Apply patch.
4) Notice that you now see the h2 tags, and they are not rendered by
the browser.
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
commit 71f9e11cc46cd9b7eae8504da69f350acd1f766f
Author: Jared Camins-Esakov <jcamins at cpbibliography.com>
Date: Mon Oct 15 11:45:38 2012 -0400
Bug 3652: close XSS vulnerabilities on biblionumber and authid
Previously we did not sanitize biblionumber and authids passed in by
the user.
To test:
1) Go to /cgi-bin/koha/opac-detail.pl?biblionumber=2hi (substituting a
valid biblionumber for the 2).
2) Notice the presence of "2hi" on this page, and also on the ISBD and
MARC views.
3) Go to /cgi-bin/koha/opac-authoritiesdetail.pl?authid=2bye
(substituting a valid authid for the 2).
4) Notice the presence of "2bye" on this page.
5) Apply patch.
6) Notice that "2hi" and "2bye" strings are gone.
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
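The two commit messages above describe the same pair of defences: reject record identifiers that are not plain integers (the `2hi` / `2bye` cases), and HTML-escape any user-supplied string that is reflected back in an error message (the `format=<h2>evil</h2>` case). The following is an added illustration of both, written in Python for clarity; it is not Koha's Perl code and the function names, the `handle_detail` helper and the sample inputs are constructed for this example.

```python
import html
import re

# Constructed sample inputs, modelled on the test steps in the commit messages:
# a valid id, an id with trailing junk, an empty value and a negative number.
SAMPLE_IDS = ["2", "2hi", "", "-1"]

_ID_RE = re.compile(r"^[0-9]+$")


def parse_record_id(raw):
    """Allowlist-validate a biblionumber or authid.

    Returns the value as an int when it consists only of decimal digits,
    and None otherwise, so a value such as "2hi" never reaches the page
    or a database query.
    """
    if raw is None or not _ID_RE.match(raw):
        return None
    return int(raw)


def export_error_unsafe(fmt):
    # Vulnerable form: the user-supplied format string is interpolated
    # into markup unchanged, so "<h2>evil</h2>" is rendered by the browser.
    return "<p>Unsupported export format: %s</p>" % fmt


def export_error_safe(fmt):
    # Hardened form: escape before the value is placed in HTML, so the
    # tags are displayed as literal text instead of being rendered.
    return "<p>Unsupported export format: %s</p>" % html.escape(fmt, quote=True)


def handle_detail(params):
    """Hypothetical detail-page handler (not opac-detail.pl itself).

    Returns an (HTTP status, body) pair. Non-numeric identifiers are
    rejected with 400 and nothing user-controlled is echoed in the body.
    """
    rid = parse_record_id(params.get("biblionumber"))
    if rid is None:
        return (400, "<p>Invalid record number</p>")
    return (200, "<h1>Record %d</h1>" % rid)


if __name__ == "__main__":
    for raw in SAMPLE_IDS:
        print(repr(raw), "->", parse_record_id(raw))
    print(export_error_unsafe("<h2>evil</h2>"))
    print(export_error_safe("<h2>evil</h2>"))
    print(handle_detail({"biblionumber": "2hi"}))
```

Validating identifiers with an allowlist (digits only) is preferable to casting, because a lenient numeric conversion silently accepts `2hi` as `2` and hides the bad input rather than rejecting it; escaping at the point of output is what turns the reflected `format` parameter into harmless text.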
-----------------------------------------------------------------------
Summary of changes:
.../prog/en/modules/opac-results-grouped.tt | 2 +-
.../opac-tmpl/prog/en/modules/opac-results.tt | 2 +-
opac/opac-ISBDdetail.pl | 3 ++-
opac/opac-MARCdetail.pl | 3 ++-
opac/opac-authoritiesdetail.pl | 7 ++++++-
opac/opac-detail.pl | 1 +
opac/opac-export.pl | 11 ++++++++++-
opac/opac-showmarc.pl | 1 +
8 files changed, 24 insertions(+), 6 deletions(-)
hooks/post-receive
--
main Koha release repository