[koha-commits] main Koha release repository branch new/bug_3652 updated. v3.08.00-1058-gd2de76d

Git repo owner gitmaster at git.koha-community.org
Wed Oct 24 15:40:16 CEST 2012


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, new/bug_3652 has been updated
       via  d2de76d60d7369e26e8c3f806b9bdcdb6eeaa4fd (commit)
       via  35b6a5ea116f8cafc92c31b0879dccb1cbe23a6b (commit)
       via  70f2b4bd0aeb1c09e988595df7da27279659f56d (commit)
       via  3739e6bd6722af35a9f3f55af0e889036e56010e (commit)
      from  ac66d224add7324d08b0bdf86d1574e401280e41 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit d2de76d60d7369e26e8c3f806b9bdcdb6eeaa4fd
Author: Chris Hall <chrish at catalyst.net.nz>
Date:   Wed Oct 17 14:32:19 2012 +1300

    bug 3652 fixing XSS vulnerabilities in opac-search
    
    Signed-off-by: Mason James <mtj at kohaaloha.com>
    Signed-off-by: Paul Poulain <paul.poulain at biblibre.com>

commit 35b6a5ea116f8cafc92c31b0879dccb1cbe23a6b
Author: Jared Camins-Esakov <jcamins at cpbibliography.com>
Date:   Mon Oct 15 11:58:30 2012 -0400

    Bug 3652: close XSS vulnerabilities in opac-export
    
    The opac-export.pl script had a number of XSS vulnerabilities relating
    to its error handling.
    
    To test:
    1) Go to /cgi-bin/koha/opac-export.pl?op=export&bib=2&format=<h2>evil</h2>
       (substituting a valid biblionumber for the '2')
    2) Notice that "evil" is rendered as an h2 heading.
    3) Apply patch.
    4) Notice that you now see the h2 tags, and they are not rendered by
       the browser.
    
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    Signed-off-by: Paul Poulain <paul.poulain at biblibre.com>

commit 70f2b4bd0aeb1c09e988595df7da27279659f56d
Author: Paul Poulain <paul.poulain at biblibre.com>
Date:   Wed Oct 24 15:30:24 2012 +0200

    Bug 3652 follow-up reverting call to param('bib')
    
    could probably also be removed in opac-detail.pl, but it was still here before Jared's patch.
    
    So, in case something is still using bib, I haven't removed this call.

commit 3739e6bd6722af35a9f3f55af0e889036e56010e
Author: Jared Camins-Esakov <jcamins at cpbibliography.com>
Date:   Mon Oct 15 11:45:38 2012 -0400

    Bug 3652: close XSS vulnerabilities on biblionumber and authid
    
    Previously we did not sanitize biblionumber and authids passed in by
    the user.
    
    To test:
    1) Go to /cgi-bin/koha/opac-detail.pl?biblionumber=2hi (substituting a
       valid biblionumber for the 2).
    2) Notice the presence of "2hi" on this page, and also on the ISBD and
       MARC views.
    3) Go to /cgi-bin/koha/opac-authoritiesdetail.pl?authid=2bye
       (substituting a valid authid for the 2).
    4) Notice the presence of "2bye" on this page.
    5) Apply patch.
    6) Notice that "2hi" and "2bye" strings are gone.
    
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    Signed-off-by: Paul Poulain <paul.poulain at biblibre.com>
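
The two commits above (35b6a5ea for opac-export, 3739e6bd for biblionumber/authid) describe the same pair of defences that any reflected-XSS fix comes down to: escape untrusted input before it is written into HTML, and validate record identifiers as integers before they reach a template. The block below is an added illustration of both, written in Python rather than Koha's Perl; it is not Koha's code and does not reproduce the actual patches. The parameter names `op`, `bib` and `format` are taken from the test URL in the commit message; the list of supported export formats and the error-page markup are constructed for the example.

```python
"""
Constructed example of the two defences behind Bug 3652 (not Koha code):
  1. HTML-escape an untrusted parameter before reflecting it in an error
     page (the opac-export 'format' parameter).
  2. Validate record identifiers (biblionumber, authid, bib) as integers
     before they reach the page.
"""
import html
import re
from urllib.parse import parse_qs

# Only ASCII digits count as an identifier; \d would also admit Unicode digits.
_ID_RE = re.compile(r"[0-9]+")

# Constructed list for the example; Koha's real format set is not shown here.
SUPPORTED_FORMATS = {"marc", "marcxml", "mods", "ris", "bibtex"}


def sanitize_id(value):
    """Return the identifier as an int, or None if it is not purely digits.

    This rejects '2hi' outright rather than coercing it to 2, so the junk
    suffix never reaches the page and a malformed request is refused.
    """
    if value is None or _ID_RE.fullmatch(value) is None:
        return None
    return int(value)


def vulnerable_error_page(fmt):
    """Pre-patch behaviour, kept for comparison: raw reflection of input."""
    return "<p>Unknown export format: %s</p>" % fmt


def export_error_page(fmt):
    """Hardened form: the value is escaped, so <h2>evil</h2> is shown as text."""
    return "<p>Unknown export format: %s</p>" % html.escape(fmt, quote=True)


def handle_export(query_string):
    """Mimic the op=export request path on a raw query string.

    Returns (status, body). Both the identifier and the format are checked
    before any of them is written into the response.
    """
    params = {k: v[0] for k, v in
              parse_qs(query_string, keep_blank_values=True).items()}
    if params.get("op") != "export":
        return 400, "<p>Unsupported operation.</p>"
    bib = sanitize_id(params.get("bib"))
    if bib is None:
        # The offending value is deliberately not echoed back at all.
        return 400, "<p>Invalid record identifier.</p>"
    fmt = params.get("format", "")
    if fmt not in SUPPORTED_FORMATS:
        return 400, export_error_page(fmt)
    return 200, "<p>Exporting record %d as %s</p>" % (bib, fmt)


if __name__ == "__main__":
    # The commit message's test URL, reduced to its query string.
    for qs in ("op=export&bib=2&format=<h2>evil</h2>",
               "op=export&bib=2hi&format=marc",
               "op=export&bib=2&format=marc"):
        print(qs, "->", handle_export(qs))
```

Escaping at the point of output is what makes the h2 tags visible instead of rendered, exactly as step 4 of the opac-export test describes. For identifiers, rejecting non-numeric input is stricter than coercing it with something like `int()`: coercion also makes "2hi" disappear from the page, but silently serves record 2 for a request that was malformed, which is harder to notice in logs.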

-----------------------------------------------------------------------

Summary of changes:
 koha-tmpl/opac-tmpl/prog/en/modules/opac-detail.tt |    2 +-
 .../prog/en/modules/opac-results-grouped.tt        |    2 +-
 .../opac-tmpl/prog/en/modules/opac-results.tt      |    2 +-
 opac/opac-ISBDdetail.pl                            |    1 +
 opac/opac-MARCdetail.pl                            |    1 +
 opac/opac-authoritiesdetail.pl                     |    1 +
 opac/opac-detail.pl                                |    1 +
 opac/opac-export.pl                                |   11 ++++++++++-
 opac/opac-showmarc.pl                              |    1 +
 9 files changed, 18 insertions(+), 4 deletions(-)


hooks/post-receive
-- 
main Koha release repository

