[koha-commits] main Koha release repository branch 3.18.x updated. v3.18.02-97-gb8573a8
Git repo owner
gitmaster at git.koha-community.org
Thu Jan 22 20:51:04 CET 2015
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, 3.18.x has been updated
via b8573a838bd0c3b7327d08c164f8ac8337109762 (commit)
via c9500b2b08dfabba112bd374d6889fd25cbfa142 (commit)
via d6e5102cd739783e77639b7360bf12a1f0f11399 (commit)
via 6c67bbb100152a0452041786d3a10dd2051634d3 (commit)
via 27d410eb142a868aa25c6845272a7e8b51276f3b (commit)
from 1cf3dc6e8e296ad9d5af5f270c1afed74b68a02c (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit b8573a838bd0c3b7327d08c164f8ac8337109762
Author: Katrin Fischer <katrin.fischer at bsz-bw.de>
Date: Thu Jan 22 14:41:09 2015 +0100
Bug 13609: Cross Site Scripting problem in authority search result list paging
To test:
- Use an installation with a reasonable amount of authorities, so that you can
have a search result list with more than one page
- Activate OpacAuthorities
- Create an OPAC link like shown below, verify that an alert is shown
- Apply patch
- Refresh the page and no alert should appear
- Verify the paging still works correctly for 'numbers' and 'arrows'
URL:
.../cgi-bin/koha/opac-authorities-home.pl?and_or=and&marclist=match&op=do_search&operator=contains&orderby=HeadingAsc2"><script>prompt(987898)</script>
Signed-off-by: Jonathan Druart <jonathan.druart at biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen at gmail.com>
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
commit c9500b2b08dfabba112bd374d6889fd25cbfa142
Author: Chris Cormack <chrisc at catalyst.net.nz>
Date: Thu Jan 22 20:13:51 2015 +1300
Release notes
commit d6e5102cd739783e77639b7360bf12a1f0f11399
Author: Chris Cormack <chrisc at catalyst.net.nz>
Date: Thu Jan 22 20:07:08 2015 +1300
Bumping version number for 3.18.3 release
commit 6c67bbb100152a0452041786d3a10dd2051634d3
Author: Chris <chris at bigballofwax.co.nz>
Date: Mon Jan 5 06:37:51 2015 +0000
Bug 13510 : Fixing the third XSS issue
To test
1/ Make sure you have some items in your database that have values in items.issues
If necessary do something like
UPDATE items SET issues = 10 WHERE itemnumber=somenumber
2/ Hit a url like http://localhost:8080/cgi-bin/koha/opac-topissues.pl?do_it=1&timeLimit=3%3Cscript%3Eprompt%28924513%29%3C/script%3E
3/ Notice you will get a prompt
4/ Apply patch
5/ Test again
Signed-off-by: Katrin Fischer <katrin.fischer at bsz-bw.de>
Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
commit 27d410eb142a868aa25c6845272a7e8b51276f3b
Author: Liz <wizzyrea at gmail.com>
Date: Mon Jan 5 02:32:32 2015 +0000
Bug 13510 - Cross site scripting bug in opac-downloadshelf and opac-shelves
A specially crafted url causes XSS in Koha
To test:
cgi-bin/koha/opac-shelves.pl?viewshelf=2%22%3E%3Cscript%3Eprompt(987898)%3C/script%3E
cgi-bin/koha/opac-downloadshelf.pl?shelfid=2%22%3Cscript%3Eprompt(1)%3C/script%3E&showprivateshelves
These should cause a popup without the patch. With the patch, no popup.
You may need to create these lists; the XSS will not be triggered if the list doesn't exist or you don't have permission to view them.
Signed-off-by: Chris <chris at bigballofwax.co.nz>
Fixes the two listed problems
Signed-off-by: Katrin Fischer <katrin.fischer at bsz-bw.de>
Confirmed patch fixes the problem.
Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
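The three commits above (Bug 13609 and both Bug 13510 patches) fix the same defect class: a query parameter reflected into an OPAC template without output encoding, so a value carrying `"><script>` closes the attribute it was placed in and becomes live markup. The following is an added illustration, not Koha's own code and not the patches in these commits. It assumes Template Toolkit (the engine behind the .tt files listed in the summary) is installed; the paging-link fragment and the orderby value are constructed for the demonstration from the Bug 13609 test URL.

```perl
#!/usr/bin/perl
# Added illustration (not Koha's code): a reflected query parameter in an
# OPAC paging link, rendered raw and then with output encoding.
use strict;
use warnings;
use Template;   # assumption: Template Toolkit is installed

# Constructed input: the orderby value from the Bug 13609 test URL.
my $orderby = 'HeadingAsc2"><script>prompt(987898)</script>';

# Vulnerable form: the parameter is interpolated raw inside an href attribute,
# so the embedded quote closes the attribute and the <script> tag is live.
my $unsafe_tt = '<a href="opac-authorities-home.pl?orderby=[% orderby %]&page=2">Next</a>';

# Hardened form: the html filter turns < > & " into entities, so the value
# cannot break out of the attribute. (The uri filter is the right choice when
# the value must also survive as a URL query component.)
my $safe_tt = '<a href="opac-authorities-home.pl?orderby=[% orderby | html %]&page=2">Next</a>';

my $tt = Template->new() or die Template->error();

# Render a template fragment with the given orderby value and return the HTML.
sub render {
    my ($template, $value) = @_;
    my $out = '';
    $tt->process(\$template, { orderby => $value }, \$out) or die $tt->error();
    return $out;
}

my $unsafe = render($unsafe_tt, $orderby);
my $safe   = render($safe_tt,   $orderby);

print "raw:     $unsafe\n";
print "escaped: $safe\n";

# Regression check of the kind the test plans above describe
# ("refresh the page and no alert should appear"): the escaped output must
# contain the entity form of the tag and no live <script> element.
die "raw output should contain a live script tag" unless $unsafe =~ /<script>/;
die "escaped output leaked a live script tag"     if     $safe   =~ /<script>/;
die "escaped output lost the entity form"         unless $safe   =~ /&lt;script&gt;/;
print "ok: escaped output contains no live <script> element\n";
```

The same check applies to the timeLimit and shelfid parameters in the Bug 13510 test URLs: encode at the point of output in the template, not only in the controller.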
-----------------------------------------------------------------------
Summary of changes:
installer/data/mysql/updatedatabase.pl | 7 +
.../en/modules/opac-authoritiessearchresultlist.tt | 6 +-
.../bootstrap/en/modules/opac-downloadshelf.tt | 4 +-
.../opac-tmpl/bootstrap/en/modules/opac-shelves.tt | 46 +--
.../bootstrap/en/modules/opac-topissues.tt | 2 +-
kohaversion.pl | 2 +-
misc/release_notes/release_notes_3_18_3.txt | 401 ++++++++++++++++++++
7 files changed, 438 insertions(+), 30 deletions(-)
create mode 100644 misc/release_notes/release_notes_3_18_3.txt
hooks/post-receive
--
main Koha release repository