[koha-commits] main Koha release repository branch 3.18.x updated. v3.18.02-97-gb8573a8

Git repo owner gitmaster at git.koha-community.org
Thu Jan 22 20:51:04 CET 2015 

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 3.18.x has been updated
       via  b8573a838bd0c3b7327d08c164f8ac8337109762 (commit)
       via  c9500b2b08dfabba112bd374d6889fd25cbfa142 (commit)
       via  d6e5102cd739783e77639b7360bf12a1f0f11399 (commit)
       via  6c67bbb100152a0452041786d3a10dd2051634d3 (commit)
       via  27d410eb142a868aa25c6845272a7e8b51276f3b (commit)
      from  1cf3dc6e8e296ad9d5af5f270c1afed74b68a02c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit b8573a838bd0c3b7327d08c164f8ac8337109762
Author: Katrin Fischer <katrin.fischer at bsz-bw.de>
Date:   Thu Jan 22 14:41:09 2015 +0100

    Bug 13609: Cross Site Scripting problem in authority search result list paging
    
    To test:
    - Use an installation a reasonable amount of authorities, so that you can
      have a search result list with more than one page
    - Activate OpacAuthorities
    - Create an OPAC link like shown below, verify that an alert is shown
    - Apply patch
    - Refresh the page and no alert should appear
    - Verify the paging still works correctly for 'numbers' and 'arrows'
    
    URL:
    .../cgi-bin/koha/opac-authorities-home.pl?and_or=and&marclist=match&op=do_search&operator=contains&orderby=HeadingAsc2"><script>prompt(987898)</script>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at biblibre.com>
    Signed-off-by: Tomas Cohen Arazi <tomascohen at gmail.com>
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>

commit c9500b2b08dfabba112bd374d6889fd25cbfa142
Author: Chris Cormack <chrisc at catalyst.net.nz>
Date:   Thu Jan 22 20:13:51 2015 +1300

    Release notes

commit d6e5102cd739783e77639b7360bf12a1f0f11399
Author: Chris Cormack <chrisc at catalyst.net.nz>
Date:   Thu Jan 22 20:07:08 2015 +1300

    Bumping version number for 3.18.3 release

commit 6c67bbb100152a0452041786d3a10dd2051634d3
Author: Chris <chris at bigballofwax.co.nz>
Date:   Mon Jan 5 06:37:51 2015 +0000

    Bug 13510 : Fixing the third XSS issue
    
    To test
    
    1/ Make sure you have some items in your database, that have values in items.issue
    If nessecary do something like
    
    UPDATE items SET issues = 10 WHERE itemnumber=somenumber
    
    2/ Hit a url like http://localhost:8080/cgi-bin/koha/opac-topissues.pl?do_it=1&timeLimit=3%3Cscript%3Eprompt%28924513%29%3C/script%3E
    
    3/ Notice you will get a prompt
    4/ Apply patch
    5/ Test again
    
    Signed-off-by: Katrin Fischer <katrin.fischer at bsz-bw.de>
    Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>

commit 27d410eb142a868aa25c6845272a7e8b51276f3b
Author: Liz <wizzyrea at gmail.com>
Date:   Mon Jan 5 02:32:32 2015 +0000

    Bug 13510 - Cross site scripting bug in opac-downloadshelf and opac-shelves
    
    A specially crafted url causes XSS in Koha
    
    To test:
    
    cgi-bin/koha/opac-shelves.pl?viewshelf=2%22%3E%3Cscript%3Eprompt(987898)%3C/script%3E
    
    cgi-bin/koha/opac-downloadshelf.pl?shelfid=2%22%3Cscript%3Eprompt(1)%3C/script%3E&showprivateshelves
    
    These should cause a popup without the patch. With the patch, no popup.
    
    You may need to create these lists, the xss will not be triggered if the list doesn't exist or you don't
    have permission to view them.
    
    Signed-off-by: Chris <chris at bigballofwax.co.nz>
    
    Fixes the two listed problems
    
    Signed-off-by: Katrin Fischer <katrin.fischer at bsz-bw.de>
    Confirmed patch fixes the problem.
    
    Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 installer/data/mysql/updatedatabase.pl             |    7 +
 .../en/modules/opac-authoritiessearchresultlist.tt |    6 +-
 .../bootstrap/en/modules/opac-downloadshelf.tt     |    4 +-
 .../opac-tmpl/bootstrap/en/modules/opac-shelves.tt |   46 +--
 .../bootstrap/en/modules/opac-topissues.tt         |    2 +-
 kohaversion.pl                                     |    2 +-
 misc/release_notes/release_notes_3_18_3.txt        |  401 ++++++++++++++++++++
 7 files changed, 438 insertions(+), 30 deletions(-)
 create mode 100644 misc/release_notes/release_notes_3_18_3.txt


hooks/post-receive
-- 
main Koha release repository

More information about the koha-commits mailing list