[koha-commits] main Koha release repository branch 3.16.x updated. v3.16.06-90-g82e3bc7

Git repo owner gitmaster at git.koha-community.org
Fri Jan 23 07:30:08 CET 2015


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 3.16.x has been updated
       via  82e3bc7e21995172465c0482ba9af9a99cef5a78 (commit)
       via  0718ced5e452a3d295597d1b5ef976a6772610eb (commit)
       via  20dd347c4866226e29c4bbeeebf66a33f347302a (commit)
       via  db9a69aa7f25dc929f5f7dc237247a0dbfb517ce (commit)
      from  1d45527578ddf7b21da64e9c0bcd73383a29f042 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 82e3bc7e21995172465c0482ba9af9a99cef5a78
Author: Chris <chris at bigballofwax.co.nz>
Date:   Mon Jan 5 06:37:51 2015 +0000

    Bug 13510 : Fixing the third XSS issue
    
    To test
    
    1/ Make sure you have some items in your database, that have values in items.issue
    If necessary do something like
    
    UPDATE items SET issues = 10 WHERE itemnumber=somenumber
    
    2/ Hit a url like http://localhost:8080/cgi-bin/koha/opac-topissues.pl?do_it=1&timeLimit=3%3Cscript%3Eprompt%28924513%29%3C/script%3E
    
    3/ Notice you will get a prompt
    4/ Apply patch
    5/ Test again
    
    Signed-off-by: Katrin Fischer <katrin.fischer at bsz-bw.de>
    Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>

commit 0718ced5e452a3d295597d1b5ef976a6772610eb
Author: Liz <wizzyrea at gmail.com>
Date:   Mon Jan 5 02:32:32 2015 +0000

    Bug 13510 - Cross site scripting bug in opac-downloadshelf and opac-shelves
    
    A specially crafted url causes XSS in Koha
    
    To test:
    
    cgi-bin/koha/opac-shelves.pl?viewshelf=2%22%3E%3Cscript%3Eprompt(987898)%3C/script%3E
    
    cgi-bin/koha/opac-downloadshelf.pl?shelfid=2%22%3Cscript%3Eprompt(1)%3C/script%3E&showprivateshelves
    
    These should cause a popup without the patch. With the patch, no popup.
    
    You may need to create these lists; the XSS will not be triggered if the list doesn't exist or you don't
    have permission to view them.
    
    Signed-off-by: Chris <chris at bigballofwax.co.nz>
    
    Fixes the two listed problems
    
    Signed-off-by: Katrin Fischer <katrin.fischer at bsz-bw.de>
    Confirmed patch fixes the problem.
    
    Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>
    Signed-off-by: Mason James <mtj at kohaaloha.com>

commit 20dd347c4866226e29c4bbeeebf66a33f347302a
Author: Chris Cormack <chrisc at catalyst.net.nz>
Date:   Fri Jan 23 08:43:14 2015 +1300

    Bug 13609: Patch for 3.16.x and 3.14.x (3.16.x needs both, 3.14.x just this)
    
    To Test:
    
    - Use an installation with a reasonable amount of authorities, so that you
      can have a search result list with more than one page
    - Activate OpacAuthorities
    - Create an OPAC link like shown below, verify that an alert is shown
    - Apply patch
    - Refresh the page and no alert should appear
    - Verify the paging still works correctly for 'numbers' and 'arrows'
    
    URL: .../cgi-bin/koha/opac-authorities-home.pl?and_or=and&marclist=match&op=do_search&operator=contains&orderby=HeadingAsc2"><script>prompt(987898)</script>
    
    Signed-off-by: Mason James <mtj at kohaaloha.com>

commit db9a69aa7f25dc929f5f7dc237247a0dbfb517ce
Author: Katrin Fischer <katrin.fischer at bsz-bw.de>
Date:   Thu Jan 22 14:41:09 2015 +0100

    Bug 13609: Cross Site Scripting problem in authority search result list paging
    
    To test:
    - Use an installation with a reasonable amount of authorities, so that you can
      have a search result list with more than one page
    - Activate OpacAuthorities
    - Create an OPAC link like shown below, verify that an alert is shown
    - Apply patch
    - Refresh the page and no alert should appear
    - Verify the paging still works correctly for 'numbers' and 'arrows'
    
    URL:
    .../cgi-bin/koha/opac-authorities-home.pl?and_or=and&marclist=match&op=do_search&operator=contains&orderby=HeadingAsc2"><script>prompt(987898)</script>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at biblibre.com>
    Signed-off-by: Tomas Cohen Arazi <tomascohen at gmail.com>
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    Signed-off-by: Mason James <mtj at kohaaloha.com>

-----------------------------------------------------------------------

Summary of changes:
 .../en/modules/opac-authoritiessearchresultlist.tt |    6 +--
 .../bootstrap/en/modules/opac-downloadshelf.tt     |    4 +-
 .../opac-tmpl/bootstrap/en/modules/opac-shelves.tt |   46 ++++++++++----------
 .../bootstrap/en/modules/opac-topissues.tt         |    2 +-
 .../en/modules/opac-authoritiessearchresultlist.tt |    6 +--
 5 files changed, 32 insertions(+), 32 deletions(-)
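All four commits above change only Template Toolkit (.tt) files, and each reproduction URL follows the same pattern: a query parameter is reflected into the page either as a text node (`timeLimit=3<script>...`) or inside a double-quoted attribute, where the leading `"` closes the attribute and `>` closes the tag (`viewshelf=2"><script>...`). The following is an added illustration, not code from Koha or from these patches, of how an unescaped `[% var %]` reflects such a parameter and how the Template Toolkit `html` filter neutralises it. The two template fragments are hypothetical stand-ins for the affected templates, and the decoded payload strings are taken from the reproduction URLs in the commit messages; it needs only the `Template` module from CPAN.

```perl
#!/usr/bin/env perl
# Added example (not Koha code): reflected XSS through an unescaped
# Template Toolkit variable, and the same templates with the `html` filter.
use strict;
use warnings;
use Template;

# Payloads as a CGI parameter parser would see them after URL decoding.
# %3C -> '<', %3E -> '>', %28 -> '(', %29 -> ')', %22 -> '"'.
my %payloads = (
    # opac-topissues.pl?timeLimit=3%3Cscript%3Eprompt%28924513%29%3C/script%3E
    timeLimit   => '3<script>prompt(924513)</script>',
    # opac-shelves.pl?viewshelf=2%22%3E%3Cscript%3Eprompt(987898)%3C/script%3E
    shelfnumber => '2"><script>prompt(987898)</script>',
);

# Hypothetical fragments: one text-node context, one double-quoted attribute
# context. These stand in for the real templates and are not copied from them.
my $vulnerable = <<'TT';
<p>Top issues in the last [% timeLimit %] months</p>
<a href="opac-shelves.pl?viewshelf=[% shelfnumber %]">list</a>
TT

# The fix pattern: pass every reflected value through the `html` filter,
# which rewrites & < > and " as entities.
my $fixed = <<'TT';
<p>Top issues in the last [% timeLimit | html %] months</p>
<a href="opac-shelves.pl?viewshelf=[% shelfnumber | html %]">list</a>
TT

# Render a template string with the given variables and return the HTML.
sub render {
    my ( $template, $vars ) = @_;
    my $tt = Template->new() or die Template->error();
    my $out;
    $tt->process( \$template, $vars, \$out ) or die $tt->error();
    return $out;
}

# True if the rendered page still contains a literal script tag, i.e. the
# payload survived as markup rather than as text.
sub reflects_script {
    my ($html) = @_;
    return $html =~ m{<script>}i ? 1 : 0;
}

for my $case ( [ vulnerable => $vulnerable ], [ fixed => $fixed ] ) {
    my ( $name, $template ) = @$case;
    my $html = render( $template, \%payloads );
    printf "%-10s %s\n%s\n", $name,
        reflects_script($html) ? 'reflects raw <script>' : 'no raw <script>',
        $html;
}
```

With the vulnerable fragment the first payload lands as a live `<script>` element and the second breaks out of the `href` attribute before injecting one; with the `html` filter both render as `&lt;script&gt;...` and `2&quot;&gt;&lt;script&gt;...`, which the browser shows as text. The caveat for a reviewer: the `html` filter escapes only `&`, `<`, `>` and `"`, so it is the right tool for text nodes and double-quoted attributes, but not on its own for single-quoted attributes, inline JavaScript, or values that are assembled into a URL, where a context-specific encoding (Template Toolkit's `uri` filter for query-string components, for instance) is needed in addition.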


hooks/post-receive
-- 
main Koha release repository

