[koha-commits] main Koha release repository branch 3.14.x updated. v3.14.15-15-g4e1b447
Git repo owner
gitmaster at git.koha-community.org
Tue Jun 23 14:16:05 CEST 2015
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, 3.14.x has been updated
via 4e1b447b4cd9e4781b03fbf78fe027ca80580a33 (commit)
via 253b6f1f51cc73f36829658be5c8d905b2e36909 (commit)
via 656b2dc36c324b7368c4541ff6288c9451a774bb (commit)
via 2870086da0070dad38bdb4a22be9e07dd1c8c713 (commit)
from b9ebf70d9583d761d8db9eaf503ebe9498bc01e0 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 4e1b447b4cd9e4781b03fbf78fe027ca80580a33
Author: Fridolin Somers <fridolin.somers at biblibre.com>
Date: Tue Jun 23 14:09:06 2015 +0200
Bug 14408: Allow tmpl and empty in template paths
commit 253b6f1f51cc73f36829658be5c8d905b2e36909
Author: Jonathan Druart <jonathan.druart at koha-community.org>
Date: Mon Jun 22 10:24:51 2015 +0200
Bug 14408: Allow integers in template paths
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
(cherry picked from commit 64e47c63dc59669c3c651b93630c470e06107fd6)
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
(cherry picked from commit beedae80631f0f34be341274ee63c6b0aeeb75d6)
Conflicts:
C4/Auth.pm
t/db_dependent/Auth.t
commit 656b2dc36c324b7368c4541ff6288c9451a774bb
Author: Jonathan Druart <jonathan.druart at koha-community.org>
Date: Fri Jun 19 10:25:30 2015 +0200
Bug 14408: Add tests to get_template_and_user
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
(cherry picked from commit 5dd7c8f0d5fae67ea6177fdbac77a04f70661864)
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
(cherry picked from commit bb5f6b4bfa20800ab36fdf899838e8adb18089dd)
Signed-off-by: Fridolin Somers <fridolin.somers at biblibre.com>
Conflicts:
t/db_dependent/Auth.t
commit 2870086da0070dad38bdb4a22be9e07dd1c8c713
Author: Chris <chris at bigballofwax.co.nz>
Date: Mon Jun 22 05:23:52 2015 +0000
Bug 14408: Path Traversal error
Counter counter patch
Please test well, including with the null byte %00. This uses a whitelist to only allow files ending with .tt,
and does not allow ../ etc.
Note the previous patch tries to protect against /etc/passwd,
but //etc/passwd is now vulnerable. I do think a whitelist is safer than trying to do a blacklist.
/cgi-bin/koha/svc/virtualshelves/search
/cgi-bin/koha/svc/members/search
are vulnerable.
To test:
1/ Hit /cgi-bin/koha/svc/members/search?template_path=members/tables/members_results.tt
Notice you get a valid JSON response
2/ Hit
/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
(You may have to add more ..%2f or remove them to get the correct path)
Notice you can see the contents of the /etc/passwd file
3/ Hit
/cgi-bin/koha/svc/members/search?template_path=test%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
4/ Apply patch
5/ Hit the first URL again; notice it still works
6/ Hit the second URL; notice it now errors with a file not found
7/ Hit the third URL; notice it now errors with a file not found
Repeat for the other script also
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
(cherry picked from commit 5a7f459290326e1cea8460bb0817492340dd4150)
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
(cherry picked from commit 364de7531c7b0ac604d396e3af1c84f674e7221e)
Conflicts:
C4/Auth.pm
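As an added illustration of the whitelist approach described in this commit message (example code, not Koha's own C4/Auth.pm change): a validator that accepts only template paths built from safe path segments and ending in .tt, and that checks the value after URL decoding, so the encoded ../ chains, the //etc/passwd bypass of the earlier blacklist and a %00 suffix are all rejected. The regex, the .tmpl extension, and the treatment of bare integers and the empty value (from the follow-up commits on this bug) are assumptions here, not Koha's actual rules.

```python
import re
from urllib.parse import unquote

# Whitelist pattern. Assumption: modelled on the commit description (only files ending
# in .tt, no "../"), not Koha's own regex. Because each segment is restricted to a safe
# character set, "..", a leading "/", "//", NUL bytes and newlines can never match.
SEGMENT = r"[A-Za-z0-9_-]+"
# Assumption: the follow-up "Allow tmpl" commit is read here as also permitting .tmpl.
TEMPLATE_PATH_RE = re.compile(rf"(?:{SEGMENT}/)*{SEGMENT}\.(?:tt|tmpl)")
INTEGER_RE = re.compile(r"[0-9]+")


def template_path_allowed(raw: str) -> bool:
    """Return True only if the query value names a template inside the template tree."""
    # Validate the decoded value: "..%2f" is "../" once the CGI layer has decoded it.
    path = unquote(raw)
    # Assumption: the follow-up commits allow an empty value and bare integers.
    if path == "" or INTEGER_RE.fullmatch(path):
        return True
    # fullmatch: unlike a "$" anchor, it does not accept a trailing newline.
    return TEMPLATE_PATH_RE.fullmatch(path) is not None


# Constructed sample values with the expected verdict; the traversal strings are the
# ones quoted in the commit message's test plan.
SAMPLES = {
    "members/tables/members_results.tt": True,
    "": True,
    "42": True,
    "/etc/passwd": False,
    "//etc/passwd": False,                           # bypassed the earlier blacklist
    "..%2f" * 16 + "etc%2fpasswd": False,            # URL-encoded ../ chain
    "test%2f..%2f..%2f..%2fetc%2fpasswd": False,     # valid-looking prefix, then ../
    "members/tables/members_results.tt%00": False,   # NUL byte after a valid suffix
    "members/tables/members_results.tt%0a": False,   # trailing newline
}


def check_samples(samples=SAMPLES):
    """Return the inputs whose verdict differs from the expected one (empty when all agree)."""
    return [p for p, expected in samples.items() if template_path_allowed(p) != expected]


if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{'allow' if template_path_allowed(p) else 'reject':6} {p!r}")
    assert check_samples() == []
```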
-----------------------------------------------------------------------
Summary of changes:
C4/Auth.pm | 3 +++
t/db_dependent/Auth.t | 35 ++++++++++++++++++++++++++++++++++-
2 files changed, 37 insertions(+), 1 deletion(-)
hooks/post-receive
--
main Koha release repository