[koha-commits] main Koha release repository branch 3.14.x updated. v3.14.15-15-g4e1b447

Git repo owner gitmaster at git.koha-community.org
Tue Jun 23 14:16:05 CEST 2015


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 3.14.x has been updated
       via  4e1b447b4cd9e4781b03fbf78fe027ca80580a33 (commit)
       via  253b6f1f51cc73f36829658be5c8d905b2e36909 (commit)
       via  656b2dc36c324b7368c4541ff6288c9451a774bb (commit)
       via  2870086da0070dad38bdb4a22be9e07dd1c8c713 (commit)
      from  b9ebf70d9583d761d8db9eaf503ebe9498bc01e0 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 4e1b447b4cd9e4781b03fbf78fe027ca80580a33
Author: Fridolin Somers <fridolin.somers at biblibre.com>
Date:   Tue Jun 23 14:09:06 2015 +0200

    Bug 14408: Allow tmpl and empty in template paths

commit 253b6f1f51cc73f36829658be5c8d905b2e36909
Author: Jonathan Druart <jonathan.druart at koha-community.org>
Date:   Mon Jun 22 10:24:51 2015 +0200

    Bug 14408: Allow integers in template paths
    
    Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
    (cherry picked from commit 64e47c63dc59669c3c651b93630c470e06107fd6)
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    (cherry picked from commit beedae80631f0f34be341274ee63c6b0aeeb75d6)
    
    Conflicts:
    	C4/Auth.pm
    	t/db_dependent/Auth.t

commit 656b2dc36c324b7368c4541ff6288c9451a774bb
Author: Jonathan Druart <jonathan.druart at koha-community.org>
Date:   Fri Jun 19 10:25:30 2015 +0200

    Bug 14408: Add tests to get_template_and_user
    
    Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
    (cherry picked from commit 5dd7c8f0d5fae67ea6177fdbac77a04f70661864)
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    (cherry picked from commit bb5f6b4bfa20800ab36fdf899838e8adb18089dd)
    Signed-off-by: Fridolin Somers <fridolin.somers at biblibre.com>
    
    Conflicts:
    	t/db_dependent/Auth.t

commit 2870086da0070dad38bdb4a22be9e07dd1c8c713
Author: Chris <chris at bigballofwax.co.nz>
Date:   Mon Jun 22 05:23:52 2015 +0000

    Bug 14408: Path Traversal error
    
    Counter counter patch
    Please test well, including with the null byte %00. This uses a whitelist to only allow files ending with .tt
    and does not allow ../etc
    
    Note the previous patch tries to protect against /etc/passwd,
    but //etc/passwd is now vulnerable. I do think a whitelist is safer than trying to do a blacklist.
    
    /cgi-bin/koha/svc/virtualshelves/search
    /cgi-bin/koha/svc/members/search
    
    are vulnerable.
    
    To test:
    1/ Hit /cgi-bin/koha/svc/members/search?template_path=members/tables/members_results.tt
      Notice you get a valid JSON response
    2/ Hit
    /search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
      (You may have to add more ..%2f or remove them to get the correct path)
      Notice you can see the contents of the /etc/passwd file
    3/ Hit
    /cgi-bin/koha/svc/members/search?template_path=test%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
    4/ Apply patch
    5/ Hit the first URL again; notice it still works
    6/ Hit the second URL; notice it now errors with a file not found
    7/ Hit the third URL; notice it now errors with a file not found
    
    Repeat for the other script also
    
    Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
    (cherry picked from commit 5a7f459290326e1cea8460bb0817492340dd4150)
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    (cherry picked from commit 364de7531c7b0ac604d396e3af1c84f674e7221e)
    
    Conflicts:
    	C4/Auth.pm

-----------------------------------------------------------------------

Summary of changes:
 C4/Auth.pm            |    3 +++
 t/db_dependent/Auth.t |   35 ++++++++++++++++++++++++++++++++++-
 2 files changed, 37 insertions(+), 1 deletion(-)


hooks/post-receive
-- 
main Koha release repository
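Added example, not part of this notification and not Koha's own C4/Auth.pm code: a whitelist check for a caller-supplied template_path in the spirit of the Bug 14408 fix described in the commit message above (only plain relative names ending in .tt or .tmpl, so "../", absolute paths, "//" and NUL bytes are all rejected), run over constructed inputs in the URL-encoded form a request would carry. The regex, the percent_decode helper, the "empty means use the default template" rule and the function names are assumptions made for the example, not the project's.

```perl
#!/usr/bin/perl
# Added example, not Koha's C4/Auth.pm code. Whitelist validation of a
# caller-supplied template_path in the spirit of the Bug 14408 fix: accept only
# relative paths of plain name characters ending in .tt or .tmpl, so "../",
# absolute paths, "//", NUL bytes and other extensions never reach the
# template loader. The pattern itself is an assumption, not the project's regex.
use strict;
use warnings;

# Decode %XX sequences the way a CGI layer would before the value is checked.
# (Minimal stand-in for URI::Escape::uri_unescape, used here to stay core-only.)
sub percent_decode {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $s;
}

# Returns 1 when $path is safe to hand to the template loader, 0 otherwise.
# Empty or undefined means "no override"; the caller keeps its default template
# (assumption matching the "Allow tmpl and empty" commit above).
sub is_safe_template_path {
    my ($path) = @_;
    return 1 if !defined $path || $path eq '';
    # Each segment is [A-Za-z0-9_-]+, segments are joined by a single "/", and
    # the string ends in .tt or .tmpl. "." is not a segment character, so ".."
    # cannot appear; "/" cannot lead or repeat, so "/etc" and "//etc" fail.
    # \A and \z anchor the whole string; "$" alone would still match before a
    # trailing newline.
    return $path =~ m{\A[A-Za-z0-9_\-]+(?:/[A-Za-z0-9_\-]+)*\.(?:tt|tmpl)\z} ? 1 : 0;
}

# Constructed inputs, in the URL-encoded form a request would carry.
my @cases = (
    [ 'members%2Ftables%2Fmembers_results.tt' => 1 ],  # the legitimate case
    [ 'opac-main.tmpl'                         => 1 ],  # legacy extension
    [ ''                                       => 1 ],  # no override, default used
    [ '..%2f..%2f..%2fetc%2fpasswd'            => 0 ],  # plain traversal
    [ 'test%2f..%2f..%2fetc%2fpasswd'          => 0 ],  # traversal after a real segment
    [ '%2fetc%2fpasswd'                        => 0 ],  # absolute path
    [ '%2f%2fetc%2fpasswd'                     => 0 ],  # the // variant the blacklist missed
    [ 'members%2Fresults.tt%00.txt'            => 0 ],  # NUL byte after the extension
    [ 'members%2Fresults.tt%0a'                => 0 ],  # trailing newline
    [ 'members%2Fresults.tt.bak'               => 0 ],  # wrong extension
    [ 'a%2F..%2Fa%2Fx.tt'                      => 0 ],  # harmless, still rejected: ".." never allowed
);

for my $case (@cases) {
    my ( $raw, $want ) = @$case;
    my $got = is_safe_template_path( percent_decode($raw) );
    printf "%-42s %s\n", "'$raw'", $got ? 'allowed' : 'rejected';
    die "unexpected result for '$raw'\n" if $got != $want;
}
print "all cases behaved as expected\n";
```

The check runs on the decoded value, which is the point of testing with %00 and %2f: a filter applied to the raw query string would miss them. The whitelist deliberately rejects some harmless inputs such as a/../a/x.tt; that is the trade-off the commit message argues for over a blacklist that has to enumerate every dangerous spelling.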

