[koha-commits] main Koha release repository branch 3.14.x updated. v3.14.15-22-g9109515

Git repo owner gitmaster at git.koha-community.org
Tue Jun 23 14:44:40 CEST 2015


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 3.14.x has been updated
       via  910951512bd240df36ab18f3eb083afe0d75dfaf (commit)
       via  9e704e2b289dc8a9e90108b2d2a5c9266c347171 (commit)
       via  94c70537c62e25ac0ed8a5cb71c10c3315653e2d (commit)
       via  735ec07ca761dced366adc2711fb266bbc150099 (commit)
       via  ebc7b2a033d7a80e09dbb0cb51c83029f505d3fc (commit)
       via  1c82ddcaad2197a372fcc021b18548a3801440ab (commit)
      from  533186576bf8885eda8b39cb61bb72388a4d9545 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 910951512bd240df36ab18f3eb083afe0d75dfaf
Author: Chris <chris at bigballofwax.co.nz>
Date:   Sun Jun 21 09:35:07 2015 +0000

    Bug 14423 : Multiple XSS bugs in suggestion.pl
    
    To test
    1/ Hit a url like http://localhost:8081/cgi-bin/koha/suggestion/suggestion.pl?author=%22%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&accepteddate_to=
    2/ Notice alert box(es)
    3/ Apply patch
    4/ Reload and notice alert is gone
    
    Repeat for
    collection_title
    copyrightdate
    isbn
    manageddate_from
    manageddate_to
    publishercode
    suggesteddate_from
    suggesteddate_to
    
    Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    (cherry picked from commit a4310e870247cb57cb1cbca55fed749d63469dcf)
    Signed-off-by: Fridolin Somers <fridolin.somers at biblibre.com>

commit 9e704e2b289dc8a9e90108b2d2a5c9266c347171
Author: Chris <chris at bigballofwax.co.nz>
Date:   Sun Jun 21 09:20:51 2015 +0000

    Bug 14423 : Multiple XSS vulnerabilities in serials-search
    
    To test
    
    1/ Hit a url like http://localhost:8081/cgi-bin/koha/serials/serials-search.pl?bookseller_filter=%22%22%22%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&searched=1&title_filter=
    2/ Notice alert boxes
    3/ Apply patch
    4/ Reload, notice fixed
    
    Repeat for
    callnumber_filter
    EAN_filter
    ISSN_filter
    publisher_filter
    title_filter
    
    Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    (cherry picked from commit bab7a33c2d6b4774dd96af1d10f72620802e9b4e)
    Signed-off-by: Fridolin Somers <fridolin.somers at biblibre.com>
    
    Conflicts:
    	koha-tmpl/intranet-tmpl/prog/en/modules/serials/serials-search.tt

commit 94c70537c62e25ac0ed8a5cb71c10c3315653e2d
Author: Chris <chris at bigballofwax.co.nz>
Date:   Sun Jun 21 09:01:32 2015 +0000

    Bug 14423 : XSS bugs in catalogue search
    
    To test
    
    1/ hit a url like http://localhost:8081/cgi-bin/koha/catalogue/search.pl?limit=%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
    2/ Notice alert boxes
    3/ Apply patch
    4/ Reload url, no alerts
    5/ Check search still works
    
    Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    (cherry picked from commit 48af13bd1a0eff3162d5e8edb867a701e233e5da)
    Signed-off-by: Fridolin Somers <fridolin.somers at biblibre.com>

commit 735ec07ca761dced366adc2711fb266bbc150099
Author: Chris <chris at bigballofwax.co.nz>
Date:   Sun Jun 21 08:33:13 2015 +0000

    Bug 14423 XSS bug in auth_subfields_structure
    
    1/ Hit a url like http://localhost:8081/cgi-bin/koha/admin/auth_subfields_structure.pl?op=add_form&authtypecode=%27%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&tagfield=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
    2/ Notice a ton of alert boxes pop up
    3/ Apply patch
    4/ Reload url, no longer get any alerts
    5/ Test functionality still works
    
    Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    (cherry picked from commit d35384c039b8db00659d1cd0ee08cfb50c45481e)
    Signed-off-by: Fridolin Somers <fridolin.somers at biblibre.com>

commit ebc7b2a033d7a80e09dbb0cb51c83029f505d3fc
Author: Chris <chris at bigballofwax.co.nz>
Date:   Sun Jun 21 08:18:20 2015 +0000

    Bug 14423 : XSS bug in lateorders
    
    1/ hit a url like http://localhost:8081/cgi-bin/koha/acqui/lateorders.pl?delay=<script>alert('oh noes')</script>&estimateddeliverydatefrom
    2/ Note you get an alert box
    3/ Apply patch, notice it is fixed
    4/ Test functionality still works
    
    Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    (cherry picked from commit 66dc4a9e7d2f11b97f1a4b0f76b5c485c3873683)
    Signed-off-by: Fridolin Somers <fridolin.somers at biblibre.com>

commit 1c82ddcaad2197a372fcc021b18548a3801440ab
Author: Chris <chris at bigballofwax.co.nz>
Date:   Sun Jun 21 08:10:20 2015 +0000

    Bug 14423 : XSS in authorities-home
    
    To test:
    1/ Hit a url like http://localhost:8081/cgi-bin/koha/authorities/authorities-home.pl?op=do_search&type=intranet&marclist=mainentry&and_or=and&operator=contains&value=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
    2/ Notice you get 3 alert boxes
    3/ Apply patch
    4/ Hit the url again, no js
    
    Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    (cherry picked from commit 4b5a87c7ec62cfb796ea7c24aec8a61039e25f5c)
    Signed-off-by: Fridolin Somers <fridolin.somers at biblibre.com>

-----------------------------------------------------------------------

Summary of changes:
 .../prog/en/includes/authorities-search.inc        |    6 ++---
 .../prog/en/modules/acqui/lateorders.tt            |    6 ++---
 .../en/modules/admin/auth_subfields_structure.tt   |   28 ++++++++++----------
 .../prog/en/modules/catalogue/results.tt           |    6 ++---
 .../prog/en/modules/serials/serials-search.tt      |   26 +++++++++---------
 .../prog/en/modules/suggestion/suggestion.tt       |   22 +++++++--------
 6 files changed, 47 insertions(+), 47 deletions(-)
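The test steps in the commit messages above are manual: load each URL with a script payload in the named parameter and watch for an alert box. The following is an added example, not Koha project code, that turns those steps into a repeatable check after the patch is applied. The script paths, fixed query parameters and parameter names are copied from the commit messages; the canary string, the classification logic, the `http_fetch` helper and the offline stand-in fetcher are constructed here. The diffstat shows that only template files changed, so the check looks for whether the injected value comes back verbatim or HTML-escaped; a verdict of "absent" means the value was not reflected in either form and needs manual review, and an "escaped" verdict only covers HTML text and quoted-attribute contexts, not values placed inside inline JavaScript.

```python
"""Reflected-XSS regression probe for the Koha pages named in this commit log.

Added example; this is not Koha project code.  The script paths, fixed query
parameters and parameter names are taken from the commit messages above.  The
canary string, the probe logic and the offline stand-in fetcher are
constructed here for illustration.
"""
from html import escape
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Base URL used by the test steps in the commit messages.
BASE = "http://localhost:8081/cgi-bin/koha"

# (script path, fixed query parameters, parameters to inject into)
TARGETS: List[Tuple[str, Dict[str, str], List[str]]] = [
    ("suggestion/suggestion.pl", {}, [
        "author", "collection_title", "copyrightdate", "isbn",
        "manageddate_from", "manageddate_to", "publishercode",
        "suggesteddate_from", "suggesteddate_to"]),
    ("serials/serials-search.pl", {"searched": "1"}, [
        "bookseller_filter", "callnumber_filter", "EAN_filter",
        "ISSN_filter", "publisher_filter", "title_filter"]),
    ("catalogue/search.pl", {}, ["limit"]),
    ("admin/auth_subfields_structure.pl", {"op": "add_form"},
     ["authtypecode", "tagfield"]),
    ("acqui/lateorders.pl", {}, ["delay"]),
    ("authorities/authorities-home.pl",
     {"op": "do_search", "type": "intranet", "marclist": "mainentry",
      "and_or": "and", "operator": "contains"}, ["value"]),
]

# Constructed canary: closes a double-quoted attribute and opens a bogus tag,
# so a verbatim reflection means the value reached the page unescaped.
CANARY = '"><xss14423>'

# HTML-escaped renderings of the canary that a template filter may emit.
ESCAPED_FORMS = (
    escape(CANARY, quote=True),                       # &quot;&gt;&lt;xss14423&gt;
    CANARY.replace('"', "&#34;").replace("<", "&lt;").replace(">", "&gt;"),
)

Fetcher = Callable[[str], str]  # URL -> response body


def build_url(script: str, fixed: Dict[str, str], param: str) -> str:
    """URL for `script` with `fixed` parameters plus `param` set to the canary."""
    query = dict(fixed)
    query[param] = CANARY
    return f"{BASE}/{script}?{urlencode(query)}"


def classify(body: str) -> str:
    """'unescaped' if the canary is reflected verbatim, 'escaped' if only an
    HTML-escaped form appears, 'absent' if neither (needs manual review)."""
    if CANARY in body:
        return "unescaped"
    if any(form in body for form in ESCAPED_FORMS):
        return "escaped"
    return "absent"


def probe(fetch: Fetcher) -> List[Tuple[str, str, str]]:
    """Inject the canary into every (script, parameter) pair and classify the
    response.  Returns (script, param, verdict) triples."""
    results = []
    for script, fixed, params in TARGETS:
        for param in params:
            body = fetch(build_url(script, fixed, param))
            results.append((script, param, classify(body)))
    return results


def findings(results: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """The (script, param) pairs that reflected the canary unescaped."""
    return [(s, p) for s, p, v in results if v == "unescaped"]


def http_fetch(url: str) -> str:
    """Real fetcher for a staff-client session; set COOKIE in the environment
    to the session cookie if the instance requires login.  Not used offline."""
    import os
    import urllib.request
    req = urllib.request.Request(url, headers={"Cookie": os.environ.get("COOKIE", "")})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def constructed_fetch(url: str) -> str:
    """Offline stand-in for http_fetch (constructed): simulates an unpatched
    suggestion.pl that echoes every parameter raw, and escaped output elsewhere."""
    parts = urlsplit(url)
    values = [v for vs in parse_qs(parts.query).values() for v in vs]
    if parts.path.endswith("/suggestion/suggestion.pl"):
        return '<input value="' + " ".join(values) + '">'
    return '<input value="' + " ".join(escape(v, quote=True) for v in values) + '">'


if __name__ == "__main__":
    for script, param, verdict in probe(constructed_fetch):
        print(f"{verdict:9s} {script} {param}")
```

Against a live instance, call `probe(http_fetch)` instead of the offline stand-in; every pair in `findings(...)` is a parameter that still reaches the page unescaped after the patch, and any "absent" verdict should be rechecked by hand in the browser as the commit messages describe.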


hooks/post-receive
-- 
main Koha release repository
