[koha-commits] main Koha release repository branch 3.14.x updated. v3.14.15-22-g9109515
Git repo owner
gitmaster at git.koha-community.org
Tue Jun 23 14:44:40 CEST 2015
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, 3.14.x has been updated
via 910951512bd240df36ab18f3eb083afe0d75dfaf (commit)
via 9e704e2b289dc8a9e90108b2d2a5c9266c347171 (commit)
via 94c70537c62e25ac0ed8a5cb71c10c3315653e2d (commit)
via 735ec07ca761dced366adc2711fb266bbc150099 (commit)
via ebc7b2a033d7a80e09dbb0cb51c83029f505d3fc (commit)
via 1c82ddcaad2197a372fcc021b18548a3801440ab (commit)
from 533186576bf8885eda8b39cb61bb72388a4d9545 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 910951512bd240df36ab18f3eb083afe0d75dfaf
Author: Chris <chris at bigballofwax.co.nz>
Date: Sun Jun 21 09:35:07 2015 +0000
Bug 14423 : Multiple XSS bugs in suggestion.pl
To test
1/ Hit a url like http://localhost:8081/cgi-bin/koha/suggestion/suggestion.pl?author=%22%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&accepteddate_to=
2/ Notice alert box(es)
3/ Apply patch
4/ Reload and notice alert is gone
Repeat for
collection_title
copyrightdate
isbn
manageddate_from
manageddate_to
publishercode
suggesteddate_from
suggesteddate_to
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
(cherry picked from commit a4310e870247cb57cb1cbca55fed749d63469dcf)
Signed-off-by: Fridolin Somers <fridolin.somers at biblibre.com>
commit 9e704e2b289dc8a9e90108b2d2a5c9266c347171
Author: Chris <chris at bigballofwax.co.nz>
Date: Sun Jun 21 09:20:51 2015 +0000
Bug 14423 : Multiple XSS vulnerabilities in serials-search
To test
1/ Hit a url like http://localhost:8081/cgi-bin/koha/serials/serials-search.pl?bookseller_filter=%22%22%22%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&searched=1&title_filter=
2/ Notice alert boxes
3/ Apply patch
4/ Reload, notice fixed
Repeat for
callnumber_filter
EAN_filter
ISSN_filter
publisher_filter
title_filter
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
(cherry picked from commit bab7a33c2d6b4774dd96af1d10f72620802e9b4e)
Signed-off-by: Fridolin Somers <fridolin.somers at biblibre.com>
Conflicts:
koha-tmpl/intranet-tmpl/prog/en/modules/serials/serials-search.tt
commit 94c70537c62e25ac0ed8a5cb71c10c3315653e2d
Author: Chris <chris at bigballofwax.co.nz>
Date: Sun Jun 21 09:01:32 2015 +0000
Bug 14423 : XSS bugs in catalogue search
To test
1/ hit a url like http://localhost:8081/cgi-bin/koha/catalogue/search.pl?limit=%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice alert boxes
3/ Apply patch
4/ Reload url, no alerts
5/ Check search still works
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
(cherry picked from commit 48af13bd1a0eff3162d5e8edb867a701e233e5da)
Signed-off-by: Fridolin Somers <fridolin.somers at biblibre.com>
commit 735ec07ca761dced366adc2711fb266bbc150099
Author: Chris <chris at bigballofwax.co.nz>
Date: Sun Jun 21 08:33:13 2015 +0000
Bug 14423 XSS bug in auth_subfields_structure
1/ Hit a url like http://localhost:8081/cgi-bin/koha/admin/auth_subfields_structure.pl?op=add_form&authtypecode=%27%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&tagfield=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice a ton of alert boxes pop up
3/ Apply patch
4/ Reload url, no longer get any alerts
5/ Test functionality still works
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
(cherry picked from commit d35384c039b8db00659d1cd0ee08cfb50c45481e)
Signed-off-by: Fridolin Somers <fridolin.somers at biblibre.com>
commit ebc7b2a033d7a80e09dbb0cb51c83029f505d3fc
Author: Chris <chris at bigballofwax.co.nz>
Date: Sun Jun 21 08:18:20 2015 +0000
Bug 14423 : XSS bug in lateorders
1/ hit a url like http://localhost:8081/cgi-bin/koha/acqui/lateorders.pl?delay=<script>alert('oh noes')</script>&estimateddeliverydatefrom
2/ Note you get an alert box
3/ Apply patch notice it is fixed
4/ Test functionality still works
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
(cherry picked from commit 66dc4a9e7d2f11b97f1a4b0f76b5c485c3873683)
Signed-off-by: Fridolin Somers <fridolin.somers at biblibre.com>
commit 1c82ddcaad2197a372fcc021b18548a3801440ab
Author: Chris <chris at bigballofwax.co.nz>
Date: Sun Jun 21 08:10:20 2015 +0000
Bug 14423 : XSS in authorities-home
To test:
1/ Hit a url like http://localhost:8081/cgi-bin/koha/authorities/authorities-home.pl?op=do_search&type=intranet&marclist=mainentry&and_or=and&operator=contains&value=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice you get 3 alert boxes
3/ Apply patch
4/ Hit the url again, no js
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
(cherry picked from commit 4b5a87c7ec62cfb796ea7c24aec8a61039e25f5c)
Signed-off-by: Fridolin Somers <fridolin.somers at biblibre.com>
-----------------------------------------------------------------------
Summary of changes:
.../prog/en/includes/authorities-search.inc | 6 ++---
.../prog/en/modules/acqui/lateorders.tt | 6 ++---
.../en/modules/admin/auth_subfields_structure.tt | 28 ++++++++++----------
.../prog/en/modules/catalogue/results.tt | 6 ++---
.../prog/en/modules/serials/serials-search.tt | 26 +++++++++---------
.../prog/en/modules/suggestion/suggestion.tt | 22 +++++++--------
6 files changed, 47 insertions(+), 47 deletions(-)
hooks/post-receive
--
main Koha release repository