[koha-commits] main Koha release repository branch master updated. v3.20.00-230-gcad134c
Git repo owner
gitmaster at git.koha-community.org
Tue Jun 23 15:18:43 CEST 2015
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, master has been updated
via cad134cd172c50dd55bf11696d69460bc2bf547d (commit)
via 55103ad860c42e5e0dc52b8d186c7266e5377f0a (commit)
via 198e6669eeb68519b4909d99631d84aed068845e (commit)
via f05931e05154cc85df4036fe7c4acdfc0ddb5995 (commit)
via fc6789c20636f8104854b74209b658634831f4e5 (commit)
via 887bb6d510aaafc94b7a59fea62f773f3ce83116 (commit)
via 603a111d3a711148fbcecd293b0a8b89fa0b0fc6 (commit)
via d87b8a5cf3458492c67c424b3f811ac0085599f0 (commit)
via a5489d993615996e1e125e945870dce92c7d1c10 (commit)
via 91a8584aa845fb1695a46fe3b89197f7d1365d94 (commit)
via c08063d037d9cff0e7b5e390919c88e5edb5a150 (commit)
via 3601c6fb1b19ef52cf441b473b34d98a17bc887a (commit)
via 98901d27be4cf6fd6210ebb32b9cddf2fcd827a0 (commit)
via d8bccd612638c4728f561972daf7f70d49d263a5 (commit)
from 64e47c63dc59669c3c651b93630c470e06107fd6 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit cad134cd172c50dd55bf11696d69460bc2bf547d
Author: Jonathan Druart <jonathan.druart at koha-community.org>
Date: Tue Jun 16 18:16:27 2015 +0200
Bug 13962: Add link to the vendor detail page
This patch 1/ uses the class of the th to filter the columns and 2/ adds
a link on the vendor name to the vendor detail page.
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
commit 55103ad860c42e5e0dc52b8d186c7266e5377f0a
Author: Katrin Fischer <Katrin.Fischer.83 at web.de>
Date: Wed Jun 10 00:34:50 2015 +0200
Bug 13962: Add vendor to acq details tab in staff
Implementing some feedback from our user meeting:
The acquisition details tab on the detail page
in staff should also show the vendor of the
order.
To test:
- Make sure AcquisitionDetails is active.
- Create an order or look up an order in the
acquisition module.
- Go to the ordered record and check the
'Acquisition details' tab
- Verify the vendor shows up there as first
column now
- Check that sorting and display of the other
columns are still working correctly
Note: Also fixes a </th> that should be a </td>
Signed-off-by: Aleisha <aleishaamohia at hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
commit 198e6669eeb68519b4909d99631d84aed068845e
Author: Jonathan Druart <jonathan.druart at koha-community.org>
Date: Tue Jun 23 10:40:15 2015 +0200
Bug 14324: Display "Add Child" for Organisations on circ/circulation.pl
On moremember, the button is displayed for Organisations.
To be consistent, it should be displayed on the circulation page too.
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
commit f05931e05154cc85df4036fe7c4acdfc0ddb5995
Author: Barton Chittenden <barton at bywatersolutions.com>
Date: Thu Jun 18 13:31:28 2015 -0700
Bug 14324: Set "adultborrower" regardless of guarantor status.
Signed-off-by: Jason Robb - SEKLS (jrobb at sekls.org)
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
commit fc6789c20636f8104854b74209b658634831f4e5
Author: Jonathan Druart <jonathan.druart at biblibre.com>
Date: Wed Apr 1 16:23:48 2015 +0200
Bug 8802: On editing a library group category type is not set
The category type was always set to 'searchdomain', because it's the
first of the dropdown list.
Test plan:
1/ Create or edit a library group
2/ Set the category type to "properties"
3/ Edit it again
4/ Confirm "properties" is correctly selected
Signed-off-by: Nick Clemens <nick at quecheelibrary.org>
Signed-off-by: Katrin Fischer <katrin.fischer at bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
commit 887bb6d510aaafc94b7a59fea62f773f3ce83116
Author: Liz Rea <wizzyrea at gmail.com>
Date: Tue Jun 23 12:37:09 2015 +1200
Bug 14423: tab characters in auth_subfields_structure
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
commit 603a111d3a711148fbcecd293b0a8b89fa0b0fc6
Author: Chris <chris at bigballofwax.co.nz>
Date: Sun Jun 21 09:35:07 2015 +0000
Bug 14423: Multiple XSS bugs in suggestion.pl
To test
1/ Hit a url like http://localhost:8081/cgi-bin/koha/suggestion/suggestion.pl?author=%22%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&accepteddate_to=
2/ Notice alert box(es)
3/ Apply patch
4/ Reload and notice alert is gone
Repeat for
collection_title
copyrightdate
isbn
manageddate_from
manageddate_to
publishercode
suggesteddate_from
suggesteddate_to
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
commit d87b8a5cf3458492c67c424b3f811ac0085599f0
Author: Chris <chris at bigballofwax.co.nz>
Date: Sun Jun 21 09:20:51 2015 +0000
Bug 14423: Multiple XSS vulnerabilities in serials-search
To test
1/ Hit a url like http://localhost:8081/cgi-bin/koha/serials/serials-search.pl?bookseller_filter=%22%22%22%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&searched=1&title_filter=
2/ Notice alert boxes
3/ Apply patch
4/ Reload, notice fixed
Repeat for
callnumber_filter
EAN_filter
ISSN_filter
publisher_filter
title_filter
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
commit a5489d993615996e1e125e945870dce92c7d1c10
Author: Chris <chris at bigballofwax.co.nz>
Date: Sun Jun 21 09:01:32 2015 +0000
Bug 14423: XSS bugs in catalogue search
To test
1/ hit a url like http://localhost:8081/cgi-bin/koha/catalogue/search.pl?limit=%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice alert boxes
3/ Apply patch
4/ Reload url, no alerts
5/ Check search still works
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
commit 91a8584aa845fb1695a46fe3b89197f7d1365d94
Author: Chris <chris at bigballofwax.co.nz>
Date: Sun Jun 21 08:46:40 2015 +0000
Bug 14423: XSS issues in marc_subfields_structure
1/ Hit a url like http://localhost:8081/cgi-bin/koha/admin/marc_subfields_structure.pl?op=add_form&tagfield=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice all the alert boxes
3/ Apply patch
4/ Reload page, no more alerts
5/ Test functionality still works
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
commit c08063d037d9cff0e7b5e390919c88e5edb5a150
Author: Chris <chris at bigballofwax.co.nz>
Date: Sun Jun 21 08:33:13 2015 +0000
Bug 14423: XSS bug in auth_subfields_structure
1/ Hit a url like http://localhost:8081/cgi-bin/koha/admin/auth_subfields_structure.pl?op=add_form&authtypecode=%27%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&tagfield=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice a ton of alert boxes pop up
3/ Apply patch
4/ Reload url, no longer get any alerts
5/ Test functionality still works
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
commit 3601c6fb1b19ef52cf441b473b34d98a17bc887a
Author: Chris <chris at bigballofwax.co.nz>
Date: Sun Jun 21 08:18:20 2015 +0000
Bug 14423: XSS bug in lateorders
1/ hit a url like http://localhost:8081/cgi-bin/koha/acqui/lateorders.pl?delay=<script>alert('oh noes')</script>&estimateddeliverydatefrom
2/ Note you get an alert box
3/ Apply patch notice it is fixed
4/ Test functionality still works
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
commit 98901d27be4cf6fd6210ebb32b9cddf2fcd827a0
Author: Chris <chris at bigballofwax.co.nz>
Date: Sun Jun 21 08:10:20 2015 +0000
Bug 14423: XSS in authorities-home
To test:
1/ Hit a url like http://localhost:8081/cgi-bin/koha/authorities/authorities-home.pl?op=do_search&type=intranet&marclist=mainentry&and_or=and&operator=contains&value=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice you get 3 alert boxes
3/ Apply patch
4/ Hit the url again, no js
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
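The Bug 14423 commits above all fix the same class of defect: a request parameter is echoed into a template without HTML escaping, so the payload in each test URL closes the surrounding attribute and injects a script tag. The following Python block is an added illustration and is not Koha code (Koha's templates are Template Toolkit, where the equivalent fix is the html filter). It takes the authorities-home test URL quoted above, renders the parameter once unescaped and once escaped with html.escape, and counts the script start tags an HTML parser would actually see. The render functions are hypothetical stand-ins for the affected templates.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Test URL quoted from the commit message for authorities-home.
TEST_URL = ("http://localhost:8081/cgi-bin/koha/authorities/authorities-home.pl"
            "?op=do_search&type=intranet&marclist=mainentry&and_or=and"
            "&operator=contains&value=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E")


def reflected_value(url):
    """Return the decoded 'value' query parameter, as the CGI script sees it."""
    return parse_qs(urlsplit(url).query)["value"][0]


def render_unsafe(value):
    # Vulnerable pattern (hypothetical template): the search term is echoed
    # into an attribute and into text content with no escaping at all.
    return (f'<input type="text" name="value" value="{value}" />\n'
            f'<h1>Results for {value}</h1>')


def render_safe(value):
    # Hardened pattern: html.escape with quote=True turns <, >, &, " and '
    # into entities, so the term can neither close the attribute nor open a tag.
    safe = html.escape(value, quote=True)
    return (f'<input type="text" name="value" value="{safe}" />\n'
            f'<h1>Results for {safe}</h1>')


class ScriptTagCounter(HTMLParser):
    """Counts <script> start tags in a document, i.e. the ones a browser would run."""

    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def live_script_tags(document):
    """Number of real <script> start tags in the rendered HTML (0 means escaped)."""
    counter = ScriptTagCounter()
    counter.feed(document)
    counter.close()
    return counter.scripts


if __name__ == "__main__":
    term = reflected_value(TEST_URL)
    print("unsafe render:", live_script_tags(render_unsafe(term)), "script tag(s)")
    print("safe render:  ", live_script_tags(render_safe(term)), "script tag(s)")
```

The same counter can be run over the HTML returned by each of the affected pages before and after the patch, which turns the manual "notice the alert boxes" step into a check that can be automated.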
commit d8bccd612638c4728f561972daf7f70d49d263a5
Author: Jonathan Druart <jonathan.druart at koha-community.org>
Date: Mon Jun 22 10:56:26 2015 +0200
Bug 14426: Escape or use placeholders for sql parameters
Is this patch enough to prevent SQL injection in borrowers_out.pl?
====================================================================
1. "Criteria" Parameter, Payload: ELT(1=1,'evil') / ELT(1=2,'evil')
====================================================================
echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=2,'evil')" | nc testbox 9002
echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=1,'evil')" | nc testbox 9002
====================================================================
2. "Filter" Parameter, Payload: P_COM'+AND+'a'='a / P_COM'+AND+'a'='b
====================================================================
echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='a" | nc testbox 9002
echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='b" | nc testbox 9002
====================================================================
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
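The Bug 14426 test plan above probes two parameters in two different positions: Filter is a value compared in the WHERE clause, while Criteria names a column. The boolean pair of payloads works because the response differs depending on whether the injected condition is true. The block below is an added illustration and is not Koha's borrowers_out.pl code: it models the report query over a constructed SQLite table, runs both Filter payloads from the commit message against an interpolated query and against a placeholder-bound one, and handles Criteria with an allow-list because a column name cannot be bound as a placeholder. The table layout and the allow-list contents are assumptions made for the example.

```python
import sqlite3

# Constructed sample rows (not Koha's real borrowers schema).
SAMPLE_BORROWERS = [
    ("B1", "P_COM", "CPL"),
    ("B2", "P_COM", "MPL"),
    ("B3", "STUDENT", "CPL"),
]

# Hypothetical allow-list for the Criteria parameter: it is used as a column
# name, which a placeholder cannot express, so it is validated instead.
ALLOWED_CRITERIA = {"branchcode", "categorycode"}

# Filter payloads quoted from the commit message's test plan (URL-decoded).
PAYLOAD_TRUE = "P_COM' AND 'a'='a"
PAYLOAD_FALSE = "P_COM' AND 'a'='b"


def open_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE borrowers (cardnumber TEXT, categorycode TEXT, branchcode TEXT)")
    conn.executemany("INSERT INTO borrowers VALUES (?, ?, ?)", SAMPLE_BORROWERS)
    return conn


def count_unsafe(conn, criteria, filter_value):
    # Vulnerable pattern: both parameters interpolated into the SQL text, so a
    # quote in filter_value rewrites the WHERE clause.
    sql = (f"SELECT {criteria}, COUNT(*) FROM borrowers "
           f"WHERE categorycode = '{filter_value}' GROUP BY {criteria}")
    return conn.execute(sql).fetchall()


def criteria_allowed(criteria):
    """True only for column names the report is meant to group by."""
    return criteria in ALLOWED_CRITERIA


def count_safe(conn, criteria, filter_value):
    # Hardened pattern: the column name must be on the allow-list and the
    # value is bound with a placeholder, never concatenated.
    if not criteria_allowed(criteria):
        raise ValueError(f"unsupported criteria: {criteria!r}")
    sql = (f"SELECT {criteria}, COUNT(*) FROM borrowers "
           f"WHERE categorycode = ? GROUP BY {criteria}")
    return conn.execute(sql, (filter_value,)).fetchall()


def boolean_signal(query_fn, criteria):
    """Row counts for the true and false payloads; a difference between the
    two is the signal a boolean-based injection test looks for."""
    conn = open_db()
    return (len(query_fn(conn, criteria, PAYLOAD_TRUE)),
            len(query_fn(conn, criteria, PAYLOAD_FALSE)))


if __name__ == "__main__":
    print("interpolated query:", boolean_signal(count_unsafe, "branchcode"))
    print("placeholder query: ", boolean_signal(count_safe, "branchcode"))
    print("ELT(1=1,'evil') as Criteria allowed:", criteria_allowed("ELT(1=1,'evil')"))
```

With interpolation the true payload returns one row per branch holding P_COM borrowers and the false payload returns none, which is exactly the difference the two nc requests in the test plan compare. With the placeholder, the whole payload is treated as a literal category code that matches nothing, so both requests produce the same output and the probe learns nothing; the Criteria payload is rejected before any SQL is built.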
-----------------------------------------------------------------------
Summary of changes:
admin/branches.pl | 2 +-
circ/circulation.pl | 4 +-
.../prog/en/includes/authorities-search.inc | 6 +--
.../prog/en/modules/acqui/lateorders.tt | 6 +--
.../en/modules/admin/auth_subfields_structure.tt | 28 ++++++-------
.../en/modules/admin/marc_subfields_structure.tt | 28 ++++++-------
.../prog/en/modules/catalogue/detail.tt | 16 +++++---
.../prog/en/modules/catalogue/results.tt | 6 +--
.../prog/en/modules/serials/serials-search.tt | 26 ++++++-------
.../prog/en/modules/suggestion/suggestion.tt | 22 +++++------
members/moremember.pl | 3 +-
reports/borrowers_out.pl | 41 +++++++++++++-------
12 files changed, 103 insertions(+), 85 deletions(-)