[koha-commits] main Koha release repository branch 3.14.x updated. v3.14.15-28-g6977b5b

Git repo owner gitmaster at git.koha-community.org
Tue Jun 23 17:49:40 CEST 2015


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 3.14.x has been updated
       via  6977b5b27fc2cc6d04fbbc71ec171a23f5e71f94 (commit)
       via  7c6ec195181b5cea3f108285f16afb1cd1654783 (commit)
       via  94c66f92ee11b81889dd6550acd664f2344cd19f (commit)
       via  944c786441c2fccaf786220c33a0f141cc94b999 (commit)
       via  a1bc481b33fb3075b8bb8949bb8c34fb94286223 (commit)
       via  1f7fa4fadcd9037a7ebefacde63aea607e913c08 (commit)
      from  910951512bd240df36ab18f3eb083afe0d75dfaf (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 6977b5b27fc2cc6d04fbbc71ec171a23f5e71f94
Author: Jonathan Druart <jonathan.druart at koha-community.org>
Date:   Fri Jun 19 10:25:30 2015 +0200

    Bug 14408: Add tests to get_template_and_user
    
    Signed-off-by: Katrin Fischer <katrin.fischer at bsz-bw.de>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    Signed-off-by: Mason James <mtj at kohaaloha.com>
    (cherry picked from commit e8a3febfe7050870116db0512e1a39690a72346c)
    Signed-off-by: Fridolin Somers <fridolin.somers at biblibre.com>

commit 7c6ec195181b5cea3f108285f16afb1cd1654783
Author: Jonathan Druart <jonathan.druart at koha-community.org>
Date:   Fri Jun 19 10:12:45 2015 +0200

    Bug 14408 Path traversal vulnerability
    
    /cgi-bin/koha/svc/virtualshelves/search
    /cgi-bin/koha/svc/members/search
    
    Are vulnerable
    
    To test:
    1/ Hit /cgi-bin/koha/svc/members/search?template_path=members/tables/members_results.tt
      Notice you get a valid JSON response
    2/ Hit
    /search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
      (You may have to add more ..%2f or remove them to get the correct path)
      Notice you can see the contents of the /etc/passwd file
    3/ Hit
    /cgi-bin/koha/svc/members/search?template_path=test%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
    4/ Apply patch
    5/ Hit the first url again, notice it still works
    6/ Hit the second url, notice it now errors with a file not found
    7/ Hit the third url, notice it now errors with a file not found
    
    Repeat for the other script also
    
    Signed-off-by: Katrin Fischer <katrin.fischer at bsz-bw.de>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    Signed-off-by: Mason James <mtj at kohaaloha.com>
    (cherry picked from commit 0b7647eff31c85d8f7e1e5a50fd82d3b94eec816)
    Signed-off-by: Fridolin Somers <fridolin.somers at biblibre.com>
    
    Conflicts:
    	C4/Auth.pm

commit 94c66f92ee11b81889dd6550acd664f2344cd19f
Author: Fridolin Somers <fridolin.somers at biblibre.com>
Date:   Tue Jun 23 17:49:32 2015 +0200

    Revert "Bug 14408: Path Traversal error"
    
    This reverts commit 2870086da0070dad38bdb4a22be9e07dd1c8c713.

commit 944c786441c2fccaf786220c33a0f141cc94b999
Author: Fridolin Somers <fridolin.somers at biblibre.com>
Date:   Tue Jun 23 17:49:30 2015 +0200

    Revert "Bug 14408: Add tests to get_template_and_user"
    
    This reverts commit 656b2dc36c324b7368c4541ff6288c9451a774bb.

commit a1bc481b33fb3075b8bb8949bb8c34fb94286223
Author: Fridolin Somers <fridolin.somers at biblibre.com>
Date:   Tue Jun 23 17:49:27 2015 +0200

    Revert "Bug 14408: Allow integers in template paths"
    
    This reverts commit 253b6f1f51cc73f36829658be5c8d905b2e36909.

commit 1f7fa4fadcd9037a7ebefacde63aea607e913c08
Author: Fridolin Somers <fridolin.somers at biblibre.com>
Date:   Tue Jun 23 17:49:23 2015 +0200

    Revert "Bug 14408: Allow tmpl and empty in template paths"
    
    This reverts commit 4e1b447b4cd9e4781b03fbf78fe027ca80580a33.

-----------------------------------------------------------------------

Summary of changes:
 C4/Auth.pm            |    5 +++--
 t/db_dependent/Auth.t |   38 +++++++++++++-------------------------
 2 files changed, 16 insertions(+), 27 deletions(-)


hooks/post-receive
-- 
main Koha release repository
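
An added example, not Koha's code and not the fix committed for Bug 14408: a Perl check that accepts the first template_path value from the test plan above and rejects the two traversal values. The function names and the rule of refusing any ".." segment are assumptions made for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Undo URL percent-encoding. A CGI layer normally does this once already;
# it is done here so the test-plan strings can be used verbatim.
sub percent_decode {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Return a normalised relative template path, or nothing if the value
# is absolute, empty, contains a NUL byte or has any ".." segment.
sub safe_template_path {
    my ($raw) = @_;
    my $path = percent_decode($raw);
    return if $path =~ /\0/ || $path =~ m{^/};
    my @segments;
    for my $seg (split m{/+}, $path) {
        next if $seg eq '' || $seg eq '.';
        return if $seg eq '..';
        push @segments, $seg;
    }
    return unless @segments;
    return join '/', @segments;
}

# Values modelled on the three test-plan URLs (repeat count is arbitrary).
my @cases = (
    'members/tables/members_results.tt',
    '..%2f' x 8 . 'etc%2fpasswd',
    'test%2f' . '..%2f' x 8 . 'etc%2fpasswd',
);

for my $raw (@cases) {
    my $ok = safe_template_path($raw);
    printf "%-6s %s\n", (defined $ok ? 'accept' : 'reject'), $raw;
}
```

The third case shows why checking only the start of the value is not enough: a harmless-looking first segment can be followed by ".." segments that climb out of the template directory.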

