[koha-commits] main Koha release repository branch 3.16.x updated. v3.16.12-7-g04d1d37
Git repo owner
gitmaster at git.koha-community.org
Wed Jun 24 21:17:03 CEST 2015
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, 3.16.x has been updated
via 04d1d375b1a6c9fa40d5df9559d6bd72ccf7d44d (commit)
via f7912f86edfae2bbf55f60cb99388113baa2752e (commit)
via 5aaa108274712440c98b92efdbad8657dccfad24 (commit)
via 9d7b5b843943b87d52c1cdd1e39da7afff5d4982 (commit)
via 9c01b36a1f38185184bfaa502f04c2e3ec63022e (commit)
via 12f30f80689ad255299faf666ac98f814e98c5a6 (commit)
from e89101271ac63d4c2d86474e0a7640b34f0e85b7 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 04d1d375b1a6c9fa40d5df9559d6bd72ccf7d44d
Author: Mason James <mtj at kohaaloha.com>
Date: Thu Jun 25 06:38:30 2015 +1200
Bug 14408 (3.16/3.14) regex fix for .tmpl files too
commit f7912f86edfae2bbf55f60cb99388113baa2752e
Author: Jonathan Druart <jonathan.druart at koha-community.org>
Date: Mon Jun 22 10:24:51 2015 +0200
Bug 14408: Allow integers in template paths
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
commit 5aaa108274712440c98b92efdbad8657dccfad24
Author: Jonathan Druart <jonathan.druart at koha-community.org>
Date: Fri Jun 19 10:25:30 2015 +0200
Bug 14408: Add tests to get_template_and_user
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit 9d7b5b843943b87d52c1cdd1e39da7afff5d4982
Author: Chris <chris at bigballofwax.co.nz>
Date: Mon Jun 22 05:23:52 2015 +0000
Bug 14408 Path Traversal error
Counter counter patch
Please test well, including with the null byte %00; this uses a whitelist to only allow files ending with .tt
and not allowing ../etc
Note the previous patch tries to protect against /etc/passwd
but //etc/passwd is now vulnerable. I do think a whitelist is safer than trying to do a blacklist
/cgi-bin/koha/svc/virtualshelves/search
/cgi-bin/koha/svc/members/search
are vulnerable.
To test:
1/ Hit /cgi-bin/koha/svc/members/search?template_path=members/tables/members_results.tt
Notice you get a valid JSON response
2/ Hit
/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
(You may have to add more ..%2f or remove them to get the correct path)
Notice you can see the contents of the /etc/passwd file
3/ Hit
/cgi-bin/koha/svc/members/search?template_path=test%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
4/ Apply patch
5/ Hit the first URL again; notice it still works
6/ Hit the second URL; notice it now errors with a file not found
7/ Hit the third URL; notice it now errors with a file not found
Repeat for the other script also
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Mason James <mtj at kohaaloha.com>
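As an added illustration of the whitelist approach the commit message above describes (example code written for this page, not Koha's own C4::Auth implementation; the function name, the exact regex and the sample paths are assumptions), the check below accepts only relative paths of safe characters ending in .tt or .tmpl and therefore rejects every traversal value from the test plan, including the %00 variant:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical validator (not Koha's C4::Auth code): accept a template path
# only if it is a relative path built from safe characters that ends in .tt
# or .tmpl (the 3.16 branch still ships .tmpl templates). Anything else,
# including a ".." segment, a leading slash or a trailing NUL byte, fails.
sub is_safe_template_path {
    my ($path) = @_;
    return 0 unless defined $path && length $path;
    # Whitelist: segments of [A-Za-z0-9_-] separated by single slashes, then
    # the suffix. Digits are permitted so a segment such as "2" still passes
    # (the "Allow integers in template paths" follow-up above). \A and \z
    # anchor to the absolute ends, so "foo.tt\0" does not match.
    return $path =~ m{\A(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.(?:tt|tmpl)\z} ? 1 : 0;
}

# Constructed sample inputs: the URL-decoded template_path values from the
# test plan plus a few edge cases, paired with the expected verdict.
my @cases = (
    [ 'members/tables/members_results.tt',          1 ],
    [ 'opac/2/results.tt',                          1 ],
    [ '../../../../../../../../etc/passwd',         0 ],
    [ 'test/../../../../../../../../etc/passwd',    0 ],
    [ '//etc/passwd',                               0 ],
    [ '/etc/passwd',                                0 ],
    [ "members/tables/members_results.tt\0",        0 ],   # %00 variant
    [ 'members/tables/members_results.tt/../x.tt',  0 ],
);

for my $case (@cases) {
    my ($path, $expected) = @$case;
    my $got = is_safe_template_path($path);
    printf "%-4s %s\n", ($got == $expected ? 'ok' : 'FAIL'), $path =~ s/\0/\\0/r;
}
```

Validating the parameter this way is independent of any later path normalisation, which is why the `//etc/passwd` case that defeated a blacklist of `/etc/passwd` is also rejected.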
commit 9c01b36a1f38185184bfaa502f04c2e3ec63022e
Author: Mason James <mtj at kohaaloha.com>
Date: Thu Jun 25 05:05:33 2015 +1200
Revert "Bug 14408 Path traversal vulnerability"
This reverts commit 0b7647eff31c85d8f7e1e5a50fd82d3b94eec816.
commit 12f30f80689ad255299faf666ac98f814e98c5a6
Author: Mason James <mtj at kohaaloha.com>
Date: Thu Jun 25 05:05:14 2015 +1200
Revert "Bug 14408: Add tests to get_template_and_user"
This reverts commit e8a3febfe7050870116db0512e1a39690a72346c.
-----------------------------------------------------------------------
Summary of changes:
C4/Auth.pm | 6 +++---
t/db_dependent/Auth.t | 38 +++++++++++++++++++++++++-------------
2 files changed, 28 insertions(+), 16 deletions(-)
hooks/post-receive
--
main Koha release repository