[koha-commits] main Koha release repository branch 3.16.x updated. v3.16.12-7-g04d1d37

Git repo owner gitmaster at git.koha-community.org
Wed Jun 24 21:17:03 CEST 2015


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 3.16.x has been updated
       via  04d1d375b1a6c9fa40d5df9559d6bd72ccf7d44d (commit)
       via  f7912f86edfae2bbf55f60cb99388113baa2752e (commit)
       via  5aaa108274712440c98b92efdbad8657dccfad24 (commit)
       via  9d7b5b843943b87d52c1cdd1e39da7afff5d4982 (commit)
       via  9c01b36a1f38185184bfaa502f04c2e3ec63022e (commit)
       via  12f30f80689ad255299faf666ac98f814e98c5a6 (commit)
      from  e89101271ac63d4c2d86474e0a7640b34f0e85b7 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 04d1d375b1a6c9fa40d5df9559d6bd72ccf7d44d
Author: Mason James <mtj at kohaaloha.com>
Date:   Thu Jun 25 06:38:30 2015 +1200

    Bug 14408 (3.16/3.14) regex fix for .tmpl files too

commit f7912f86edfae2bbf55f60cb99388113baa2752e
Author: Jonathan Druart <jonathan.druart at koha-community.org>
Date:   Mon Jun 22 10:24:51 2015 +0200

    Bug 14408: Allow integers in template paths
    
    Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>

commit 5aaa108274712440c98b92efdbad8657dccfad24
Author: Jonathan Druart <jonathan.druart at koha-community.org>
Date:   Fri Jun 19 10:25:30 2015 +0200

    Bug 14408: Add tests to get_template_and_user
    
    Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    Signed-off-by: Mason James <mtj at kohaaloha.com>

commit 9d7b5b843943b87d52c1cdd1e39da7afff5d4982
Author: Chris <chris at bigballofwax.co.nz>
Date:   Mon Jun 22 05:23:52 2015 +0000

    Bug 14408 Path Traversal error
    
    Counter counter patch
    Please test well, including with the null byte %00. This uses a whitelist to only allow files ending with .tt
    and not allow ../ etc.
    
    Note the previous patch tries to protect against /etc/passwd
    but //etc/passwd is now vulnerable. I do think a whitelist is safer than trying to do a blacklist.
    
    /cgi-bin/koha/svc/virtualshelves/search
    /cgi-bin/koha/svc/members/search
    
    Are vulnerable
    
    To test:
    1/ Hit /cgi-bin/koha/svc/members/search?template_path=members/tables/members_results.tt
      Notice you get a valid JSON response
    2/ Hit
    /search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
      (You may have to add more ..%2f or remove them to get the correct path)
      Notice you can see the contents of the /etc/passwd file
    3/ Hit
    /cgi-bin/koha/svc/members/search?template_path=test%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
    4/ Apply patch
    5/ Hit the first url again; notice it still works
    6/ Hit the second url; notice it now errors with a file not found
    7/ Hit the third url; notice it now errors with a file not found
    
    Repeat for the other script also
    
    Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    Signed-off-by: Mason James <mtj at kohaaloha.com>
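As an added illustration (not Koha's code, and not taken from the patch itself) of the allowlist approach the commit above argues for: a Python check that accepts only relative template paths built from plain segments and ending in .tt or .tmpl, so traversal sequences, doubled slashes and embedded NUL bytes fail by construction rather than by a denylist. The template root, the function names and the sample inputs are assumptions constructed here.

```python
import os
import re

# Added illustration of an allowlist check for a user-supplied template_path,
# in the spirit of the Bug 14408 fix described above. Not Koha's code: the root
# directory, the function names and the sample inputs are constructed here.
TEMPLATE_ROOT = "/srv/koha/intranet-tmpl"  # assumed location, not a real Koha path

# Allowlist, not denylist: one or more segments of letters, digits, '_' or '-'
# (so integers are allowed, as the follow-up commit requires), separated by a
# single '/', ending in .tt or .tmpl (the 3.16.x follow-up adds .tmpl). Because
# '.' is not a segment character, ".." can never appear; because segments are
# non-empty, "//" cannot either; NUL and newline simply do not match.
_SAFE_TEMPLATE = re.compile(r"^(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.(?:tt|tmpl)$")


def is_safe_template_path(template_path: str) -> bool:
    """Return True only if template_path matches the allowlist exactly."""
    # fullmatch (rather than match with '$') so a trailing "\n" fails as well.
    return _SAFE_TEMPLATE.fullmatch(template_path) is not None


def resolve_template(template_path: str, root: str = TEMPLATE_ROOT) -> str:
    """Map an allowlisted template_path to an absolute file under root.

    Raises ValueError for anything the allowlist rejects and, as defence in
    depth, for any resolved path that does not stay inside root."""
    if not is_safe_template_path(template_path):
        raise ValueError(f"template path rejected by allowlist: {template_path!r}")
    root = os.path.normpath(root)
    full = os.path.normpath(os.path.join(root, template_path))
    if os.path.commonpath([root, full]) != root:
        raise ValueError(f"template path escapes template root: {template_path!r}")
    return full


if __name__ == "__main__":
    # Constructed inputs mirroring the test plan above: the first is the valid
    # request, the rest are the variants the commit says must now fail.
    for candidate in (
        "members/tables/members_results.tt",
        "../../../../etc/passwd",
        "test/../../../../etc/passwd",
        "//etc/passwd",
        "members/tables/members_results.tt\x00",
    ):
        verdict = "accept" if is_safe_template_path(candidate) else "reject"
        print(f"{verdict:6} {candidate!r}")
```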

commit 9c01b36a1f38185184bfaa502f04c2e3ec63022e
Author: Mason James <mtj at kohaaloha.com>
Date:   Thu Jun 25 05:05:33 2015 +1200

    Revert "Bug 14408 Path traversal vulnerability"
    
    This reverts commit 0b7647eff31c85d8f7e1e5a50fd82d3b94eec816.

commit 12f30f80689ad255299faf666ac98f814e98c5a6
Author: Mason James <mtj at kohaaloha.com>
Date:   Thu Jun 25 05:05:14 2015 +1200

    Revert "Bug 14408: Add tests to get_template_and_user"
    
    This reverts commit e8a3febfe7050870116db0512e1a39690a72346c.

-----------------------------------------------------------------------

Summary of changes:
 C4/Auth.pm            |    6 +++---
 t/db_dependent/Auth.t |   38 +++++++++++++++++++++++++-------------
 2 files changed, 28 insertions(+), 16 deletions(-)


hooks/post-receive
-- 
main Koha release repository

