[koha-commits] main Koha release repository branch 3.14.x updated. v3.14.16-6-gdefbfa2

Git repo owner gitmaster at git.koha-community.org
Thu Jun 25 09:50:28 CEST 2015


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 3.14.x has been updated
       via  defbfa29079e30a30544b1439f4e49fed98bd32c (commit)
       via  c3d5ded6ec06f3f2f7de8bec8850ce5a78774c54 (commit)
       via  d7fc8ddc4626824b0cebfc0734bcc600cc3a9d8b (commit)
       via  e6835bc1fd9785bf8ed8121aefaffbf9aa3e9e85 (commit)
       via  789593dcbc1664a65d5b4a5e889747ea6834e815 (commit)
       via  e52c242486f9e25b0b40e7f96198ca1c9fdb0c3b (commit)
      from  c95b80d5d9718df73f6474be0a8657eae8450de9 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit defbfa29079e30a30544b1439f4e49fed98bd32c
Author: Mason James <mtj at kohaaloha.com>
Date:   Thu Jun 25 06:38:30 2015 +1200

    Bug 14408 (3.16/3.14) regex fix for .tmpl files too
    
    (cherry picked from commit 04d1d375b1a6c9fa40d5df9559d6bd72ccf7d44d)
    Signed-off-by: Fridolin Somers <fridolin.somers at biblibre.com>

commit c3d5ded6ec06f3f2f7de8bec8850ce5a78774c54
Author: Jonathan Druart <jonathan.druart at koha-community.org>
Date:   Mon Jun 22 10:24:51 2015 +0200

    Bug 14408: Allow integers in template paths
    
    Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    (cherry picked from commit f7912f86edfae2bbf55f60cb99388113baa2752e)
    
    Conflicts:
    	C4/Auth.pm

commit d7fc8ddc4626824b0cebfc0734bcc600cc3a9d8b
Author: Jonathan Druart <jonathan.druart at koha-community.org>
Date:   Fri Jun 19 10:25:30 2015 +0200

    Bug 14408: Add tests to get_template_and_user
    
    Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    Signed-off-by: Mason James <mtj at kohaaloha.com>
    (cherry picked from commit 5aaa108274712440c98b92efdbad8657dccfad24)
    Signed-off-by: Fridolin Somers <fridolin.somers at biblibre.com>

commit e6835bc1fd9785bf8ed8121aefaffbf9aa3e9e85
Author: Chris <chris at bigballofwax.co.nz>
Date:   Mon Jun 22 05:23:52 2015 +0000

    Bug 14408 Path Traversal error
    
    Counter counter patch
    Please test well, including with the null byte %00. This uses whitelisting to only allow files ending with .tt
    and does not allow ../etc
    
    Note the previous patch tries to protect against /etc/passwd
    but //etc/passwd is now vulnerable.  I do think a whitelist is safer than trying to do a blacklist
    
    /cgi-bin/koha/svc/virtualshelves/search
    /cgi-bin/koha/svc/members/search
    
    Are vulnerable
    
    To test:
    1/ Hit /cgi-bin/koha/svc/members/search?template_path=members/tables/members_results.tt
      Notice you get a valid JSON response
    2/ Hit
    /search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
      (You may have to add more ..%2f or remove them to get the correct path)
      Notice you can see the contents of the /etc/passwd file
    3/ Hit
    /cgi-bin/koha/svc/members/search?template_path=test%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
    4/ Apply patch
    5/ Hit the first URL again; notice it still works
    6/ Hit the second URL; notice it now errors with a file not found
    7/ Hit the third URL; notice it now errors with a file not found
    
    Repeat for the other script also
    
    Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    Signed-off-by: Mason James <mtj at kohaaloha.com>
    (cherry picked from commit 9d7b5b843943b87d52c1cdd1e39da7afff5d4982)
    Signed-off-by: Fridolin Somers <fridolin.somers at biblibre.com>
    
    Conflicts:
    	C4/Auth.pm
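
An added example, not Koha's own code and not the patch pushed here: a whitelist check for a user-supplied template_path in the spirit of the approach the Bug 14408 commit message above describes, with the commit's own test-plan inputs (traversal, //etc/passwd, the null byte) run through it. template_path_is_safe, url_decode and the sample inputs are all constructed for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Whitelist, not blacklist: accept only a relative path whose directory
# segments are [A-Za-z0-9_-] (digits included, cf. "Allow integers in
# template paths") and whose file name ends in .tt or .tmpl (cf. the
# ".tmpl files too" fix). "..", empty segments (a leading "/" or "//"),
# and stray bytes such as NUL never match, so they are rejected.
sub template_path_is_safe {
    my ($path) = @_;
    return 0 unless defined $path && length $path;
    my @segments = split m{/}, $path, -1;    # -1 keeps empty fields
    my $file = pop @segments;
    for my $dir (@segments) {
        return 0 unless $dir =~ /\A[A-Za-z0-9_-]+\z/;
    }
    return $file =~ /\A[A-Za-z0-9_-]+\.(?:tt|tmpl)\z/ ? 1 : 0;
}

# Minimal %XX decoder (hypothetical helper) so the URL-encoded values from
# the test plan are checked as the CGI layer would hand them over.
sub url_decode {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Constructed inputs mirroring the commit message's test plan; 1 = allowed.
my %cases = (
    'members/tables/members_results.tt'             => 1,  # step 1
    'members/tables/members_results.tmpl'           => 1,  # .tmpl too
    'opac/2/results.tt'                             => 1,  # integers ok
    '..%2f..%2f..%2fetc%2fpasswd'                   => 0,  # step 2
    'test%2f..%2f..%2fetc%2fpasswd'                 => 0,  # step 3
    '%2f%2fetc%2fpasswd'                            => 0,  # //etc/passwd
    'members%2ftables%2fmembers_results.tt%00.txt'  => 0,  # NUL inside
    'members/tables/members_results.tt%00'          => 0,  # trailing NUL
);
for my $raw (sort keys %cases) {
    my $got = template_path_is_safe(url_decode($raw));
    printf "%-48s %s\n", $raw, $got == $cases{$raw} ? "ok" : "MISMATCH";
}
```

Every line should print "ok"; a blacklist that only strips "/etc/passwd" or "../" would let the //etc/passwd and NUL cases through, which is the point the commit message makes.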

commit 789593dcbc1664a65d5b4a5e889747ea6834e815
Author: Fridolin Somers <fridolin.somers at biblibre.com>
Date:   Thu Jun 25 09:35:39 2015 +0200

    Revert "Bug 14408 Path traversal vulnerability"
    
    This reverts commit 7c6ec195181b5cea3f108285f16afb1cd1654783.

commit e52c242486f9e25b0b40e7f96198ca1c9fdb0c3b
Author: Fridolin Somers <fridolin.somers at biblibre.com>
Date:   Thu Jun 25 09:35:37 2015 +0200

    Revert "Bug 14408: Add tests to get_template_and_user"
    
    This reverts commit 6977b5b27fc2cc6d04fbbc71ec171a23f5e71f94.

-----------------------------------------------------------------------

Summary of changes:
 C4/Auth.pm            |    5 ++---
 t/db_dependent/Auth.t |   38 +++++++++++++++++++++++++-------------
 2 files changed, 27 insertions(+), 16 deletions(-)


hooks/post-receive
-- 
main Koha release repository