[koha-commits] main Koha release repository branch 3.22.x updated. v3.22.05-74-g7729ace

Git repo owner gitmaster at git.koha-community.org
Fri Apr 22 10:48:43 CEST 2016


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 3.22.x has been updated
       via  7729ace7fa6fae2aec48abe80ea36d4f81197cbe (commit)
       via  57fc49475db35b965ea50e5b60114fa46b2be37f (commit)
       via  45e39882432dd9fdae0fc1b1ef7b7b8b09a9480a (commit)
       via  201e1f239728f3656f5f71792a7d5ce9b5a05144 (commit)
       via  c97a01e1330ab5b1b1df7029d2149efa0deb19a4 (commit)
      from  2b5387e9013b0e3ecc2d6135a5a81f8d26f81329 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 7729ace7fa6fae2aec48abe80ea36d4f81197cbe
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Fri Apr 8 10:04:20 2016 +0100

    Bug 16210: Set X-Frame-Options to SAMEORIGIN in 2 other places
    
    The login page should not be displayed if the page is displayed in a
    frame.
    
    Signed-off-by: Marc Véron <veron at veron.ch>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Brendan Gallagher <bredan at bywatersolutions.com>
    (cherry picked from commit 6efa491d1b2f92fa407aa49c7b678f9b642fc83f)
    Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>

commit 57fc49475db35b965ea50e5b60114fa46b2be37f
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Fri Apr 8 10:03:24 2016 +0100

    Bug 16210: Revert OPAC changes from Bug 15111
    
    This patch reverts the changes made at the OPAC from the following
    patches:
    
    Do not include the antiClickjack legacy browser trick for greybox"
    
    Revert "Bug 15111: Do not include the antiClickjack legacy browser trick for greybox"
    This reverts commit fc640d2a86f395ad392f84314bce22e8b4dab1fe.
    
    Revert "Bug 15111: Change X-Frame-Options with SAMEORIGIN"
    This reverts commit fb167c0e4b897bf9a93b4fd6176b15e2d4dbd4df.
    
    Revert "Bug 15111 - Koha is vulnerable to Cross-Frame Scripting (XFS) attacks"
    This reverts commit dc03bca76cf5b7cb48d98d1ce245fc65b98be929.
    
    Setting X-Frame-Options to SAMEORIGIN is enough for modern browsers:
    https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
    
    The antiClickjack trick should be removed at the OPAC as we want to keep
    the OPAC usable even if the user has disabled JS.
    That means the OPAC will be vulnerable to XFS if a user is navigating
    with a prehistoric browser:
    Firefox 3.6.9 September 2010
    IE 8    March 2008
    Opera 10.5  March 2010
    Safari 4  February 2009
    Chrome 4.1.…  sometime 2010
    
    Test plan:
    Confirm that there is no regression of bug 15111 with modern browsers
    
    Signed-off-by: Marc Véron <veron at veron.ch>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Brendan Gallagher <bredan at bywatersolutions.com>
    (cherry picked from commit d496d03e8aa3079e0d29837b27b31b9a55afd02e)
    Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>

commit 45e39882432dd9fdae0fc1b1ef7b7b8b09a9480a
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Mon Feb 22 09:24:29 2016 +0000

    Bug 15111: Do not include the antiClickjack legacy browser trick for greybox
    
    Most of the scripts called via greybox (which uses iframe) don't include
    doc-head-close. But some do.
    This patch adds a popup parameter for these templates, not to include
    the legacy browser trick and avoid the replacement of the location.
    
    Test plan:
    1/ Export patroncard and label
    2/ translate itemtypes
    3/ click on an idref link at the OPAC
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    (cherry picked from commit fc640d2a86f395ad392f84314bce22e8b4dab1fe)
    Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>

commit 201e1f239728f3656f5f71792a7d5ce9b5a05144
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Fri Nov 13 08:19:57 2015 +0000

    Bug 15111: Change X-Frame-Options with SAMEORIGIN
    
    There are some places where frames are used, the greybox JS plugin for
    instance.
    
    We need either to allow them from Koha or replace this plugin.
    The easiest for now is to switch the value from DENY to SAMEORIGIN.
    
    Test plan:
    - modify a record in a batch (tools/batch_record_modification.pl)
    - click on preview marc
    => With only the previous patch you will get a blank page.
    => With this patch applied, it will work as expected.
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    (cherry picked from commit fb167c0e4b897bf9a93b4fd6176b15e2d4dbd4df)
    Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>

commit c97a01e1330ab5b1b1df7029d2149efa0deb19a4
Author: Kyle M Hall <kyle at bywatersolutions.com>
Date:   Mon Nov 2 12:11:17 2015 -0500

    Bug 15111 - Koha is vulnerable to Cross-Frame Scripting (XFS) attacks
    
    Web pages that can be embedded in frames are vulnerable to cross-frame
    scripting attacks. Cross-frame scripting is a type of phishing attack
    that involves instructions to an unsuspecting user to follow a specific
    link to update confidential information in an online application.
    Because the link leads to a legitimate page from the online application
    that is embedded in a frame hosted by the attackers' server, the
    attackers can capture all the information that the user enters.
    
    https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    (cherry picked from commit dc03bca76cf5b7cb48d98d1ce245fc65b98be929)
    Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>
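The commits above move Koha from no framing protection, to X-Frame-Options DENY (which blanked the same-origin greybox preview), to SAMEORIGIN. The following is an added example, not code from this commit series or from Koha: a small header audit that classifies a response's effective framing policy and reports whether a same-origin page (the greybox case) or a foreign origin could embed it. The header names are the real X-Frame-Options and Content-Security-Policy frame-ancestors directives; the sample header sets and the origin strings are constructed for illustration, and origins are compared as plain scheme+host+port strings.

```python
"""Classify a HTTP response's framing policy from its headers.

Added example, not Koha code. The header dictionaries and origins below
are constructed for illustration.
"""
from enum import Enum


class FramePolicy(Enum):
    DENY = "deny"              # no document may frame this page
    SAMEORIGIN = "sameorigin"  # only same-origin documents may frame it
    ALLOWLIST = "allowlist"    # CSP lists specific permitted framers
    ALLOWED = "allowed"        # no policy at all: any origin may frame it


def _header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_policy(headers):
    """Return the effective FramePolicy for a response.

    A Content-Security-Policy frame-ancestors directive takes precedence
    over X-Frame-Options when both are present; otherwise X-Frame-Options
    decides; with neither, the page is frameable by any origin.
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp:
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [s.strip("'").lower() for s in parts[1:]]
                if sources == ["none"]:
                    return FramePolicy.DENY
                if sources == ["self"]:
                    return FramePolicy.SAMEORIGIN
                return FramePolicy.ALLOWLIST
    xfo = _header(headers, "X-Frame-Options")
    if xfo:
        value = xfo.strip().upper()
        if value == "DENY":
            return FramePolicy.DENY
        if value == "SAMEORIGIN":
            return FramePolicy.SAMEORIGIN
    return FramePolicy.ALLOWED


def can_frame(headers, page_origin, framer_origin):
    """Could a document at framer_origin embed the page at page_origin?

    Simplified: an ALLOWLIST policy is treated as permitting the framer only
    when the framer appears literally in the CSP source list.
    """
    policy = frame_policy(headers)
    if policy is FramePolicy.DENY:
        return False
    if policy is FramePolicy.SAMEORIGIN:
        return page_origin == framer_origin
    if policy is FramePolicy.ALLOWLIST:
        return framer_origin.lower() in _header(headers, "Content-Security-Policy").lower()
    return True


# Constructed header sets for the three states the commit series walks through.
NO_POLICY = {"Content-Type": "text/html"}                # before Bug 15111
DENY_HEADERS = {"X-Frame-Options": "DENY"}               # first Bug 15111 patch
SAMEORIGIN_HEADERS = {"X-Frame-Options": "SAMEORIGIN"}   # follow-up patch


def audit(samples, page_origin, foreign_origin):
    """Return (label, policy name, same-origin frame ok, foreign frame ok) rows."""
    return [
        (label,
         frame_policy(h).value,
         can_frame(h, page_origin, page_origin),
         can_frame(h, page_origin, foreign_origin))
        for label, h in samples
    ]


if __name__ == "__main__":
    rows = audit(
        [("no policy", NO_POLICY), ("DENY", DENY_HEADERS), ("SAMEORIGIN", SAMEORIGIN_HEADERS)],
        "https://koha.example", "https://other.example")
    for row in rows:
        print("%-12s policy=%-11s greybox_ok=%-5s foreign_ok=%s" % row)
```

The audit makes the commit rationale concrete: DENY blocks the same-origin greybox preview along with everyone else, SAMEORIGIN keeps the preview working while refusing foreign framers, and no header at all leaves the page embeddable by any origin regardless of browser age.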

-----------------------------------------------------------------------

Summary of changes:
 C4/Auth.pm                                             |   16 ++++++++++------
 C4/Output.pm                                           |   11 ++++++-----
 .../intranet-tmpl/prog/en/includes/doc-head-close.inc  |   14 ++++++++++++++
 .../prog/en/modules/admin/localization.tt              |    2 +-
 .../prog/en/modules/labels/label-print.tt              |    2 +-
 .../intranet-tmpl/prog/en/modules/patroncards/print.tt |    2 +-
 6 files changed, 33 insertions(+), 14 deletions(-)


hooks/post-receive
-- 
main Koha release repository