[koha-commits] main Koha release repository branch 3.20.x updated. v3.20.13-3-gdd93d0c
Git repo owner
gitmaster at git.koha-community.org
Wed Aug 3 22:25:56 CEST 2016
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, 3.20.x has been updated
via dd93d0c662f6a6c0cf2abe236559b30e99f039c4 (commit)
via 59458a37813fede6b4f278682184aa6a275f3bc0 (commit)
from 1e908ec9c647d5bc31448a1cf644d3636b2bd213 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit dd93d0c662f6a6c0cf2abe236559b30e99f039c4
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Thu May 26 11:52:19 2016 +0100
Bug 16593: Do not allow patrons to delete search history of other patrons
A malicious user can delete the search history of all other users by
correctly guessing the ID value assigned to the victim's search. As
searches are assigned values sequentially, an attacker could quickly
remove the searches belonging to all of the application's users.
To reproduce:
Login with patron A
launch a search
Note the id generated for this search history:
select id from search_history order by id desc limit 1;
Login with patron B
Hit /cgi-bin/koha/opac-search-history.pl?action=delete&id=<ID>
Note that the row is deleted in the DB
Test plan:
Confirm that this patch fixes the issue.
The same test can be made at the staff interface
Reported by Alex Middleton at Dionach
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
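The ownership check the commit message above describes, as an added example that is not Koha's code: a constructed SQLite table stands in for search_history, with the vulnerable delete (row selected by id alone) beside the fixed one (id and the session's patron must both match). The column names, patron names and function names are assumptions.

```python
import sqlite3

# Constructed sample rows (not Koha's schema): (id, userid, query).
# Ids are sequential, which is what makes them guessable.
SAMPLE_ROWS = [
    (1, "patronA", "title:koha"),
    (2, "patronB", "author:druart"),
    (3, "patronA", "subject:security"),
]


def setup_db():
    """Create an in-memory table resembling search_history and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE search_history ("
        "id INTEGER PRIMARY KEY, userid TEXT NOT NULL, query TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO search_history VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def delete_search_vulnerable(conn, session_user, search_id):
    """Before the fix: the row is chosen by the request's id alone, so any
    logged-in patron can delete any other patron's search. session_user is
    ignored, which is exactly the defect. Returns the number of rows removed."""
    cur = conn.execute("DELETE FROM search_history WHERE id = ?", (search_id,))
    conn.commit()
    return cur.rowcount


def delete_search_fixed(conn, session_user, search_id):
    """After the fix: ownership is part of the WHERE clause, so an id from the
    request only matches rows belonging to the authenticated session user.
    A guessed id for someone else's search deletes nothing (rowcount 0)."""
    cur = conn.execute(
        "DELETE FROM search_history WHERE id = ? AND userid = ?",
        (search_id, session_user),
    )
    conn.commit()
    return cur.rowcount


def remaining_ids(conn):
    """Ids still present, in order, so a caller can see what a delete touched."""
    return [row[0] for row in conn.execute("SELECT id FROM search_history ORDER BY id")]
```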
commit 59458a37813fede6b4f278682184aa6a275f3bc0
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Fri Jul 22 08:14:27 2016 +0100
Bug 16958: Fix XSS in opac-imageviewer.pl
Test plan:
Trigger
/opac-imageviewer.pl?biblionumber=14&imagenumber=7"><sCrIpT>alert(42)<%2fsCrIpT>
=> Without this patch you will see the JS alert
=> With this patch applied you won't see it
Signed-off-by: Chris Cormack <chris at bigballofwax.co.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
-----------------------------------------------------------------------
Summary of changes:
catalogue/search-history.pl | 3 ++-
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-imageviewer.tt | 6 +++---
opac/opac-search-history.pl | 3 ++-
3 files changed, 7 insertions(+), 5 deletions(-)
hooks/post-receive
--
main Koha release repository