[koha-commits] main Koha release repository branch 3.20.x updated. v3.20.13-3-gdd93d0c

Git repo owner gitmaster at git.koha-community.org
Wed Aug 3 22:25:56 CEST 2016


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 3.20.x has been updated
       via  dd93d0c662f6a6c0cf2abe236559b30e99f039c4 (commit)
       via  59458a37813fede6b4f278682184aa6a275f3bc0 (commit)
      from  1e908ec9c647d5bc31448a1cf644d3636b2bd213 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit dd93d0c662f6a6c0cf2abe236559b30e99f039c4
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Thu May 26 11:52:19 2016 +0100

    Bug 16593: Do not allow patrons to delete search history of other patrons
    
    A malicious user can delete the search history of all other users by
    correctly guessing the ID value assigned to the victim's search. As
    searches are assigned values sequentially, an attacker could quickly
    remove the searches belonging to all of the application's users.
    
    To reproduce:
    Login with patron A
    launch a search
    Note the id generated for this search history:
    select id from search_history order by id desc limit 1;
    Login with patron B
    Hit /cgi-bin/koha/opac-search-history.pl?action=delete&id=<ID>
    Note that the row is deleted in the DB
    
    Test plan
    Confirm that this patch fixes the issue.
    The same test can be made at the staff interface
    
    Reported by Alex Middleton at Dionach
    
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>

commit 59458a37813fede6b4f278682184aa6a275f3bc0
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Fri Jul 22 08:14:27 2016 +0100

    Bug 16958: Fix XSS in opac-imageviewer.pl
    
    Test plan:
    Trigger
    /opac-imageviewer.pl?biblionumber=14&imagenumber=7"><sCrIpT>alert(42)<%2fsCrIpT>
    
    => Without this patch you will see the JS alert
    => With this patch applied you won't see it
    
    Signed-off-by: Chris Cormack <chris at bigballofwax.co.nz>
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>

-----------------------------------------------------------------------
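The first commit above (Bug 16593) describes an insecure direct object reference: the delete handler looked a search_history row up by its sequential id alone, never by who owns it. As an added illustration (editor's example, not Koha's Perl code; the two-column table is a constructed, simplified stand-in for Koha's search_history table), here is the unscoped delete beside the ownership-scoped one, using sqlite so it runs offline:

```python
"""Bug 16593 in miniature: deleting a row by id alone vs. by id AND owner."""
import sqlite3


def make_db():
    """Constructed sample data: patron A (userid 1) and patron B (userid 2)
    each have one saved search. Real Koha rows carry more columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE search_history ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " userid INTEGER NOT NULL,"
        " query_desc TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO search_history (userid, query_desc) VALUES (?, ?)",
        [(1, "ti:dune"), (2, "au:herbert")],
    )
    conn.commit()
    return conn


def delete_search_vulnerable(conn, search_id, current_userid):
    """Before the fix: the logged-in patron is known but never consulted,
    so any guessable id (they are sequential) is deleted."""
    cur = conn.execute("DELETE FROM search_history WHERE id = ?", (search_id,))
    conn.commit()
    return cur.rowcount  # rows removed


def delete_search_fixed(conn, search_id, current_userid):
    """After the fix: ownership is part of the WHERE clause, so a row that
    belongs to another patron matches nothing and rowcount is 0."""
    cur = conn.execute(
        "DELETE FROM search_history WHERE id = ? AND userid = ?",
        (search_id, current_userid),
    )
    conn.commit()
    return cur.rowcount


def remaining_owners(conn):
    """userid of every surviving row, in id order."""
    return [r[0] for r in conn.execute("SELECT userid FROM search_history ORDER BY id")]


def demo():
    """Patron B (userid 2) asks to delete patron A's search (id 1) through each handler."""
    conn = make_db()
    fixed = delete_search_fixed(conn, 1, current_userid=2)  # 0: nothing to delete
    vuln = delete_search_vulnerable(conn, 1, current_userid=2)  # 1: A's row is gone
    return {"fixed_deleted": fixed, "vulnerable_deleted": vuln, "owners_left": remaining_owners(conn)}
```

A row count of 0 from the scoped delete is the normal "not yours" outcome, and a delete handler that takes an id but never binds the session's userid into the query is the review pattern to look for.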

Summary of changes:
 catalogue/search-history.pl                                  |    3 ++-
 koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-imageviewer.tt |    6 +++---
 opac/opac-search-history.pl                                  |    3 ++-
 3 files changed, 7 insertions(+), 5 deletions(-)


hooks/post-receive
-- 
main Koha release repository