[koha-commits] main Koha release repository branch 3.20.x updated. v3.20.13-6-ge4bb284
Git repo owner
gitmaster at git.koha-community.org
Wed Aug 3 22:27:03 CEST 2016
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, 3.20.x has been updated
via e4bb28460df79282e8d9703bb979f9e70f829c0c (commit)
via be5d63eb8cb8543f698a0a41a88bf749c3a332e9 (commit)
via dbffc29ba7b55594189a923b48b6ae4086cfbe52 (commit)
from dd93d0c662f6a6c0cf2abe236559b30e99f039c4 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit e4bb28460df79282e8d9703bb979f9e70f829c0c
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Wed May 25 17:05:58 2016 +0100
Bug 16587: Same fixes for the staff interface
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
commit be5d63eb8cb8543f698a0a41a88bf749c3a332e9
Author: Chris Cormack <chris at bigballofwax.co.nz>
Date: Wed May 25 14:06:28 2016 +0000
Bug 16587 opac-sendshelf.pl is vulnerable to XSS
To test
1/ Hit a url like
http://localhost:8080/cgi-bin/koha/opac-sendshelf.pl?email=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3Ezz%40zz&comment=tes&shelfid=4
2/ Notice you get a js alert
3/ Apply patch
4/ Notice the js is now escaped
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
commit dbffc29ba7b55594189a923b48b6ae4086cfbe52
Author: Chris Cormack <chris at bigballofwax.co.nz>
Date: Wed May 25 14:01:41 2016 +0000
Bug 16587 - opac-sendbasket.pl is open to XSS
To test
1/ Hit a url like
http://localhost:8080/cgi-bin/koha/opac-sendbasket.pl?email_add=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3Ezz%40zz&comment=tes&bib_list=3
Where bib_list is a valid basket number
2/ Notice you get a javascript alert showing
3/ Apply patch
4/ Notice the text is now escaped
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
-----------------------------------------------------------------------
Summary of changes:
koha-tmpl/intranet-tmpl/prog/en/modules/basket/sendbasketform.tt | 2 +-
.../intranet-tmpl/prog/en/modules/virtualshelves/sendshelfform.tt | 2 +-
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-sendbasketform.tt | 2 +-
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-sendshelfform.tt | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
hooks/post-receive
--
main Koha release repository
More information about the koha-commits
mailing list