[koha-commits] main Koha release repository branch 3.20.x updated. v3.20.13-6-ge4bb284

Git repo owner gitmaster at git.koha-community.org
Wed Aug 3 22:27:03 CEST 2016 

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 3.20.x has been updated
       via  e4bb28460df79282e8d9703bb979f9e70f829c0c (commit)
       via  be5d63eb8cb8543f698a0a41a88bf749c3a332e9 (commit)
       via  dbffc29ba7b55594189a923b48b6ae4086cfbe52 (commit)
      from  dd93d0c662f6a6c0cf2abe236559b30e99f039c4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit e4bb28460df79282e8d9703bb979f9e70f829c0c
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Wed May 25 17:05:58 2016 +0100

    Bug 16587: Same fixes for the staff interface
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>

commit be5d63eb8cb8543f698a0a41a88bf749c3a332e9
Author: Chris Cormack <chris at bigballofwax.co.nz>
Date:   Wed May 25 14:06:28 2016 +0000

    Bug 16587 opac-sendshelf.pl is vulnerable to XSS
    
    To test
    1/ Hit a url like
    http://localhost:8080/cgi-bin/koha/opac-sendshelf.pl?email=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3Ezz%40zz&comment=tes&shelfid=4
    2/ Notice you get a js alert
    3/ Apply patch
    4/ Notice the js is now escaped
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>

commit dbffc29ba7b55594189a923b48b6ae4086cfbe52
Author: Chris Cormack <chris at bigballofwax.co.nz>
Date:   Wed May 25 14:01:41 2016 +0000

    Bug 16587 - opac-sendbasket.pl is open to XSS
    
    To test
    1/ Hit a url like
    http://localhost:8080/cgi-bin/koha/opac-sendbasket.pl?email_add=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3Ezz%40zz&comment=tes&bib_list=3
    
    Where bib_list is a valid basket number
    2/ Notice you get a javascript alert showing
    3/ Apply patch
    4/ Notice the text is now escaped
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>

-----------------------------------------------------------------------

Summary of changes:
 koha-tmpl/intranet-tmpl/prog/en/modules/basket/sendbasketform.tt     |    2 +-
 .../intranet-tmpl/prog/en/modules/virtualshelves/sendshelfform.tt    |    2 +-
 koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-sendbasketform.tt      |    2 +-
 koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-sendshelfform.tt       |    2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)


hooks/post-receive
-- 
main Koha release repository

More information about the koha-commits mailing list