[koha-commits] main Koha release repository branch master updated. v16.05.00-457-g09d0b13
Git repo owner
gitmaster at git.koha-community.org
Wed Aug 10 15:22:26 CEST 2016
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, master has been updated
via 09d0b1310bda677b6939b59ea8a68f84e2ec93f6 (commit)
from 893f6cc2633744d4f539fd1b6b9f4b8837277d2d (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 09d0b1310bda677b6939b59ea8a68f84e2ec93f6
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Thu Jul 28 12:55:43 2016 +0100
Bug 16993: Fix CSRF in memberentry.pl
If an attacker can get an authenticated Koha user to visit their page
with the url below, they can change patrons' passwords or other
patrons'details
members/memberentry.pl?op=save&destination=circ&borrowernumber=3435&password=ZZZ&password2=ZZZ&nodouble=1
Test plan:
Trigger
members/memberentry.pl?op=save&destination=circ&borrowernumber=42&password=ZZZ&password2=ZZZ&nodouble=1
=> Without this patch, the password will be updated
=> With this patch applied you will get a crash "Wrong CSRF token" (no
need to stylish)
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Amended: removed the commented use Digest::MD5-line.
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
-----------------------------------------------------------------------
Summary of changes:
.../prog/en/modules/members/memberentrygen.tt | 3 +++
members/memberentry.pl | 22 ++++++++++++++++++--
2 files changed, 23 insertions(+), 2 deletions(-)
hooks/post-receive
--
main Koha release repository
More information about the koha-commits
mailing list