[koha-commits] main Koha release repository branch master updated. v16.05.00-463-g06d1259

Git repo owner gitmaster at git.koha-community.org
Wed Aug 10 15:32:31 CEST 2016 

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, master has been updated
       via  06d1259e56e7a662b1449fa54b9b408afdbf6cc8 (commit)
       via  2785183a6b3c1bc231f78a0e506617379ea3998e (commit)
      from  01e041ca40606c48a507bc64a8e3edf7ea11b2c5 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 06d1259e56e7a662b1449fa54b9b408afdbf6cc8
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Thu Jul 28 11:54:11 2016 +0100

    Bug 16992: FIX CSRF in member-password.pl
    
    If an attacker can get an authenticated Koha user to visit their page with the
    url below, they can change patrons' passwords
    /members/member-password.pl?member=42&newpassword=hacked&newpassword2=hacked
    
    Test plan:
    
    Trigger
    /members/member-password.pl?member=42&newpassword=hacked&newpassword2=hacked
    
    => Without this patch, the password will be updated
    => With this patch applied you will get a crash "Wrong CSRF token" (no
    need to stylish)
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>

commit 2785183a6b3c1bc231f78a0e506617379ea3998e
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date:   Fri Jul 29 13:16:40 2016 +0200

    Bug 16992: [QA Follow-up] Member-password should pass an userid
    
    If we do not fill a new userid, we should keep the old one.
    Script member-password should pass that to Koha::Patron.
    Otherwise things go wrong.
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Without this patch, you could effectively disable a login.
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>

-----------------------------------------------------------------------

Summary of changes:
 .../prog/en/modules/members/member-password.tt          |    6 +++++-
 members/member-password.pl                              |   15 ++++++++++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)


hooks/post-receive
-- 
main Koha release repository

More information about the koha-commits mailing list