[koha-commits] main Koha release repository branch 3.22.x updated. v3.22.09-8-geb991bf

Git repo owner gitmaster at git.koha-community.org
Tue Aug 16 14:19:07 CEST 2016


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 3.22.x has been updated
       via  eb991bfcf96290aabf0c05085a8eaedafc530530 (commit)
      from  b3266093f8c9e2d989dfc13a566958d617fafd26 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit eb991bfcf96290aabf0c05085a8eaedafc530530
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Thu May 26 11:52:19 2016 +0100

    Bug 16593: Do not allow patrons to delete search history of other patrons
    
    A malicious user can delete the search history of all other users by
    correctly guessing the ID value assigned to the victim's search. As
    searches are assigned values sequentially, an attacker could quickly
    remove the searches belonging to all of the application's users.
    
    To reproduce:
    Login with patron A
    launch a search
    Note the id generated for this search history:
    select id from search_history order by id desc limit 1;
    Login with patron B
    Hit /cgi-bin/koha/opac-search-history.pl?action=delete&id=<ID>
    Note that the row is deleted in the DB
    
    Test plan
    Confirm that this patch fixes the issue.
    The same test can be made at the staff interface
    
    Reported by Alex Middleton at Dionach
    
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    (cherry picked from commit f01720808a574af9872ef3f562a8f3cee7f81060)
    Signed-off-by: Frédéric Demians <f.demians at tamil.fr>
    (cherry picked from commit 0974bb38889dc5ca2b0abf68715a296d49087f3e)
    Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>

-----------------------------------------------------------------------

Summary of changes:
 catalogue/search-history.pl |    3 ++-
 opac/opac-search-history.pl |    3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
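The vulnerable and the corrected delete handler side by side, as an added Python/sqlite illustration that is not Koha's code (Koha's scripts are Perl and the real search_history table has more columns; the table, rows and user ids here are constructed). The point of the fix: the DELETE is bound to the logged-in patron's identity taken from the session, never to anything supplied in the request.

```python
import sqlite3


def make_db():
    # Constructed stand-in for Koha's search_history table: two patrons,
    # one saved search each. Ids are sequential, as described in the report.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE search_history ("
        "id INTEGER PRIMARY KEY AUTOINCREMENT, "
        "userid INTEGER NOT NULL, query_desc TEXT NOT NULL)"
    )
    db.executemany(
        "INSERT INTO search_history (userid, query_desc) VALUES (?, ?)",
        [(1, "kw:perl"), (2, "kw:koha")],
    )
    db.commit()
    return db


def delete_search_vulnerable(db, search_id):
    # Pre-fix behaviour: the row named in the request is deleted and the
    # caller's identity is never consulted, so any patron can remove any row.
    cur = db.execute("DELETE FROM search_history WHERE id = ?", (search_id,))
    db.commit()
    return cur.rowcount


def delete_search_fixed(db, search_id, session_userid):
    # Post-fix behaviour: ownership is enforced in the same statement. A row
    # belonging to another patron simply does not match, so nothing happens.
    # session_userid must come from the authenticated session, not the URL.
    cur = db.execute(
        "DELETE FROM search_history WHERE id = ? AND userid = ?",
        (search_id, session_userid),
    )
    db.commit()
    return cur.rowcount


def remaining_ids(db, userid):
    rows = db.execute(
        "SELECT id FROM search_history WHERE userid = ? ORDER BY id", (userid,)
    )
    return [r[0] for r in rows]


def demo():
    # Patron B (userid 2) sends a delete request naming patron A's row (id 1).
    vulnerable = delete_search_vulnerable(make_db(), 1)   # 1: A's row is gone
    db = make_db()
    fixed = delete_search_fixed(db, 1, 2)                  # 0: nothing matched
    return vulnerable, fixed, remaining_ids(db, 1)         # A's row survives
```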


hooks/post-receive
-- 
main Koha release repository