[koha-commits] main Koha release repository branch 3.22.x updated. v3.22.10-3-g6ea5931
Git repo owner
gitmaster at git.koha-community.org
Wed Aug 31 11:34:21 CEST 2016
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, 3.22.x has been updated
via 6ea5931cf1b1883526936015c35eca0fec07ca3d (commit)
via 7328543f23986206751f624032f6036fbe8c0e41 (commit)
via 64353ccb2dd4f276d3adb6d770daff2294614618 (commit)
from 0e7d621121821437b28fe24779bcd1cf8f9f6f04 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 6ea5931cf1b1883526936015c35eca0fec07ca3d
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Wed May 25 17:05:58 2016 +0100
Bug 16587: Same fixes for the staff interface
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
Signed-off-by: Brendan Gallagher <brendan at bywatersolutions.com>
(cherry picked from commit 120967a6a9e777d0f99300fdbb6552943ce6e9af)
Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>
commit 7328543f23986206751f624032f6036fbe8c0e41
Author: Chris Cormack <chris at bigballofwax.co.nz>
Date: Wed May 25 14:06:28 2016 +0000
Bug 16587 opac-sendshelf.pl is vulnerable to XSS
To test
1/ Hit a url like
http://localhost:8080/cgi-bin/koha/opac-sendshelf.pl?email=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3Ezz%40zz&comment=tes&shelfid=4
2/ Notice you get a js alert
3/ Apply patch
4/ Notice the js is now escaped
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
Signed-off-by: Brendan Gallagher <brendan at bywatersolutions.com>
(cherry picked from commit 4e817ee04c2b5fbc2353ff382c6630322e57d8ae)
Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>
commit 64353ccb2dd4f276d3adb6d770daff2294614618
Author: Chris Cormack <chris at bigballofwax.co.nz>
Date: Wed May 25 14:01:41 2016 +0000
Bug 16587 - opac-sendbasket.pl is open to XSS
To test
1/ Hit a url like
http://localhost:8080/cgi-bin/koha/opac-sendbasket.pl?email_add=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3Ezz%40zz&comment=tes&bib_list=3
Where bib_list is a valid basket number
2/ Notice you get a javascript alert showing
3/ Apply patch
4/ Notice the text is now escaped
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
Signed-off-by: Brendan Gallagher <brendan at bywatersolutions.com>
(cherry picked from commit 05a014b7668e0c4fa662821f7774ac733fd0cc7f)
Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>
-----------------------------------------------------------------------
Summary of changes:
koha-tmpl/intranet-tmpl/prog/en/modules/basket/sendbasketform.tt | 2 +-
.../intranet-tmpl/prog/en/modules/virtualshelves/sendshelfform.tt | 2 +-
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-sendbasketform.tt | 2 +-
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-sendshelfform.tt | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
hooks/post-receive
--
main Koha release repository
More information about the koha-commits
mailing list