[koha-commits] main Koha release repository branch master updated. v3.22.00-492-g71d4942

Git repo owner gitmaster at git.koha-community.org
Thu Feb 11 20:38:24 CET 2016


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, master has been updated
       via  71d4942c30f30fdbdf89a93f59e89a4f28e0dd3f (commit)
       via  16e55c1f3283402f766ed844baa5db333ed2f585 (commit)
      from  a8942c28847e145f74e8373c3447313672cafe1d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 71d4942c30f30fdbdf89a93f59e89a4f28e0dd3f
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Thu Feb 11 11:32:43 2016 +0000

    Bug 15760: Fix order by direction for shelves
    
    The order_by parameters should not be "$direction $order_by" with
    quote_names enabled. The correct syntax is { -$direction => $order_by }
    
    Test plan for Opac + Staff interfaces:
    Sort list by title or whatever and change the direction
    
    Signed-off-by: Mirko Tietgen <mirko at abunchofthings.net>
    Signed-off-by: Tomas Cohen Arazi <tomascohen at unc.edu.ar>
    
    Signed-off-by: Brendan Gallagher brendan at bywatersolutions.com

commit 16e55c1f3283402f766ed844baa5db333ed2f585
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Thu Feb 11 10:16:12 2016 +0000

    Bug 15760: Avoid SQL injections
    
    When I asked on #dbix-class, ribasushi told me to set quote_names in the
    connection options.
    
    Indeed it does the fix, globally :)
    
    Test plan:
    1/ Add the following snippet to a script (mainpage.pl is a good candidate)
     use Koha::Virtualshelves;
     my $s = Koha::Virtualshelves->search({}, { order_by => '1,(select case when (3*2*1=6 AND 000227=000227) then 1 else 1*(select table_name from information_schema.tables)end)=1' });
     $s->next;
    2/ Execute the script
    => Without the patch, you should not get any error. If you have the mysql logs
    enabled, you will see the query
    => With the patch applied, you will get an "unknown column" error
    
    Signed-off-by: Mirko Tietgen <mirko at abunchofthings.net>
    Signed-off-by: Tomas Cohen Arazi <tomascohen at unc.edu.ar>
    
    Signed-off-by: Brendan Gallagher brendan at bywatersolutions.com

-----------------------------------------------------------------------

Summary of changes:
 Koha/Database.pm          |    1 +
 Koha/Virtualshelves.pm    |    2 +-
 opac/opac-shelves.pl      |    3 ++-
 virtualshelves/shelves.pl |    3 ++-
 4 files changed, 6 insertions(+), 3 deletions(-)
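The two commit messages above describe the same mechanism from both sides: quote_names makes DBIx::Class treat a scalar order_by as an identifier to be quoted (which turns the injected subquery into an "unknown column" error), and it is also why "$direction $order_by" stops working and the { -$direction => $order_by } form is needed. The following script is an added example, not code from Koha, DBIx::Class or the commits; it renders the ORDER BY clause directly with SQL::Abstract, the query builder underneath DBIx::Class, once without identifier quoting (Koha before the fix) and once with the backtick quote_char and name_sep that quote_names selects for MySQL. The sort payload is constructed for the demo (modelled on the one in the test plan, with no ";" so the default injection guard lets it through), and the column name shelfname is assumed, not taken from the page.

```perl
#!/usr/bin/env perl
# Added example (not Koha or DBIx::Class code): how SQL::Abstract renders
# a DBIx::Class-style order_by with and without identifier quoting.
use strict;
use warnings;
use SQL::Abstract;

# Constructed attacker-controlled "sort column". It contains no ';', so the
# default injection_guard of SQL::Abstract does not reject it.
my $payload = 'shelfname,(select sleep(5))';

# Builder as Koha had it before the fix: no quote_char, so a scalar
# order_by is passed through to the SQL verbatim.
my $unquoted = SQL::Abstract->new;

# Builder after the fix: quote_names => 1 in DBIx::Class sets quote_char and
# name_sep from the driver; for MySQL that is the backtick and '.'.
my $quoted = SQL::Abstract->new( quote_char => '`', name_sep => '.' );

# Render just the statement text for a given order_by value.
# Table name 'virtualshelves' and column 'shelfname' are assumed here.
sub render {
    my ( $sqla, $order_by ) = @_;
    my ( $sql, @bind ) = $sqla->select( 'virtualshelves', '*', {}, $order_by );
    return $sql;
}

# 1. Vulnerable: the subquery lands in the ORDER BY clause unchanged.
print "unquoted, payload : ", render( $unquoted, $payload ), "\n";

# 2. quote_names: the whole string is emitted as one backtick-quoted
#    identifier, which MySQL rejects with an "unknown column" error
#    instead of executing the subquery.
print "quoted,   payload : ", render( $quoted, $payload ), "\n";

# 3. Wrong with quoting: "$direction $order_by" becomes the single quoted
#    identifier `shelfname DESC`, so the list is no longer sorted.
print "quoted,   'col DIR': ", render( $quoted, 'shelfname DESC' ), "\n";

# 4. Correct form: direction as the hash key, column as the value,
#    rendered as `shelfname` DESC.
print "quoted,   hashref  : ", render( $quoted, { -desc => 'shelfname' } ), "\n";

# 5. The hashref form also refuses anything but -asc/-desc as the key, so an
#    attacker-controlled direction raises an exception rather than being
#    interpolated into the SQL.
eval { render( $quoted, { '-desc,(select sleep(5))' => 'shelfname' } ) };
print "quoted,   bad key  : ", ( $@ ? "rejected: $@" : "accepted?!" );
```

Run it with perl and compare the four rendered statements. The caveat a reviewer would add: quoting turns the injection into an error rather than silently ignoring it, and the column name still reaches the server, so a caller that accepts a user-supplied sort column should additionally check it against the allowlist of sortable columns before building the { -$direction => $order_by } hash.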


hooks/post-receive
-- 
main Koha release repository


More information about the koha-commits mailing list