[koha-commits] main Koha release repository branch 3.22.x updated. v3.22.02-85-gdc22711

Git repo owner gitmaster at git.koha-community.org
Fri Feb 12 09:37:00 CET 2016


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 3.22.x has been updated
       via  dc227112c835d7b5e581da44dfaedccbaf6a1203 (commit)
       via  ba754a4395bcde9bb19bcb12726aef6c45798f74 (commit)
      from  ec9fd6c43f01258d9c26a47d8b8697c62c6887bd (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit dc227112c835d7b5e581da44dfaedccbaf6a1203
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Thu Feb 11 11:32:43 2016 +0000

    Bug 15760: Fix order by direction for shelves
    
    The order_by parameters should not be "$direction $order_by" with
    quote_names enabled. The correct syntax is { -$direction => $order_by }
    
    Test plan for Opac + Staff interfaces:
    Sort list by title or whatever and change the direction
    
    Signed-off-by: Mirko Tietgen <mirko at abunchofthings.net>
    Signed-off-by: Tomas Cohen Arazi <tomascohen at unc.edu.ar>
    
    Signed-off-by: Brendan Gallagher brendan at bywatersolutions.com
    (cherry picked from commit 71d4942c30f30fdbdf89a93f59e89a4f28e0dd3f)
    Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>

commit ba754a4395bcde9bb19bcb12726aef6c45798f74
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Thu Feb 11 10:16:12 2016 +0000

    Bug 15760: Avoid SQL injections
    
    Asking on #dbix-class, ribasushi told me to set quote_names to the
    connection options.
    
    Indeed it does the fix, globally :)
    
    Test plan:
    1/ Add the following snippet to a script (mainpage.pl is a good candidate)
     use Koha::Virtualshelves;
     my $s = Koha::Virtualshelves->search({}, { order_by => '1,(select case when (3*2*1=6 AND 000227=000227) then 1 else 1*(select table_name from information_schema.tables)end)=1' });
     $s->next;
    2/ Execute the script
    => Without the patch, you should not get any error. If you have the mysql logs
    enabled, you will see the query
    => With the patch applied, you will get an "unknown column" error
    
    Signed-off-by: Mirko Tietgen <mirko at abunchofthings.net>
    Signed-off-by: Tomas Cohen Arazi <tomascohen at unc.edu.ar>
    
    Signed-off-by: Brendan Gallagher brendan at bywatersolutions.com
    (cherry picked from commit 16e55c1f3283402f766ed844baa5db333ed2f585)
    Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>

-----------------------------------------------------------------------

Summary of changes:
 Koha/Database.pm          |    1 +
 Koha/Virtualshelves.pm    |    2 +-
 opac/opac-shelves.pl      |    3 ++-
 virtualshelves/shelves.pl |    3 ++-
 4 files changed, 6 insertions(+), 3 deletions(-)
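The two commits above describe the same clause from both sides: a raw string passed as order_by is spliced into the SQL verbatim, and once quote_names is on, the whole string is quoted as one identifier, so the "$direction $order_by" form stops working and the structured { -$direction => $order_by } form is required. The following script is an added illustration and is not Koha code or part of either commit. It uses SQL::Abstract, the query builder underneath DBIx::Class, configured by hand with the backtick quote_char and "." name_sep that quote_names => 1 selects on MySQL, so the rendered ORDER BY can be inspected offline without a database. The table and column names (virtualshelves, shelfnumber, shelfname, created_on) and the safe_order_by allowlist helper are assumptions chosen for the example; the injected string is the one from the test plan.

```perl
#!/usr/bin/perl
# Added illustration, not Koha code: show what DBIx::Class hands to MySQL
# for an order_by attribute with and without identifier quoting.
use strict;
use warnings;
use SQL::Abstract;

# Builder 1 mirrors the old connection (no quote_names): identifiers are
# interpolated as given. Builder 2 mirrors quote_names => 1 on MySQL.
my $unquoted = SQL::Abstract->new;
my $quoted   = SQL::Abstract->new( quote_char => '`', name_sep => '.' );

# Constructed attacker-controlled sort parameter (the string from the test plan).
my $injected = '1,(select case when (3*2*1=6 AND 000227=000227) then 1 '
             . 'else 1*(select table_name from information_schema.tables)end)=1';

# Render SELECT ... FROM virtualshelves ORDER BY ... and return the SQL text.
# Table and column names are assumed for the example.
sub render_order_by {
    my ( $sqla, $order_by ) = @_;
    my ( $stmt, @bind ) =
      $sqla->select( 'virtualshelves', [qw(shelfnumber shelfname)], {}, $order_by );
    return $stmt;
}

# Hypothetical allowlist helper (not Koha's): only known columns and
# directions pass, and the result is the structured { -asc|-desc => column }
# form that the query builder quotes correctly.
my %allowed_column = map { $_ => 1 } qw(shelfname shelfnumber created_on);

sub safe_order_by {
    my ( $column, $direction ) = @_;
    my $col = defined $column ? $column : '';
    $col = 'shelfname' unless $allowed_column{$col};
    my $dir = ( defined $direction && $direction eq 'desc' ) ? 'desc' : 'asc';
    return { "-$dir" => $col };
}

for my $case (
    [ 'raw string, no quoting (pre-patch)',         $unquoted, $injected ],
    [ 'raw string, quote_names (post-patch)',       $quoted,   $injected ],
    [ '"$direction $order_by" string, quote_names', $quoted,   'desc shelfname' ],
    [ '{ -desc => column } hashref, quote_names',   $quoted,   { -desc => 'shelfname' } ],
    [ 'allowlisted user input, quote_names',        $quoted,   safe_order_by( $injected, 'desc' ) ],
) {
    my ( $label, $sqla, $order_by ) = @$case;
    printf "%-46s %s\n", "$label:", render_order_by( $sqla, $order_by );
}
```

The first case prints the subselect inline after ORDER BY, which is the pre-patch query that the MySQL log would show. With quoting on, the same string is emitted as a single backtick-quoted name (split only at the "." in information_schema.tables), and so is "desc shelfname": both are rejected by the server as an unknown column, which is the error the test plan expects and the reason the first commit had to move to the hashref form. Quoting turns the injection into a runtime error rather than preventing the bad value from reaching the database, so an allowlist on the column and direction, as in safe_order_by, is the check a caller should still apply to request parameters before building the order_by attribute. Against a live DBIx::Class resultset the equivalent inspection is $rs->as_query.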


hooks/post-receive
-- 
main Koha release repository

