[koha-commits] main Koha release repository branch master updated. v16.05.00-153-gf017208

Git repo owner gitmaster at git.koha-community.org
Fri Jun 24 13:46:24 CEST 2016


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, master has been updated
       via  f01720808a574af9872ef3f562a8f3cee7f81060 (commit)
      from  33f1354b7b50390b43e5a2f66e1abe58817e6d4d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f01720808a574af9872ef3f562a8f3cee7f81060
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Thu May 26 11:52:19 2016 +0100

    Bug 16593: Do not allow patrons to delete search history of other patrons
    
    A malicious user can delete the search history of all other users by
    correctly guessing the ID value assigned to the victim's search. As
    searches are assigned values sequentially, an attacker could quickly
    remove the searches belonging to all of the application's users.
    
    To reproduce:
    Log in with patron A
    launch a search
    Note the id generated for this search history:
    select id from search_history order by id desc limit 1;
    Log in with patron B
    Hit /cgi-bin/koha/opac-search-history.pl?action=delete&id=<ID>
    Note that the row is deleted in the DB
    
    Test plan
    Confirm that this patch fixes the issue.
    The same test can be made at the staff interface
    
    Reported by Alex Middleton at Dionach
    
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>

-----------------------------------------------------------------------

Summary of changes:
 catalogue/search-history.pl |    3 ++-
 opac/opac-search-history.pl |    3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
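The bug described in the commit message is a missing ownership check on a delete action: the row is looked up by its sequential id alone, so any logged-in patron can remove any row. The following is an added illustration, not Koha's own Perl code and not the diff referenced above; it models the `search_history` table in an in-memory SQLite database (the columns `id`, `userid` and `query_desc` are an assumption) and places the unchecked delete beside one that binds the row to the session user, which is the general shape of the fix.

```python
import sqlite3

# Constructed, minimal model of Koha's search_history table; the real table has more
# columns. Only the ones needed to show the ownership check are kept (assumption).
SCHEMA = """
CREATE TABLE search_history (
    id         INTEGER PRIMARY KEY AUTOINCREMENT,
    userid     INTEGER NOT NULL,
    query_desc TEXT    NOT NULL
);
"""

# Constructed sample rows: patron 1 and patron 2 each ran one search.
SAMPLE_ROWS = [
    (1, "su:history of science"),
    (2, "kw:knitting"),
]


def make_db():
    """Build a fresh in-memory database with the two sample searches."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO search_history (userid, query_desc) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def delete_search_vulnerable(conn, current_userid, search_id):
    """Before the fix: the row is selected by id only.

    current_userid is the patron from the session, but it never reaches the query,
    so a guessed id belonging to another patron is deleted just the same.
    Returns the number of rows removed.
    """
    cur = conn.execute("DELETE FROM search_history WHERE id = ?", (search_id,))
    conn.commit()
    return cur.rowcount


def delete_search_fixed(conn, current_userid, search_id):
    """After the fix: the id is combined with the session user's userid.

    A row owned by a different patron simply does not match, so the delete is a
    no-op (rowcount 0) rather than an error the caller has to remember to raise.
    The row id is still taken from the request; the ownership constraint is what
    makes it safe.
    """
    cur = conn.execute(
        "DELETE FROM search_history WHERE id = ? AND userid = ?",
        (search_id, current_userid),
    )
    conn.commit()
    return cur.rowcount


def remaining_ids(conn):
    """Ids still present, in order; used to observe the effect of each delete."""
    return [row[0] for row in conn.execute("SELECT id FROM search_history ORDER BY id")]


def demo():
    """Patron 2 asks to delete id 1, which belongs to patron 1, under both versions."""
    before = make_db()
    removed_vuln = delete_search_vulnerable(before, current_userid=2, search_id=1)

    after = make_db()
    removed_fixed = delete_search_fixed(after, current_userid=2, search_id=1)
    # The owner can still delete their own row.
    removed_owner = delete_search_fixed(after, current_userid=1, search_id=1)

    return {
        "vulnerable_removed_others_row": removed_vuln,   # 1: other patron's row gone
        "fixed_removed_others_row": removed_fixed,       # 0: request silently rejected
        "fixed_owner_removed_own_row": removed_owner,    # 1: legitimate delete works
        "vulnerable_remaining": remaining_ids(before),   # [2]
        "fixed_remaining": remaining_ids(after),         # [2]
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Scoping the `DELETE` by the session's user id (rather than checking ownership in a separate `SELECT` first) keeps the check and the write in one statement, so there is no window in which the row can be reassigned or the check forgotten; a delete that returns zero rows for a valid-looking id is also a cheap signal worth logging, since it is exactly what the reproduction steps in the commit message would produce against the fixed code.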


hooks/post-receive
-- 
main Koha release repository

