[koha-commits] main Koha release repository branch master updated. v16.05.00-159-g779fa7c

Git repo owner gitmaster at git.koha-community.org
Fri Jun 24 13:54:10 CEST 2016


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, master has been updated
       via  779fa7c6da03fd3173de4a5c21d5615b83ac3ee4 (commit)
      from  2279a2fea05bc4d6e27b239f45c5d5733a37eef2 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 779fa7c6da03fd3173de4a5c21d5615b83ac3ee4
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Thu May 26 12:33:13 2016 +0100

    Bug 16591: Fix CSRF in opac-memberentry
    
    If an attacker can get an authenticated Koha user to visit their page
    with the code below, they can update the victim's details to arbitrary
    values.
    
    Test plan:
    
    Trigger
    /cgi-bin/koha/opac-memberentry.pl?action=update&borrower_B_city=HACKED&borrower_firstname=KOHA&borrower_surname=test
    
    => Without this patch, the update will be done (or modification
    request)
    => With this patch applied you will get a crash "Wrong CSRF token" (no
    need to stylish)
    
    Do some regression tests with this patch applied (Update patron infos)
    
    QA note: I am not sure it's useful to create a digest of the DB pass,
    but just in case...
    
    Reported by Alex Middleton at Dionach.
    
    Signed-off-by: Chris Cormack <chris at bigballofwax.co.nz>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>

-----------------------------------------------------------------------
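The commit message describes the whole pattern: before the fix, a state-changing request to opac-memberentry.pl is honoured on the strength of the victim's session cookie alone, which the browser attaches to any request an attacker's page makes; after it, the request must also carry a token that only the genuine form can supply. The following is an added illustration of that before/after contrast, written here in Python rather than Koha's Perl and not taken from the Koha code base. It assumes a session-bound token (HMAC over the session id under a server secret), a hypothetical request parameter named csrf_token, a constructed session id, and a placeholder secret derived by hashing a stand-in for the database password, which is what the commit's QA note alludes to; the real parameter name, key material and handler logic are in opac-memberentry.pl and its template, not here.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed secret for this example. The commit's QA note mentions deriving a
# digest of the database password; a placeholder string is hashed the same way
# here. A real deployment uses the server's own secret, never a literal.
SERVER_SECRET = hashlib.sha256(b"placeholder-db-password").digest()


def csrf_token_for(session_id: str) -> str:
    """Token the genuine form embeds: HMAC-SHA256 over the session id.

    Binding the token to the session means an attacker who lures a logged-in
    user to their page cannot predict it: they never see the victim's session.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, token: str) -> bool:
    """Constant-time comparison so the check does not leak the token byte by byte."""
    if not token:
        return False
    return hmac.compare_digest(csrf_token_for(session_id), token)


def _borrower_fields(params: dict) -> dict:
    """Collect borrower_* parameters into a field -> value mapping."""
    return {k[len("borrower_"):]: v[0] for k, v in params.items() if k.startswith("borrower_")}


def vulnerable_update(session_id: str, query: str):
    """Before the fix: a valid session cookie is the only thing the update relies on.

    A request forged by a third-party page arrives with the same cookie as the
    user's own form submission, so the two are indistinguishable.
    """
    params = parse_qs(query)
    if params.get("action") != ["update"]:
        return None
    return _borrower_fields(params)


def hardened_update(session_id: str, query: str):
    """After the fix: the update also needs a token only the real form carries.

    The parameter name ``csrf_token`` is an assumption of this example.
    """
    params = parse_qs(query)
    if params.get("action") != ["update"]:
        return None
    token = params.get("csrf_token", [""])[0]
    if not csrf_token_valid(session_id, token):
        raise PermissionError("Wrong CSRF token")
    return _borrower_fields(params)


# Constructed scenario: the victim is logged in under this session id and the
# attacker's page fires the query string quoted in the commit message.
VICTIM_SESSION = "sess-victim-0001"
FORGED_QUERY = "action=update&borrower_B_city=HACKED&borrower_firstname=KOHA&borrower_surname=test"


def legitimate_query(session_id: str) -> str:
    """What the genuine form submits: the same fields plus the session-bound token."""
    return FORGED_QUERY + "&csrf_token=" + csrf_token_for(session_id)


def demo() -> dict:
    """Run the forged request against both handlers and report the outcome."""
    outcome = {"vulnerable": vulnerable_update(VICTIM_SESSION, FORGED_QUERY)}
    try:
        hardened_update(VICTIM_SESSION, FORGED_QUERY)
        outcome["hardened_forged"] = "updated"
    except PermissionError as exc:
        outcome["hardened_forged"] = str(exc)
    outcome["hardened_legit"] = hardened_update(VICTIM_SESSION, legitimate_query(VICTIM_SESSION))
    return outcome


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows the forged request rewriting B_city to HACKED through the vulnerable handler, the hardened handler refusing the same request with "Wrong CSRF token", and the genuine form (token included) still succeeding, which is the regression check the test plan asks for. A token minted for a different session is also rejected, so a token the attacker obtains from their own account is of no use against the victim.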

Summary of changes:
 C4/Installer/PerlDependencies.pm                             |    5 +++++
 koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-memberentry.tt |    1 +
 opac/opac-memberentry.pl                                     |   10 +++++++++-
 3 files changed, 15 insertions(+), 1 deletion(-)


hooks/post-receive
-- 
main Koha release repository
