[koha-commits] main Koha release repository branch master updated. v16.05.00-beta-34-g120967a
Git repo owner
gitmaster at git.koha-community.org
Thu May 26 00:05:30 CEST 2016
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, master has been updated
via 120967a6a9e777d0f99300fdbb6552943ce6e9af (commit)
via 4e817ee04c2b5fbc2353ff382c6630322e57d8ae (commit)
via 05a014b7668e0c4fa662821f7774ac733fd0cc7f (commit)
from 97028f4b8904387df267fa3a43f7b1bc852a0bf3 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 120967a6a9e777d0f99300fdbb6552943ce6e9af
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Wed May 25 17:05:58 2016 +0100
Bug 16587: Same fixes for the staff interface
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
Signed-off-by: Brendan Gallagher <brendan at bywatersolutions.com>
commit 4e817ee04c2b5fbc2353ff382c6630322e57d8ae
Author: Chris Cormack <chris at bigballofwax.co.nz>
Date: Wed May 25 14:06:28 2016 +0000
Bug 16587 opac-sendshelf.pl is vulnerable to XSS
To test
1/ Hit a url like
http://localhost:8080/cgi-bin/koha/opac-sendshelf.pl?email=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3Ezz%40zz&comment=tes&shelfid=4
2/ Notice you get a js alert
3/ Apply patch
4/ Notice the js is now escaped
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
Signed-off-by: Brendan Gallagher <brendan at bywatersolutions.com>
commit 05a014b7668e0c4fa662821f7774ac733fd0cc7f
Author: Chris Cormack <chris at bigballofwax.co.nz>
Date: Wed May 25 14:01:41 2016 +0000
Bug 16587 - opac-sendbasket.pl is open to XSS
To test
1/ Hit a url like
http://localhost:8080/cgi-bin/koha/opac-sendbasket.pl?email_add=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3Ezz%40zz&comment=tes&bib_list=3
Where bib_list is a valid basket number
2/ Notice you get a javascript alert showing
3/ Apply patch
4/ Notice the text is now escaped
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
Signed-off-by: Brendan Gallagher <brendan at bywatersolutions.com>
-----------------------------------------------------------------------
Summary of changes:
koha-tmpl/intranet-tmpl/prog/en/modules/basket/sendbasketform.tt | 2 +-
.../intranet-tmpl/prog/en/modules/virtualshelves/sendshelfform.tt | 2 +-
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-sendbasketform.tt | 2 +-
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-sendshelfform.tt | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
hooks/post-receive
--
main Koha release repository
More information about the koha-commits
mailing list