[koha-commits] main Koha release repository branch master updated. v16.05.00-570-g6f5e2f8

Git repo owner gitmaster at git.koha-community.org
Fri Sep 2 16:46:43 CEST 2016

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, master has been updated
       via  6f5e2f8a865ebe07d4745171dda86c2cbb0e6fe1 (commit)
      from  0646478be01a63fa0b6dc666f23a915ceefd5619 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 6f5e2f8a865ebe07d4745171dda86c2cbb0e6fe1
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Fri Aug 12 11:36:06 2016 +0100

    Bug 17116: Fix CSRF in import_borrowers.pl
    If an attacker can get an authenticated Koha user to visit their page
    with the url below, they can change patrons' information
    The exploit can be simulated triggering
    In that case it won't do anything wrong, but it you POST a valid file,
    it could.
    Test plan:
    Trigger the url above
    => Without this patch, you will the result page
    => With this patch, you will get the "Wrong CSRF token" error.
    Regression test:
    Import a valid file from the import patron form, everything should go
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>


Summary of changes:
 .../prog/en/modules/tools/import_borrowers.tt        |    5 ++++-
 tools/import_borrowers.pl                            |   18 ++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

main Koha release repository

More information about the koha-commits mailing list