[koha-commits] main Koha release repository branch master updated. v16.05.00-570-g6f5e2f8
Git repo owner
gitmaster at git.koha-community.org
Fri Sep 2 16:46:43 CEST 2016
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, master has been updated
via 6f5e2f8a865ebe07d4745171dda86c2cbb0e6fe1 (commit)
from 0646478be01a63fa0b6dc666f23a915ceefd5619 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 6f5e2f8a865ebe07d4745171dda86c2cbb0e6fe1
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Fri Aug 12 11:36:06 2016 +0100
Bug 17116: Fix CSRF in import_borrowers.pl
If an attacker can get an authenticated Koha user to visit their page
with the url below, they can change patrons' information
The exploit can be simulated triggering
/tools/import_borrowers.pl?uploadborrowers=42
In that case it won't do anything wrong, but it you POST a valid file,
it could.
Test plan:
Trigger the url above
=> Without this patch, you will the result page
=> With this patch, you will get the "Wrong CSRF token" error.
Regression test:
Import a valid file from the import patron form, everything should go
fine.
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
-----------------------------------------------------------------------
Summary of changes:
.../prog/en/modules/tools/import_borrowers.tt | 5 ++++-
tools/import_borrowers.pl | 18 ++++++++++++++++++
2 files changed, 22 insertions(+), 1 deletion(-)
hooks/post-receive
--
main Koha release repository
More information about the koha-commits
mailing list