[koha-commits] main Koha release repository branch master updated. v16.05.00-883-gda03dbd

Git repo owner gitmaster at git.koha-community.org
Thu Sep 15 15:33:18 CEST 2016

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, master has been updated
       via  da03dbd458c59da0b9213efacd3425e89b453332 (commit)
      from  a9caebc288463689d6c2a732ee8b900a3ab34a21 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit da03dbd458c59da0b9213efacd3425e89b453332
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Fri Aug 12 10:42:28 2016 +0100

    Bug 17114: Fix XSS in picture-upload.pl
    To reproduce:
    1/ cp your_image.jpg 'test<svg onload=alert(1)>.jpg'
    2/ Use the upload picture tool to upload this file
    => Without this patch, the alert is show
    => With this patch, the filename is correctly displayed and no alert
    Note that the cardnumber var was not escaped neither, it's now.
    Signed-off-by: Colin Campbell <colin.campbell at ptfs-europe.com>
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>


Summary of changes:
 koha-tmpl/intranet-tmpl/prog/en/modules/tools/picture-upload.tt |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

main Koha release repository

More information about the koha-commits mailing list