[koha-commits] main Koha release repository branch master updated. v16.05.00-883-gda03dbd

Git repo owner gitmaster at git.koha-community.org
Thu Sep 15 15:33:18 CEST 2016


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, master has been updated
       via  da03dbd458c59da0b9213efacd3425e89b453332 (commit)
      from  a9caebc288463689d6c2a732ee8b900a3ab34a21 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit da03dbd458c59da0b9213efacd3425e89b453332
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Fri Aug 12 10:42:28 2016 +0100

    Bug 17114: Fix XSS in picture-upload.pl
    
    To reproduce:
    1/ cp your_image.jpg 'test<svg onload=alert(1)>.jpg'
    2/ Use the upload picture tool to upload this file
    => Without this patch, the alert is shown
    => With this patch, the filename is correctly displayed and no alert
    
    Note that the cardnumber var was not escaped either; it is now.
    
    Signed-off-by: Colin Campbell <colin.campbell at ptfs-europe.com>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>

-----------------------------------------------------------------------

Summary of changes:
 koha-tmpl/intranet-tmpl/prog/en/modules/tools/picture-upload.tt |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


hooks/post-receive
-- 
main Koha release repository
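To illustrate the fix the commit message describes, here is an added Template Toolkit example; it is not Koha's own template code, and the patch itself is not included in this notification. It assumes the change wraps the `filename` and `cardnumber` variables in TT's `html` filter, and the variable values are constructed to match the repro in the commit message.

```perl
#!/usr/bin/perl
# Added example: vulnerable vs. hardened Template Toolkit output for an
# attacker-controlled upload filename (values constructed to match the repro).
use strict;
use warnings;
use Template;

# Constructed stand-ins for what picture-upload.pl hands to the template.
my $vars = {
    filename   => 'test<svg onload=alert(1)>.jpg',
    cardnumber => '12345000',
};

# Assumed "before" form: raw interpolation, so the markup embedded in the
# filename is emitted as HTML and the browser would execute the onload handler.
my $vulnerable = <<'TT';
<p>Uploaded [% filename %] for card [% cardnumber %]</p>
TT

# Assumed "after" form: the html filter encodes & < > " so the browser shows
# the filename as text instead of parsing it as a tag.
my $hardened = <<'TT';
<p>Uploaded [% filename | html %] for card [% cardnumber | html %]</p>
TT

my $tt = Template->new() or die Template->error();

# Render a template string with the constructed variables and return the HTML.
sub render {
    my ($template) = @_;
    my $out = '';
    $tt->process( \$template, $vars, \$out ) or die $tt->error();
    return $out;
}

print "Unescaped: ", render($vulnerable);
print "Escaped:   ", render($hardened);

# Cheap regression check: no tag from the variable values may survive escaping.
die "filename still unescaped" if render($hardened) =~ /<svg/;
```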