[koha-commits] main Koha release repository branch master updated. v16.05.00-885-gbe2b61f

Git repo owner gitmaster at git.koha-community.org
Thu Sep 15 15:34:16 CEST 2016


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, master has been updated
       via  be2b61f9e510a3bca629e12422a4e3529a9e473d (commit)
       via  11bf7e7bef856d5d90126c19f897d060cb4c9d9d (commit)
      from  da03dbd458c59da0b9213efacd3425e89b453332 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit be2b61f9e510a3bca629e12422a4e3529a9e473d
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Mon Sep 5 10:44:06 2016 +0100

    Bug 17146: Raise "Wrong CSRF token" warning for the 'Delete' action
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>

commit 11bf7e7bef856d5d90126c19f897d060cb4c9d9d
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Thu Aug 18 15:52:38 2016 +0100

    Bug 17146: Fix CSRF in picture-upload.pl
    
    If an attacker can get an authenticated Koha user to visit their page
    with the URL below, they can change or delete patrons' images:
    /tools/picture-upload.pl?op=Delete&borrowernumber=42
    
    Test plan:
    1/ Hit /tools/picture-upload.pl?op=Delete&borrowernumber=42
    And confirm that you get a "Wrong CSRF token" error
    2/ Go on the patron detail page with a patron's image
    3/ Click on the Delete link (note the csrf_token param)
    4/ The image will be deleted and you are redirected to the patron detail
    page.
    
    Regression tests:
    Upload an image from the patron detail page and from the "upload patron
    images" tool.
    
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>

-----------------------------------------------------------------------
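The flaw and fix described in the second commit, as an added Perl example that is not Koha's own code: a Delete handler that acts on any op=Delete request, beside one that refuses the request unless it carries a csrf_token bound to the logged-in session. The HMAC-based token, the server secret, the session and the in-memory image store are constructed assumptions for a stand-alone run, not the token implementation the commit itself uses.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
# Constructed server secret; a real deployment reads it from its config.
my $SECRET = 'constructed-server-secret';

# Token bound to the session and user id; another site cannot mint one
# because it does not hold $SECRET.
sub generate_csrf {
    my ($session_id, $userid) = @_;
    return hmac_sha256_hex("$session_id:$userid", $SECRET);
}

# Constant-time comparison so a wrong token is not distinguishable by timing.
sub check_csrf {
    my ($session_id, $userid, $token) = @_;
    return 0 unless defined $token;
    my $expected = generate_csrf($session_id, $userid);
    return 0 unless length($token) == length($expected);
    my $diff = 0;
    $diff |= ord(substr($token, $_, 1)) ^ ord(substr($expected, $_, 1))
        for 0 .. length($expected) - 1;
    return $diff == 0;
}
# Before the fix: op=Delete alone removes the image, so a link on any page
# the logged-in user visits is enough (the flaw described in the commit).
sub delete_vulnerable {
    my ($params, $images) = @_;
    delete $images->{ $params->{borrowernumber} } if $params->{op} eq 'Delete';
}

# After the fix: the action runs only with a token minted for this session.
sub delete_fixed {
    my ($params, $images, $session) = @_;
    return unless $params->{op} eq 'Delete';
    die "Wrong CSRF token\n"
        unless check_csrf($session->{id}, $session->{userid}, $params->{csrf_token});
    delete $images->{ $params->{borrowernumber} };
}
# Constructed session and image store for a stand-alone run.
my %session = (id => 'sess-abc123', userid => 'librarian');
my %images  = (42 => 'patron42.jpg');

# Forged request (no token): the fixed handler dies and the image survives.
eval { delete_fixed({ op => 'Delete', borrowernumber => 42 }, \%images, \%session) };
print "forged request refused: $@" if $@;

# Genuine Delete link carrying csrf_token, as in the commit's test plan.
my $token = generate_csrf($session{id}, $session{userid});
delete_fixed({ op => 'Delete', borrowernumber => 42, csrf_token => $token }, \%images, \%session);
print "image 42 removed\n" unless exists $images{42};
```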

Summary of changes:
 .../prog/en/modules/members/moremember.tt          |    3 ++-
 .../prog/en/modules/tools/picture-upload.tt        |    1 +
 members/moremember.pl                              |   10 +++++++++
 tools/picture-upload.pl                            |   23 ++++++++++++++++++++
 4 files changed, 36 insertions(+), 1 deletion(-)


hooks/post-receive
-- 
main Koha release repository