[koha-commits] main Koha release repository branch master updated. v17.05.00-453-g36ba8be
Git repo owner
gitmaster at git.koha-community.org
Tue Aug 29 17:05:04 CEST 2017
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, master has been updated
via 36ba8be88a9543942102580f2b1abe1e5e108c35 (commit)
via 8534ca278022e82f55b1907bac31afa7e86b9d5f (commit)
via d31c635fe2cc6d0b715661d35a02723a48e42e2b (commit)
via d4b588aca834a94ed9fa6b5af2f8b1c1cbed2667 (commit)
via 73a66ccaf47f8815bbe74326dbe24dba915456fb (commit)
via 6b3449627fe53851b92428e57bb12d6c6492e2b9 (commit)
via fd44f2fed7415feb8605c94b7c533dcd48d27b15 (commit)
via fbdfbc64f0301df4c69b3112f0512ff07e6a61ed (commit)
via 8c3da351307be664a879148ce4ca9215ca1c2da7 (commit)
via 4b11d0c8627d31ad026c7494852cd25db0a5295c (commit)
via 7e9a71a43851d8b2a67577a83c8d7d2e68efcf8e (commit)
via 46b0b0a75b01d700ec02c458896c27760e604465 (commit)
via 3f7fc907ba9bf5cc2a077e541646118a213c8563 (commit)
via e0dd5666341940b6310ac0c8c05e0f594b5386eb (commit)
via c57d0b71c7b9bac44cd79c822e3009136bbf25fe (commit)
via 861cec577317d4ef56cdad23afc94a7d1968c1c9 (commit)
via 9f19d3d44c410be80bf8fd468b86ac7f7d9d4bcd (commit)
via 92d58c60b0fa20a4c1e67edaf6cd4be50dcdce21 (commit)
via 0cf9eb0cfbedf7a5a852b86a6e4e6ce4fbc43c14 (commit)
via 3199cff63924520a4cc4564f3590427dbed867f8 (commit)
via 1a7040b7b0596a25a988568f0da0b47dd12c9f28 (commit)
via ee3bfd5d69f8f649c74e58385b8180faade875d0 (commit)
via f94162564ad57ac9747d3967ba6671d982545dbc (commit)
from ea886885d0efa0200cfa166453a4495692afc4d4 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 36ba8be88a9543942102580f2b1abe1e5e108c35
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Tue Aug 15 08:33:41 2017 +0530
Bug 19035 - Stored XSS in lists.pl
To Test
1. Hit the page /cgi-bin/koha/patron_lists/lists.pl
2. Click on new patron list
3. Add a text in the field Name that contains js
4. Save the page.
5. Notice js is execute
6. Apply patch and reload, the js is escaped
Fixed in both the pages list.pl and list.pl?patron_list_id=xx
xx is patronlist id
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit 8534ca278022e82f55b1907bac31afa7e86b9d5f
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Tue Aug 15 20:58:34 2017 +0530
Bug 19114 - Stored XSS in parcels.pl
Test
1. Hit the page /cgi-bin/koha/acqui/parcels.pl?booksellerid=xx
xx is booksellerid
2. Add a text in the field Vendor invoice that contains java script
3. Save the page.
4. Notice js is execute
5. Apply patch and reload the js is escaped
Fixed XSS for parcels.pl/parcel.pl/orderreceive.pl
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit d31c635fe2cc6d0b715661d35a02723a48e42e2b
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Tue Aug 15 19:51:48 2017 +0530
Bug 19112 - Stored XSS in basketheader.pl page
To Test
1. Hit the page /cgi-bin/koha/acqui/basketheader.pl?booksellerid=1&op=add_form
2. Add a text in the field Basket name, Internal note, Vendor note that contains java script
3. Save the page
4. Notice js is execute
5. Apply patch, reload, js is escaped.
Fixed XSS on pages basket.pl/basketheader.pl/bookseller.pl
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit d4b588aca834a94ed9fa6b5af2f8b1c1cbed2667
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Tue Aug 15 15:00:55 2017 +0530
Bug 19110 - XSS Stored in branches.pl
To Test
1. Hit the page /cgi-bin/koha/admin/branches.pl?op=add_form_category
2. Add a text in the field Name and description that contains js.
3. Save the page.
4. Notice js is execute
5. Apply patch and reload, the js is escaped
Fixed for js escaped execute for both pages
1. /cgi-bin/koha/admin/branches.pl?op=delete_confirm&branchcode=xx
xx is branchcode
2. /cgi-bin/koha/admin/branches.pl?op=add_form with Group(s):
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit 73a66ccaf47f8815bbe74326dbe24dba915456fb
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Tue Aug 15 23:22:32 2017 +0530
Bug 19100 - XSS Flaws in memberentry.pl
1. Hit /cgi-bin/koha/members/memberentry.pl?op=add&guarantorid=xx<script>alert('amit')</script>
xx - is a guarantorid
2. Notice the java script is executed.
3. Apply patch.
4. Reload page, and hit the page again /cgi-bin/koha/members/memberentry.pl?op=add&guarantorid=xx<script>alert('amit')</script>
xx - is a guarantorid.
5. Notice it is no longer executed.
NOTE: I had to test in Microsoft Edge, because Chrome was blocking XSS for me.
Signed-off-by: Mark Tompsett <mtompset at hotmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit 6b3449627fe53851b92428e57bb12d6c6492e2b9
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Tue Aug 15 09:23:13 2017 +0530
Bug 19105 - XSS Stored in holidays.pl
To Test
1. Hit the page /cgi-bin/koha/tools/holidays.pl
2. Select the date
3. Add a text in the field Title and Description that contains js
4. Save the page.
5. Notice js is execute
6. Apply patch and reload, the js is escaped
Fixed for all holidays
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit fd44f2fed7415feb8605c94b7c533dcd48d27b15
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Tue Aug 15 22:58:02 2017 +0530
Bug 16069 - XSS issue in basket.pl page
1. Hit /cgi-bin/koha/acqui/basket.pl?basketno=xx<script>alert('amit')</script>
xx - is a basketno
2. Notice the java script is executed.
3. Apply patch.
4. Reload page, and hit the page again /cgi-bin/koha/acqui/basket.pl?basketno==xx<script>alert('amit')</script>
xx - is a basketno.
5. Notice it is no longer executed.
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit fbdfbc64f0301df4c69b3112f0512ff07e6a61ed
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Fri Aug 11 21:08:14 2017 +0530
Bug 19079 - XSS Flaws in Membership page
1. Hit /cgi-bin/koha/members/moremember.pl?borrowernumber=xx<script>alert('amit')</script>.
xx - is a borrowernumber
2. Notice the java script is executed.
4. Apply patch.
5. Reload page, and hit the page again /cgi-bin/koha/members/moremember.pl?borrowernumber=xx<script>alert('amit')</script>.
xx - is a borrowernumber.
6. Notice it is no longer executed.
Signed-off-by: Chris Cormack <chris at bigballofwax.co.nz>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit 8c3da351307be664a879148ce4ca9215ca1c2da7
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Fri Aug 4 09:44:52 2017 +0530
Bug 19033: XSS Flaws in Currencies and exchange page
1. Hit /cgi-bin/koha/admin/currency.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> search currencies box.
3. Notice the iframe is executed
4. Apply patch
5. Reload page, and enter iframe again on search currencies box.
6. Notice it is no longer executed
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
Fixes the issue, follows common practice on the codebase.
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit 4b11d0c8627d31ad026c7494852cd25db0a5295c
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Tue Aug 15 13:26:12 2017 -0300
Bug 19034: (followup 2) Fix letters.tt XSS flaw
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit 7e9a71a43851d8b2a67577a83c8d7d2e68efcf8e
Author: Tomas Cohen Arazi <tomascohen at theke.io>
Date: Mon Aug 7 11:27:33 2017 -0300
Bug 19034: (followup) Fix letters.tt XSS flaw
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit 46b0b0a75b01d700ec02c458896c27760e604465
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Fri Aug 4 10:41:49 2017 +0530
Bug 19034: XSS Flaws in Z39.50/SRU servers administration
1. Hit /cgi-bin/koha/admin/z3950servers.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> search Z39.50/SRU servers box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on search Z39.50/SRU servers box.
6. Notice it is no longer executed.
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit 3f7fc907ba9bf5cc2a077e541646118a213c8563
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Fri Aug 4 10:38:12 2017 +0530
Bug 19034: XSS Flaws in Cities
1. Hit /cgi-bin/koha/admin/cities.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> search cities box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on search cities box.
6. Notice it is no longer executed.
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit e0dd5666341940b6310ac0c8c05e0f594b5386eb
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Fri Aug 4 10:34:19 2017 +0530
Bug 19034: XSS Flaws in Patron categories pages
1. Hit /cgi-bin/koha/admin/categories.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> search patron categories box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on search patron categories box.
6. Notice it is no longer executed.
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit c57d0b71c7b9bac44cd79c822e3009136bbf25fe
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Mon Aug 7 20:49:56 2017 +0530
Bug 19050 - XSS Flaws in Quick spine label creator
1. Hit /cgi-bin/koha/labels/spinelabel-home.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> barcode text box.
3. Notice the iframe is executed
4. Apply patch
5. Reload page, and enter iframe again on barcode text box.
6. Notice it is no longer executed
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit 861cec577317d4ef56cdad23afc94a7d1968c1c9
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Mon Aug 7 21:43:56 2017 +0530
Bug 19051 - XSS Flaws in - Batch item modification page
1. Hit /cgi-bin/koha/tools/batchMod.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in the Barcode list (one barcode per line) text area.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Barcode list (one barcode per line) text area.
6. Notice it is no longer executed.
7. Fixes for both barcode and itemnumber.
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit 9f19d3d44c410be80bf8fd468b86ac7f7d9d4bcd
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Mon Aug 7 21:24:44 2017 +0530
Bug 19051 - XSS Flaws in Batch item deletion page
1. Hit /cgi-bin/koha/tools/batchMod.pl?del=1
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in the Barcode list (one barcode per line) text area.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Barcode list (one barcode per line) text area.
6. Notice it is no longer executed.
7. Fixes for both barcode and itemnumber.
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit 92d58c60b0fa20a4c1e67edaf6cd4be50dcdce21
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Mon Aug 7 21:08:36 2017 +0530
Bug 19051 - XSS Flaws in - Batch record deletion page
1. Hit /cgi-bin/koha/tools/batch_delete_records.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in the Record number list (one per line) text area.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Record number list (one per line) text area.
6. Notice it is no longer executed.
7. Fixes for both biblio and authority records.
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit 0cf9eb0cfbedf7a5a852b86a6e4e6ce4fbc43c14
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Mon Aug 7 22:17:14 2017 +0530
Bug 19052 - XSS Flaws in - Invoice search page
1. Hit /cgi-bin/koha/acqui/invoices.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> Invoiceno,
ISBN/EAN/ISSN, Title, Author, Publihser, Publication year search box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Invoiceno,
ISBN/EAN/ISSN, Title, Author, Publihser, Publication year search box.
6. Notice it is no longer executed.
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit 3199cff63924520a4cc4564f3590427dbed867f8
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Mon Aug 7 22:04:30 2017 +0530
Bug 19052 - XSS Flaws in vendor search page
1. Hit /cgi-bin/koha/acqui/booksellers.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> vendor search box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on vendor search box.
6. Notice it is no longer executed.
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit 1a7040b7b0596a25a988568f0da0b47dd12c9f28
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Mon Aug 7 22:34:05 2017 +0530
Bug 19054 - XSS Flaws in Report - Top Most-circulated items
1. Hit /cgi-bin/koha/reports/cat_issues_top.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in Callnumber, Day, Month, Year search box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Callnumber, Day, Month, Year search box.
6. Notice it is no longer executed.
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit ee3bfd5d69f8f649c74e58385b8180faade875d0
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Thu Aug 10 21:51:38 2017 +0530
Bug 19078 - XSS Flaws in System preferences
1. Hit /cgi-bin/koha/admin/preferences.pl
2. Enter <script>alert('amit')</script> in search system preferences box.
3. Notice the java script is executed.
4. Apply patch.
5. Reload page, and enter <script>alert('amit')</script> in search system preferences box.
6. Notice it is no longer executed.
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit f94162564ad57ac9747d3967ba6671d982545dbc
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Wed Aug 9 14:08:24 2017 -0300
Bug 18726: Fix XSS at the OPAC - biblionumber
The biblionumber parameter is sent by the user, we must escape all of
them to avoid XSS.
Fixes: Cross-site scripting OPAC pages
Signed-off-by: Amit Gupta <amit.gupta at informaticsglobal.com>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
-----------------------------------------------------------------------
Summary of changes:
.../intranet-tmpl/prog/en/modules/acqui/basket.tt | 14 ++++----
.../prog/en/modules/acqui/basketheader.tt | 8 ++---
.../prog/en/modules/acqui/booksellers.tt | 4 +--
.../prog/en/modules/acqui/invoices.tt | 24 +++++++-------
.../prog/en/modules/acqui/orderreceive.tt | 4 +--
.../intranet-tmpl/prog/en/modules/acqui/parcel.tt | 6 ++--
.../intranet-tmpl/prog/en/modules/acqui/parcels.tt | 2 +-
.../prog/en/modules/admin/branches.tt | 14 ++++----
.../prog/en/modules/admin/categories.tt | 2 +-
.../intranet-tmpl/prog/en/modules/admin/cities.tt | 2 +-
.../prog/en/modules/admin/currency.tt | 2 +-
.../prog/en/modules/admin/preferences.tt | 2 +-
.../prog/en/modules/admin/z3950servers.tt | 2 +-
.../prog/en/modules/labels/spinelabel-print.tt | 2 +-
.../prog/en/modules/members/memberentrygen.tt | 2 +-
.../prog/en/modules/patron_lists/list.tt | 4 +--
.../prog/en/modules/patron_lists/lists.tt | 2 +-
.../prog/en/modules/reports/cat_issues_top.tt | 2 +-
.../prog/en/modules/tools/batchMod-del.tt | 2 +-
.../prog/en/modules/tools/batchMod-edit.tt | 2 +-
.../prog/en/modules/tools/batch_delete_records.tt | 4 +--
.../prog/en/modules/tools/holidays.tt | 24 +++++++-------
.../intranet-tmpl/prog/en/modules/tools/letter.tt | 4 +--
.../bootstrap/en/includes/opac-bottom.inc | 6 ++--
.../bootstrap/en/includes/opac-detail-sidebar.inc | 14 ++++----
.../bootstrap/en/modules/opac-ISBDdetail.tt | 2 +-
.../bootstrap/en/modules/opac-MARCdetail.tt | 12 +++----
.../bootstrap/en/modules/opac-alert-subscribe.tt | 10 +++---
.../opac-tmpl/bootstrap/en/modules/opac-detail.tt | 34 ++++++++++----------
.../en/modules/opac-full-serial-issues.tt | 6 ++--
.../bootstrap/en/modules/opac-serial-issues.tt | 2 +-
members/moremember.pl | 2 ++
32 files changed, 112 insertions(+), 110 deletions(-)
hooks/post-receive
--
main Koha release repository
More information about the koha-commits
mailing list