[koha-commits] main Koha release repository branch master updated. v16.11.00-334-g42460b8

Git repo owner gitmaster at git.koha-community.org
Mon Jan 30 15:24:14 CET 2017


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, master has been updated
       via  42460b871472d2a408bc38a747fd375062af4d7e (commit)
       via  a70980d8255a66c33539926796c06b29b26fbb40 (commit)
      from  4ff78a9a0da486d7f267d1e252f3628ec1a5f149 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 42460b871472d2a408bc38a747fd375062af4d7e
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Fri Jan 27 10:01:42 2017 +0100

    Bug 17900: Update the tests to the new API
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>

commit a70980d8255a66c33539926796c06b29b26fbb40
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Fri Jan 13 17:43:25 2017 +0100

    Bug 17900: Fix possible SQL injection in patron cards template editing
    
    To recreate:
    /cgi-bin/koha/patroncards/edit-template.pl?op=edit&element_id=23%20and%201%3d2+union+all+select+1,user(),@@version+--%20
    
    Look at the Profile dropdown list.
    
    To fix this problem and to make sure it does not appear anywhere else
    in the label and patroncards modules, I have refactored the way the
    queries are built in C4::Creators::Lib.
    Now all of the subroutines take a hashref in parameters with 'fields'
    and 'filters' parameters.
    From these 2 parameters the new internal subroutine _build_query will
    build the query and use placeholders.
    
    Test plan:
    1/ Make sure you do not recreate the vulnerability with this patch
    applied.
    2/ With decent data in the labels and patroncards modules, compare all
    the different views (under the New and Manage button groups) with and
    without this patch applied.
    => You should not see any differences.
    
    This vulnerability has been reported by MDSec.
    
    Signed-off-by: Chris Cormack <chris at bigballofwax.co.nz>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
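
    The pattern the commit message describes (callers pass a hashref of
    'fields' and 'filters', and one internal routine turns it into SQL with
    placeholders) as an added illustration; this is not Koha's
    C4::Creators::Lib::_build_query, and the table name creator_templates
    and the columns template_id, profile_id and creator are assumed for the
    demo. The taint value is the decoded element_id string from the
    recreate step above, shown becoming a single bind value rather than
    part of the statement.

    ```perl
    #!/usr/bin/perl
    use strict;
    use warnings;

    # Hypothetical query builder in the style the commit message describes.
    # Returns the SQL text plus an arrayref of bind values for
    # $dbh->prepare($sql)->execute(@$bind). Not Koha's own _build_query.
    sub build_query {
        my ($params) = @_;
        my $table   = $params->{table} or die 'table is required';
        my @fields  = @{ $params->{fields}  || ['*'] };
        my %filters = %{ $params->{filters} || {} };

        # Identifiers (table, columns) cannot be bound as placeholders, so
        # they must come from the calling code, never from the request, and
        # are checked against a strict pattern as a second line of defence.
        for my $name ( $table, @fields, keys %filters ) {
            next if $name eq '*';
            die "refusing unsafe identifier '$name'"
                unless $name =~ /^[A-Za-z_][A-Za-z0-9_]*$/;
        }

        my $sql = sprintf 'SELECT %s FROM %s', join( ', ', @fields ), $table;
        my @bind;
        if (%filters) {
            my @where;
            for my $column ( sort keys %filters ) {    # sorted for stable SQL
                my $value = $filters{$column};
                if ( ref $value eq 'ARRAY' ) {
                    # One placeholder per element for IN (...)
                    push @where, sprintf '%s IN (%s)', $column,
                        join( ', ', ('?') x @$value );
                    push @bind, @$value;
                }
                else {
                    push @where, "$column = ?";
                    push @bind, $value;
                }
            }
            $sql .= ' WHERE ' . join( ' AND ', @where );
        }
        return ( $sql, \@bind );
    }

    # Numeric ids from the query string should additionally be validated
    # before they reach the database layer; returns undef on anything that
    # is not a plain non-negative integer (hypothetical helper).
    sub parse_element_id {
        my ($raw) = @_;
        return undef unless defined $raw && $raw =~ /^\d+$/;
        return $raw + 0;
    }

    # Constructed demo input: the URL-decoded element_id from the commit message.
    my $tainted = '23 and 1=2 union all select 1,user(),@@version -- ';

    # The pre-fix shape: string interpolation lets the value rewrite the statement.
    my $interpolated = "SELECT template_id, profile_id FROM creator_templates "
                     . "WHERE template_id = $tainted";
    print "interpolated (unsafe): $interpolated\n";

    # The placeholder shape: the same value is handed to the driver as data.
    my ( $sql, $bind ) = build_query(
        {   table   => 'creator_templates',
            fields  => [ 'template_id', 'profile_id' ],
            filters => { template_id => $tainted, creator => 'Patroncards' },
        }
    );
    print "placeholders: $sql\n";
    print "bind values : ", join( ' | ', @$bind ), "\n";

    # And the input check rejects it outright before any query is built.
    my $id = parse_element_id($tainted);
    print defined $id ? "element_id ok: $id\n" : "element_id rejected\n";
    ```

    With a real DBI handle the two prints correspond to
    `$dbh->prepare($sql)` followed by `$sth->execute(@$bind)`; the value
    containing `union all select` is compared literally against the
    template_id column and can no longer change the statement's shape.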

-----------------------------------------------------------------------

Summary of changes:
 C4/Creators/Lib.pm            |   56 +++++++++++++++++++++++++----------------
 labels/label-edit-profile.pl  |    2 +-
 labels/label-edit-template.pl |    4 +--
 labels/label-manage.pl        |    8 +++---
 labels/label-print.pl         |    4 +--
 patroncards/edit-profile.pl   |    2 +-
 patroncards/edit-template.pl  |    2 +-
 patroncards/manage.pl         |    8 +++---
 patroncards/print.pl          |    4 +--
 t/db_dependent/Creators/Lib.t |   28 ++++++++++-----------
 10 files changed, 66 insertions(+), 52 deletions(-)


hooks/post-receive
-- 
main Koha release repository

