[koha-commits] main Koha release repository branch 3.22.x updated. v3.22.15-11-g72d905d
Git repo owner
gitmaster at git.koha-community.org
Mon Jan 30 16:34:11 CET 2017
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, 3.22.x has been updated
via 72d905d8dc0547c0ecff34b99eacaf43ea37c4c9 (commit)
via b5b633b9eb4678193152bac4cb18778d1e127566 (commit)
from 23d3ca374fe2940ba016612f41310b539ce4e0c8 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 72d905d8dc0547c0ecff34b99eacaf43ea37c4c9
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Fri Jan 27 10:01:42 2017 +0100
Bug 17900: Update the tests to the new API
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
(cherry picked from commit 42460b871472d2a408bc38a747fd375062af4d7e)
Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>
commit b5b633b9eb4678193152bac4cb18778d1e127566
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Fri Jan 13 17:43:25 2017 +0100
Bug 17900: Fix possible SQL injection in patron cards template editing
To recreate:
/cgi-bin/koha/patroncards/edit-template.pl?op=edit&element_id=23%20and%201%3d2+union+all+select+1,user(),@@version+--%20
Look at the Profile dropdown list.
To fix this problem and to make sure it does not appear anywhere else
in the label and patroncards modules, I have refactored the way the
queries are built in C4::Creators::Lib
Now all of the subroutines take a hashref in parameters with 'fields'
and 'filters' parameters.
From these 2 parameters the new internal subroutine _build_query will
build the query and use placeholders.
Test plan:
1/ Make sure you do not recreate the vulnerability with this patch
applied.
2/ With decent data in the labels and patroncards modules, compare all
the different views (under the New and Manage button groups) with and
without this patch applied.
=> You should not see any differences.
This vulnerability has been reported by MDSec.
Signed-off-by: Chris Cormack <chris at bigballofwax.co.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
(cherry picked from commit a70980d8255a66c33539926796c06b29b26fbb40)
Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>
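The query-building approach the commit message describes, as an added example written for this page and not taken from Koha's C4::Creators::Lib: a hypothetical build_query that takes a hashref with 'fields' and 'filters', returns SQL with placeholders plus the bind values, and is then run against constructed sample data in an in-memory SQLite database (assumes DBD::SQLite is installed).

```perl
use strict;
use warnings;
use DBI;    # demo below assumes DBD::SQLite is available
# build_query: hypothetical helper in the spirit of the _build_query the commit
# describes (not Koha's code). Takes 'table', 'fields' and 'filters'; returns
# the SQL text and bind values so request input never enters the SQL string.
sub build_query {
    my ($args) = @_;
    my $table   = $args->{table} or die "table is required";
    my $fields  = $args->{fields}  || ['*'];
    my $filters = $args->{filters} || {};
    # Identifiers cannot be bound with placeholders, so they come only from the
    # calling code and are checked against a strict pattern as a safeguard.
    for my $id ($table, @$fields, keys %$filters) {
        die "invalid identifier '$id'"
            unless $id eq '*' || $id =~ /\A[A-Za-z_][A-Za-z0-9_]*\z/;
    }
    my (@where, @bind);
    for my $column (sort keys %$filters) {
        my $value = $filters->{$column};
        if (ref $value eq 'ARRAY') {          # list of values -> IN (?, ?, ...)
            die "empty list for '$column'" unless @$value;
            push @where, "$column IN (" . join(', ', ('?') x @$value) . ')';
            push @bind, @$value;
        } else {                              # single value -> column = ?
            push @where, "$column = ?";
            push @bind, $value;
        }
    }
    my $sql = 'SELECT ' . join(', ', @$fields) . " FROM $table";
    $sql .= ' WHERE ' . join(' AND ', @where) if @where;
    return ($sql, \@bind);
}
# Constructed sample data in an in-memory SQLite database.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('CREATE TABLE creator_templates (template_id INTEGER, template_code TEXT, creator TEXT)');
$dbh->do("INSERT INTO creator_templates VALUES (23, 'avery5160', 'Patroncard')");
# element_id stands in for request input. A value carrying extra SQL syntax is
# passed as a bind parameter, so it is compared as data and matches nothing.
for my $element_id ('23', '23 and 1=2') {
    my ($sql, $bind) = build_query({
        table   => 'creator_templates',
        fields  => ['template_id', 'template_code'],
        filters => { creator => 'Patroncard', template_id => $element_id },
    });
    my $rows = $dbh->selectall_arrayref($sql, {}, @$bind);
    printf "%-12s -> %d row(s)\n", $element_id, scalar @$rows;
}
```

The generated statement is `SELECT template_id, template_code FROM creator_templates WHERE creator = ? AND template_id = ?`; the first id returns one row and the tampered one returns zero, because the database only ever sees it as a bound value.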
-----------------------------------------------------------------------
Summary of changes:
C4/Creators/Lib.pm | 56 +++++++++++++++++++++++++----------------
labels/label-edit-profile.pl | 2 +-
labels/label-edit-template.pl | 4 +--
labels/label-manage.pl | 8 +++---
labels/label-print.pl | 4 +--
patroncards/edit-profile.pl | 2 +-
patroncards/edit-template.pl | 2 +-
patroncards/manage.pl | 8 +++---
patroncards/print.pl | 4 +--
t/db_dependent/Creators/Lib.t | 28 ++++++++++-----------
10 files changed, 66 insertions(+), 52 deletions(-)
hooks/post-receive
--
main Koha release repository