[koha-commits] main Koha release repository branch 16.05.x updated. v16.05.08-19-g0a33668
Git repo owner
gitmaster at git.koha-community.org
Tue Jan 31 00:06:39 CET 2017
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, 16.05.x has been updated
via 0a336684d6dfd1049591e1e5a0f7fae2c68b2385 (commit)
via 635455cb00b2358eecb79f0516a0b9db2beb760a (commit)
via ab7e841d4f713c784a853d009df420fe707f4aa0 (commit)
via 22ccccc0bf514b232c30b533591f8c6378e46b2e (commit)
via c17572622d0209f8fd07902c6725e38bce18d383 (commit)
via b00d4dc2e01f9a1f9f28f8e68a5fc70d057657a3 (commit)
via 6c36b83ad7c2727367d75cfbfcc47c5ce9ea8c5b (commit)
via 1db4fba39258901c2a97574e6f263d0b86b2ac8a (commit)
via 99a2c87fc1fe730a428fa5080ac0167656c718f5 (commit)
via f68e2f242faaab5f01e1c215003f63b8a22168b6 (commit)
via 6185e0b62d015929035dcd42c45542014fd90d99 (commit)
via 29f1280ff043c5020b30738735061cbbacc1a74f (commit)
via f78a0c4eadf638ff8becdd63881165f807c00f85 (commit)
via b83d727215a7c7f6711fe6adcfcd268887c49328 (commit)
via b4f9173a98535eefeabbd5c8c4435abaaa1ac2e1 (commit)
via 2367660e9dbc2052b2690a2c939d2a441863fbc0 (commit)
via d9ca2a9dfc6321a875af7a7ddad7e16dcee5f6b9 (commit)
via ede73c80c6e20942f5f3dad656c7dfa177c8fc8a (commit)
from b3d40aae336021b2a6bac5ab1105efaa79cceedb (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 0a336684d6dfd1049591e1e5a0f7fae2c68b2385
Author: Katrin Fischer <katrin.fischer.83 at web.de>
Date: Mon Jan 30 16:47:23 2017 +0100
Bug 17902: Follow-up fixing SQL statement
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
Signed-off-by: Mirko Tietgen <mirko at abunchofthings.net>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
(cherry picked from commit 40cb8e3b7579987d0d461e8da6e350228722727c)
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
commit 635455cb00b2358eecb79f0516a0b9db2beb760a
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Tue Jan 10 18:06:51 2017 +0100
Bug 17902: Fix possible SQL injection in serials editing
/cgi-bin/koha/serials/serials-edit.pl?serstatus=*/+,2,3,'2016-12-12','2016-12-12',6,'jjj7','jjj8'%20--%20-&subscriptionid=1+and+1%3d2+Union+all+select+111+/*
The SQL query is not constructed correctly, placeholders must be used.
Subscription id and status list can be provided by the user.
This vulnerability has been reported by MDSec.
Signed-off-by: Mirko Tietgen <mirko at abunchofthings.net>
Signed-off-by: Nick Clemens <nick at bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
(cherry picked from commit f42dbd67d1b960906fd2b98560e7e3724452bce9)
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
commit ab7e841d4f713c784a853d009df420fe707f4aa0
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Thu Jan 19 11:46:21 2017 +0100
Bug 9569: Security patch for AutoLocation
If a patron is not allowed to access the staff interface because its IP
address is not in the authorised range of IPs, the cookie should not contain
the CGISESSID.
If it is, the patron is logged in and will be able to access the staff
interface if he reloads the page (or hits another one).
Test plan:
Confirm that the AutoLocation feature is now working as expected.
Note: It seems that this feature has never really worked as intended.
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Nick Clemens <nick at bywatersolutions.com>
commit 22ccccc0bf514b232c30b533591f8c6378e46b2e
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Thu Jan 19 10:00:40 2017 +0100
Bug 9569: Update warning message
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Nick Clemens <nick at bywatersolutions.com>
commit c17572622d0209f8fd07902c6725e38bce18d383
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Tue Aug 16 14:01:40 2016 +0100
Bug 9569: Do not check the IP for login at the OPAC
At the OPAC, the AutoLocation feature should not be taken into account:
login to the OPAC from outside the IP range should work
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Nick Clemens <nick at bywatersolutions.com>
commit b00d4dc2e01f9a1f9f28f8e68a5fc70d057657a3
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Tue Aug 16 13:56:25 2016 +0100
Bug 9569: Remove unused occurrence of AutoLocation
`git grep ManualLocation` does not return any results
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Nick Clemens <nick at bywatersolutions.com>
commit 6c36b83ad7c2727367d75cfbfcc47c5ce9ea8c5b
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Tue Aug 16 13:56:19 2016 +0100
Bug 9569: AutoLocation should not depend on IndependentBranches
Those 2 prefs can be independent and it does not make sense to consider
AutoLocation only if IndependentBranches is set.
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Nick Clemens <nick at bywatersolutions.com>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit 1db4fba39258901c2a97574e6f263d0b86b2ac8a
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Tue Aug 16 14:02:58 2016 +0100
Bug 9569: Fix AutoLocation - handle .* for subnets
The example in branches.tt is:
Can be entered as a single IP, or a subnet such as 192.168.1.*
But actually the regex in C4::Auth does not handle subnets.
Test plan:
0/ Apply all the patches
1/ Switch AutoLocation on
2/ Define a subnet (192.168.0.* if your ip is like 192.168.0.X) in the IP
range of your library
3/ Log in on the staff interface
=> Should work
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Nick Clemens <nick at bywatersolutions.com>
Signed-off-by: Mason James <mtj at kohaaloha.com>
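As an added illustration of the subnet-handling point in the Bug 9569 message above (not Koha code, and in Python rather than Koha's Perl): the `*` wildcard of a branch IP range is expanded into a CIDR network and the client address is tested with `ipaddress`, beside the naive regex check that wrongly accepts addresses outside the range. Function names and sample addresses are constructed.

```python
import ipaddress
import re

def range_to_network(spec):
    """Expand a branch IP range such as '192.168.1.*' (or a single address)
    into an ip_network; '*' may only replace whole trailing octets."""
    octets = spec.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"bad IP range: {spec!r}")
    fixed = []
    for octet in octets:
        if octet == "*":
            break
        if not octet.isdigit() or int(octet) > 255:
            raise ValueError(f"bad octet in IP range: {spec!r}")
        fixed.append(octet)
    if not fixed or any(o != "*" for o in octets[len(fixed):]):
        raise ValueError(f"wildcards must be trailing: {spec!r}")
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}")

def ip_allowed(client_ip, ranges):
    """True when the client address lies in any of the library's ranges."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in range_to_network(r) for r in ranges)

def naive_regex_allowed(client_ip, spec):
    """The pitfall: using the range text as a regex, where '.' matches any
    character and '1.*' also swallows '100.5'."""
    return re.match(spec, client_ip) is not None

if __name__ == "__main__":
    print(ip_allowed("192.168.1.77", ["192.168.1.*"]))          # True
    print(ip_allowed("192.168.100.5", ["192.168.1.*"]))         # False
    print(naive_regex_allowed("192.168.100.5", "192.168.1.*"))  # True (wrong)
```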
commit 99a2c87fc1fe730a428fa5080ac0167656c718f5
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Fri Jan 13 16:19:45 2017 +0100
Bug 17905: FIX CSRF in member-flags
If an attacker can get an authenticated Koha user to visit their page
with the url below, privilege escalation is possible
The exploit can be simulated triggering
/cgi-bin/koha/members/member-flags.pl?member=42&newflags=1&flag=superlibrarian
Test plan:
Trigger the url above
=> Without this patch, 42 is now superlibrarian
=> With this patch, you will get the "Wrong CSRF token" error.
This vulnerability has been reported by MDSec.
Signed-off-by: Mirko Tietgen <mirko at abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
(cherry picked from commit 0c3c162f767f5587f5fad7375151f8efca3689b3)
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
commit f68e2f242faaab5f01e1c215003f63b8a22168b6
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Fri Jan 13 16:40:59 2017 +0100
Bug 17903: Fix possible SQL injection in serial claims
To recreate:
/cgi-bin/koha/serials/claims.pl?serialid=1)and%20(select*from(select(sleep(20)))a)--%20&letter_code=0
Notice the delay.
The SQL query is not constructed correctly, placeholders must be used.
This vulnerability has been reported by MDSec.
Signed-off-by: Mirko Tietgen <mirko at abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit 6185e0b62d015929035dcd42c45542014fd90d99
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Fri Jan 13 17:07:34 2017 +0100
Bug 17901: Force context to scalar
See bug 15809 for more references.
Signed-off-by: Mirko Tietgen <mirko at abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
(cherry picked from commit cb4fa17a2712d04590d218635913bfe794510615)
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
commit 29f1280ff043c5020b30738735061cbbacc1a74f
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Fri Jan 13 17:03:41 2017 +0100
Bug 17901: Fix possible SQL injection in shelf editing
It has been reported that
/cgi-bin/koha/opac-shelves.pl?op=edit&referer=view&shelfnumber=146&owner=4&shelfname=testX&sortfield=titleaaaaaa\`&category=1
Could lead to SQL injection
Actually it explodes because the generated SQL query is not correctly formatted.
However it would be good to limit the possible values for sortfield.
This vulnerability has been reported by MDSec.
Signed-off-by: Mirko Tietgen <mirko at abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
(cherry picked from commit 45cffd874c62c7b090390c5fb3c955c31f524608)
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
commit f78a0c4eadf638ff8becdd63881165f807c00f85
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Fri Jan 27 10:01:42 2017 +0100
Bug 17900: Update the tests to the new API
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
(cherry picked from commit 42460b871472d2a408bc38a747fd375062af4d7e)
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
commit b83d727215a7c7f6711fe6adcfcd268887c49328
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Fri Jan 13 17:43:25 2017 +0100
Bug 17900: Fix possible SQL injection in patron cards template editing
To recreate:
/cgi-bin/koha/patroncards/edit-template.pl?op=edit&element_id=23%20and%201%3d2+union+all+select+1,user(),@@version+--%20
Look at the Profile dropdown list.
To fix this problem and to make sure it does not appear anywhere else
in the label and patroncards modules, I have refactored the way the
queries are built in C4::Creators::Lib
Now all of the subroutines take a hashref as parameter with 'fields'
and 'filters' parameters.
From these 2 parameters the new internal subroutine _build_query will
build the query and use placeholders.
Test plan:
1/ Make sure you do not recreate the vulnerability with this patch
applied.
2/ With decent data in the labels and patroncards modules, compare all
the different views (under the New and Manage button groups) with and
without this patch applied.
=> You should not see any differences.
This vulnerability has been reported by MDSec.
Signed-off-by: Chris Cormack <chris at bigballofwax.co.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
(cherry picked from commit a70980d8255a66c33539926796c06b29b26fbb40)
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
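As an added example, not Koha's own C4::Creators::Lib code and in Python rather than Perl, this is the shape of the `fields`/`filters` query builder described in the Bug 17900 message, with every filter value bound as a placeholder, plus the sort-field allowlist the Bug 17901 message suggests for values that cannot be bound. Table, column names and rows are constructed.

```python
import re
import sqlite3

# Column names allowed in ORDER BY: identifiers cannot be bound as '?'
# placeholders, so a user-chosen sort field is checked against a fixed set
# (constructed here; Koha's real sort fields may differ).
ALLOWED_SORT = {"shelfname", "title", "author"}

def _ident(name):
    """Defence in depth for table/column names, which must come from code."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise ValueError(f"not a plain SQL identifier: {name!r}")
    return name

def build_query(table, fields, filters, sortfield=None):
    """Return (sql, binds): every filter *value* becomes a '?' placeholder,
    so user input never enters the SQL text."""
    sql = f"SELECT {', '.join(_ident(f) for f in fields)} FROM {_ident(table)}"
    binds = []
    if filters:
        clauses = [f"{_ident(col)} = ?" for col in filters]
        binds = list(filters.values())
        sql += " WHERE " + " AND ".join(clauses)
    if sortfield is not None:
        if sortfield not in ALLOWED_SORT:
            raise ValueError(f"refusing unknown sort field: {sortfield!r}")
        sql += f" ORDER BY {sortfield}"
    return sql, binds

def demo_db():
    """Constructed in-memory stand-in for a templates table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE creator_templates "
               "(template_id INTEGER, profile_id INTEGER, template_code TEXT)")
    db.executemany("INSERT INTO creator_templates VALUES (?, ?, ?)",
                   [(23, 1, "patron card"), (24, 2, "spine label")])
    return db

def lookup_template(db, element_id):
    """One template by id, where the id arrives as a query parameter."""
    sql, binds = build_query("creator_templates",
                             ["template_id", "template_code"],
                             {"template_id": element_id})
    return db.execute(sql, binds).fetchall()

if __name__ == "__main__":
    db = demo_db()
    print(lookup_template(db, 23))
    # An injection-shaped value is bound as a literal: it matches no row
    # and is never parsed as SQL.
    print(lookup_template(db, "23 and 1=2 union all select 1,user(),3 --"))
```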
commit b4f9173a98535eefeabbd5c8c4435abaaa1ac2e1
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Wed Jan 25 11:33:43 2017 +0100
Bug 17990: Refactor Perl module versions check
The code is duplicated, variables are not set ($_), code is hard to read,
not covered by tests and the subroutine has 2 completely different
behaviors depending on the presence of the "module" parameter.
No need more to rewrite it.
Test plan:
- Use koha_perl_deps.pl with the different options (-u -m -a -i)
- Go on the about page, "Perl modules" tab
You should not see any differences from before and after this patch
Signed-off-by: David Cook <dcook at prosentient.com.au>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit 2367660e9dbc2052b2690a2c939d2a441863fbc0
Author: David Cook <dcook at prosentient.com.au>
Date: Wed Jan 25 09:58:40 2017 +1100
Bug 17986: Perl dependency evaluation incorrect
It looks like I made a copy/paste error in a previous patch.
While the fix was working when you pass the param "module" to
version_info, it wasn't populating the version correctly
for the "all" param, which causes koha_perl_deps.pl to
think all OK modules actually need an upgrade.
TEST PLAN
0) Be on a system where you know your Koha Perl dependencies are
mostly up-to-date
1) Run ./koha_perl_deps.pl -a -c
2) Note that most modules say they need an upgrade even when
the installed version is the same as the minimum version
3) Apply patch
4) Run ./koha_perl_deps.pl -a -c
5) Note that most modules say they're OK, especially when the
installed version is the same or greater than the minimum version
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Running koha_perl_deps.pl -u convinced me.
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit d9ca2a9dfc6321a875af7a7ddad7e16dcee5f6b9
Author: David Cook <dcook at prosentient.com.au>
Date: Thu Jan 12 11:15:22 2017 +1100
Bug 17880 - Use version.pm to parse version numbers in C4::Installer::PerlModules
Signed-off-by: Mark Tompsett <mtompset at hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit ede73c80c6e20942f5f3dad656c7dfa177c8fc8a
Author: David Cook <dcook at prosentient.com.au>
Date: Thu Jan 12 11:14:34 2017 +1100
Bug 17880 - Add test to check version number comparison
Signed-off-by: Mark Tompsett <mtompset at hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Signed-off-by: Mason James <mtj at kohaaloha.com>
-----------------------------------------------------------------------
Summary of changes:
C4/Auth.pm | 11 ++-
C4/Creators/Lib.pm | 56 +++++++++-----
C4/Installer/PerlModules.pm | 80 +++++++++++---------
C4/Letters.pm | 6 +-
C4/Serials.pm | 13 ++--
about.pl | 2 +-
circ/circulation.pl | 5 --
installer/install.pl | 2 +-
koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt | 24 +++---
.../prog/en/modules/circ/circulation-home.tt | 2 +-
.../prog/en/modules/members/member-flags.tt | 1 +
koha_perl_deps.pl | 2 +-
labels/label-edit-profile.pl | 2 +-
labels/label-edit-template.pl | 4 +-
labels/label-manage.pl | 8 +-
labels/label-print.pl | 4 +-
members/member-flags.pl | 17 +++++
opac/opac-shelves.pl | 16 ++--
patroncards/edit-profile.pl | 2 +-
patroncards/edit-template.pl | 2 +-
patroncards/manage.pl | 8 +-
patroncards/print.pl | 4 +-
t/Installer_PerlModules.t | 52 +++++++++++--
t/Installer_pm.t | 6 +-
t/db_dependent/Creators/Lib.t | 28 +++----
virtualshelves/shelves.pl | 5 +-
26 files changed, 223 insertions(+), 139 deletions(-)
hooks/post-receive
--
main Koha release repository