[koha-commits] main Koha release repository branch 17.05.x updated. v17.05.00-14-g2d1dad1

Git repo owner gitmaster at git.koha-community.org
Fri Jun 9 16:42:53 CEST 2017


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 17.05.x has been updated
       via  2d1dad1a4afa1bfaa14715b7953ed8265dbdb398 (commit)
      from  14e84e422ee5c454e2bce341a124330b047deb63 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 2d1dad1a4afa1bfaa14715b7953ed8265dbdb398
Author: Marc Véron <veron at veron.ch>
Date:   Tue May 23 07:08:41 2017 +0200

    Bug 18653: Possible privacy breach with OPAC password recovery
    
    OPAC password recovery allows one to find out which email address belongs to an account. An attacker could systematically guess login names. If they hit an existing one, OPAC displays a message like:
    An email has been sent to "xxx at yyy.zz".
    
    Having a combination of login name and email, attackers could use the information e.g. for phishing or other personalized actions.
    
    To reproduce:
    - Enable OPAC password recovery (syspref OpacResetPassword)
    - 'Guess' a login name e.g. by using a common pattern like ptester for Peter Tester
    - If such account exists, you get to know the related email address
    
    This patch removes the email address from the success message. Additionally, it changes
    wording to address Bug 18570 ('will be sent' instead of 'has been sent')
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Simplified the wording. "Will be sent shortly" is used elsewhere too.
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
    (cherry picked from commit eddf975cf0244c731f987c64af5126090f73f9f2)
    Signed-off-by: Fridolin Somers <fridolin.somers at biblibre.com>

-----------------------------------------------------------------------

Summary of changes:
 koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-password-recovery.tt |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
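The leak described in the commit, modelled as an added example (this is illustrative Python written for this page, not Koha's Perl/Template Toolkit code, and it does not model Koha's patron storage). The account table and the "no account" message for unknown logins are constructed assumptions; the page only states what the success message shows. The third handler goes one step beyond the patch: the patch strips the email address from the success message, while a response that is byte-identical for known and unknown logins also removes the login-existence oracle. The page does not say whether Koha does the latter; it is shown here as the general hardening pattern.

```python
"""Added example (not Koha code): account-enumeration oracle in a
password-recovery flow, as described for Bug 18653, with the 'before',
the patched, and a uniform-response variant of the success message."""

# Constructed sample accounts; hypothetical, not real Koha patrons.
USERS = {
    "ptester": "ptester@example.org",
    "jdoe": "jdoe@example.org",
}

# Stand-in for the mail queue: records which addresses a reset would go to.
OUTBOX = []


def send_reset_mail(address: str) -> None:
    """Hypothetical stand-in for dispatching the reset link."""
    OUTBOX.append(address)


def recovery_message_leaky(login: str, users=USERS) -> str:
    """'Before' behaviour from the commit message: a known login makes the
    page echo the email address the reset link was sent to."""
    email = users.get(login)
    if email is None:
        # Assumed wording for an unknown login; the page does not state it.
        return "No account found for this login."
    send_reset_mail(email)
    return f'An email has been sent to "{email}".'


def recovery_message_fixed(login: str, users=USERS) -> str:
    """Behaviour after the patch: the email address is no longer shown and the
    wording is 'will be sent shortly'. Whether a login exists is still assumed
    to be distinguishable here (constructed, not a claim about Koha)."""
    email = users.get(login)
    if email is None:
        return "No account found for this login."
    send_reset_mail(email)
    return "An email will be sent shortly."


def recovery_message_uniform(login: str, users=USERS) -> str:
    """Beyond the patch: the same text for every login, so the page itself
    is no existence oracle. Mail is still only dispatched for real accounts."""
    email = users.get(login)
    if email is not None:
        send_reset_mail(email)
    return "If an account matches this login, an email will be sent shortly."


def leaks_email(handler, known: str = "ptester") -> bool:
    """Does the response for a known login contain that account's address?"""
    return USERS[known] in handler(known)


def leaks_existence(handler, known: str = "ptester",
                    unknown: str = "zzz_no_such_user") -> bool:
    """The probe an attacker runs: are known and unknown logins
    distinguishable from the response text alone?"""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for name, h in [("leaky", recovery_message_leaky),
                    ("fixed", recovery_message_fixed),
                    ("uniform", recovery_message_uniform)]:
        print(f"{name:8s} leaks email: {leaks_email(h)!s:5s} "
              f"leaks existence: {leaks_existence(h)}")
```

`leaks_email` is the check the patch addresses; `leaks_existence` is the stricter check that a pentester would still run against the recovery page after the patch, since a "no account" branch with different wording, timing, or status code still enumerates logins.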


hooks/post-receive
-- 
main Koha release repository

