[koha-commits] main Koha release repository branch master updated. v16.11.00-606-gfbbd4b4

Git repo owner gitmaster at git.koha-community.org
Thu Mar 23 16:47:00 CET 2017


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, master has been updated
       via  fbbd4b40f0d71b79194fc186e66f985488be26c6 (commit)
       via  5508897d5a2b73c30d50fed26a6bfed62bf49398 (commit)
      from  a6f50cbcb92c2575eb31e906ea54bf0386654906 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit fbbd4b40f0d71b79194fc186e66f985488be26c6
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date:   Sun Jan 29 15:40:14 2017 +0100

    Bug 18010: Remove potential exposure from gettemplate
    
    A similar bad template check from C4::Auth::get_template_and_user
    should be applied in C4::Templates::gettemplate.
    
    Before this patch it would be possible to expose files like:
    my $template = C4::Templates::gettemplate(
        '/etc/passwd', 'intranet', CGI::new, 1
    );
    print $template->output;
    
    Note that the is_plugin flag in the above call is the culprit. This patch
    provides a quick security fix without touching get_template_and_user, and
    can be backported to stable branches.
    I will provide an enhanced and centralized check on report 17989, also
    removing the is_plugin flag.
    
    Note: We allow .pref here too for use in admin/preferences.pl.
    
    Test plan:
    [1] Run t/db_dependent/Auth.t (triggering get_template_and_user and
        gettemplate).
    [2] Run t/db_dependent/Templates.t again (see first test plan).
        The tests should no longer fail.
    [3] Open a page on opac or intranet.
    [4] Open a systempreferences tab.
    [5] Add a book to the cart and send it ([opac-]sendbasket uses gettemplate).
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
    
    Signed-off-by: Brendan A Gallagher <brendan at bywatersolutions.com>

commit 5508897d5a2b73c30d50fed26a6bfed62bf49398
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date:   Sun Jan 29 15:52:22 2017 +0100

    Bug 18010: Unit test for gettemplate
    
    A trivial test, similar to the ones in Auth.t.
    Without the check in gettemplate (added in the second patch), the passwd
    file will be exposed and the test fails.
    
    Test plan:
    Run t/db_dependent/Templates.t without second patch. The two tests in the
    last subtest should fail.
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
    
    Signed-off-by: Brendan A Gallagher <brendan at bywatersolutions.com>

-----------------------------------------------------------------------
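The two commit messages above describe the fix only in outline: gettemplate trusted the template name it was handed (with the is_plugin flag set it would read a path such as /etc/passwd), and the patch applies the same kind of "bad template" check that get_template_and_user already performs, with .pref allowed alongside the normal template suffix. The following Perl script is an added illustration of that class of check and is not Koha's code; the one-line change to C4/Templates.pm is not reproduced here, and the exact pattern Koha uses is not quoted. The helper name is_safe_template_name, the allowed-character set and the sample inputs are all assumptions made for this example. It mirrors the idea of the Templates.t test: the legitimate names pass, the absolute and traversal paths are rejected.

```perl
#!/usr/bin/perl
# Added illustration (not Koha's code): validate a template name before
# handing it to a template engine that would otherwise read any file.
use strict;
use warnings;

# Hypothetical helper. A template name is accepted only if it is relative,
# contains no parent-directory component, and is built from a conservative
# character set ending in an allowed suffix (.tt, plus .pref for the
# system preferences pages). Everything else is refused before any file
# access happens.
sub is_safe_template_name {
    my ($name) = @_;
    return 0 unless defined $name && length $name;
    return 0 if $name =~ m{^/};                 # absolute path
    return 0 if $name =~ m{(^|/)\.\.(/|$)};     # parent-directory traversal
    # Allowlist: letters, digits, underscore, dash and directory separators,
    # then exactly one allowed suffix. This also rejects traversal on its own,
    # since '.' is not in the character class; the check above is kept so the
    # intent is explicit.
    return 0 unless $name =~ m{^[A-Za-z0-9_\-/]+\.(tt|pref)$};
    return 1;
}

# Guard in the style of a "bad template path" check: callers that pass an
# unacceptable name get an exception rather than file contents.
sub checked_template_name {
    my ($name) = @_;
    die "bad template path: " . ( defined $name ? $name : '(undef)' ) . "\n"
        unless is_safe_template_name($name);
    return $name;
}

# Constructed sample inputs (expected verdict on the right).
my @cases = (
    [ 'opac-sendbasket.tt'             => 1 ],
    [ 'admin/preferences/opac.pref'    => 1 ],
    [ '/etc/passwd'                    => 0 ],
    [ '../../etc/passwd'               => 0 ],
    [ 'opac-main.tt/../../etc/passwd'  => 0 ],
    [ 'opac-main.pl'                   => 0 ],
    [ ''                               => 0 ],
);

for my $case (@cases) {
    my ( $name, $expected ) = @$case;
    my $got = is_safe_template_name($name);
    printf "%-32s %s\n", "'$name'", $got ? 'allowed' : 'rejected';
    die "unexpected verdict for '$name'\n" unless $got == $expected;
}

# Demonstrate the dying guard on the path the commit message cites.
eval { checked_template_name('/etc/passwd'); 1 }
    or print "guard refused: $@";

print "all checks passed\n";
```

The point of validating the name rather than the resolved path is that the check happens before any filesystem call, so the template engine's own search-path handling never sees an attacker-controlled absolute or traversal path. Extending the suffix allowlist (as the commit does for .pref) is the right way to admit a new legitimate template kind; loosening the character class is not.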

Summary of changes:
 C4/Templates.pm            |    1 +
 t/db_dependent/Templates.t |   11 ++++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)


hooks/post-receive
-- 
main Koha release repository