[koha-commits] main Koha release repository branch master updated. v16.11.00-648-g574d483

Git repo owner gitmaster at git.koha-community.org
Thu Mar 30 11:47:56 CEST 2017


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, master has been updated
       via  574d48362d32c14920712ae35bdd28101785315c (commit)
       via  7190593d9dd38001c2d101bcad5cddc222a45ebe (commit)
       via  3562816dd1b8855c7973ce5650ff834407c1a548 (commit)
      from  8dad1582c100017f8ad3e331c9a9b9cc9ed4e4d6 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 574d48362d32c14920712ae35bdd28101785315c
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Wed Feb 15 17:14:13 2017 +0100

    Bug 18124: Change the calls to generate and check CSRF tokens
    
    The parameter change in Koha::Token should be applied to the calling
    scripts.
    
    Test plan:
    Confirm that the different forms of the scripts modified by this patch
    still work correctly.
    
    Test the problematic behavior:
    Open 2 tabs in the same user's session, go to the edit patron page
    (memberentry.pl).
    Log out and log in from the other tab.
    Submit the form
    => Wrong CSRF token should be raised
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>

commit 7190593d9dd38001c2d101bcad5cddc222a45ebe
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date:   Thu Feb 16 11:59:12 2017 +0100

    Bug 18124: [Follow-up] Handle default parameters in a sub
    
    Adds an internal routine to handle default values for the parameters
    id and secret.
    Also adds a parameter session_id for generate_csrf and check_csrf. This
    session parameter is combined with the id parameter when generating or
    checking a token.
    
    Test plan:
    Run t/Token.t
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>

commit 3562816dd1b8855c7973ce5650ff834407c1a548
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Wed Feb 15 17:14:13 2017 +0100

    Bug 18124: Restrict CSRF token to user's session
    
    Currently the CSRF token generated is based on the borrowernumber, and
    is valid across the user's sessions.
    We need to restrict the CSRF token to the current session.
    
    With this patch the CSRF token is generated concatenating the id
    (borrowernumber) and the CGISESSID cookie.
    
    Test plan:
    Run t/Token.t
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>

-----------------------------------------------------------------------

Summary of changes:
 Koha/Token.pm              |   35 ++++++++++++++++++++++++++++-----
 basket/sendbasket.pl       |   10 ++--------
 members/deletemem.pl       |   13 +++---------
 members/member-flags.pl    |   11 ++---------
 members/member-password.pl |   11 ++---------
 members/memberentry.pl     |   13 +++---------
 members/moremember.pl      |    7 +------
 opac/opac-memberentry.pl   |   13 ++++--------
 opac/opac-sendbasket.pl    |   11 +++--------
 t/Token.t                  |   47 +++++++++++++++++++++++++++++++++++++-------
 tools/import_borrowers.pl  |    9 ++-------
 tools/picture-upload.pl    |   11 +++--------
 12 files changed, 95 insertions(+), 96 deletions(-)

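The three commits above describe a CSRF token that was keyed on the borrowernumber alone (so it stayed valid across that user's sessions) and the fix that combines the id with the CGISESSID cookie. The following Python is an added example written for this page, not Koha's Koha::Token code (which is Perl and uses its own token library and secret): it shows the per-user scheme beside the session-bound one and replays the commit's two-tab test plan. The secret value, the borrowernumber "51", the HMAC-SHA256 construction and the separator inserted between id and session id are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption for this example only: a fixed per-installation secret.
# Koha derives its own secret; this value is not Koha's.
SECRET = b"example-installation-secret"


def generate_csrf_per_user(borrowernumber: str, secret: bytes = SECRET) -> str:
    """Pre-fix behaviour: the token is keyed on the borrowernumber alone,
    so it is the same in every session that user ever opens."""
    return hmac.new(secret, borrowernumber.encode(), hashlib.sha256).hexdigest()


def check_csrf_per_user(borrowernumber: str, token: str, secret: bytes = SECRET) -> bool:
    expected = generate_csrf_per_user(borrowernumber, secret)
    return hmac.compare_digest(expected, token)


def _bound_id(borrowernumber: str, session_id: str) -> bytes:
    """Combine id and session id as the commit describes. A unit separator is
    added here (assumption, not stated in the commit) so that ("1", "23ab")
    and ("12", "3ab") cannot produce the same HMAC input."""
    return f"{borrowernumber}\x1f{session_id}".encode()


def generate_csrf(borrowernumber: str, session_id: str, secret: bytes = SECRET) -> str:
    """Post-fix behaviour: the token is bound to the current session, so a
    token issued under one CGISESSID fails verification under any other."""
    return hmac.new(secret, _bound_id(borrowernumber, session_id), hashlib.sha256).hexdigest()


def check_csrf(borrowernumber: str, session_id: str, token: str, secret: bytes = SECRET) -> bool:
    expected = generate_csrf(borrowernumber, session_id, secret)
    # Constant-time comparison: never compare tokens with == .
    return hmac.compare_digest(expected, token)


def new_session_id() -> str:
    """Stand-in for the CGISESSID cookie value issued at login."""
    return secrets.token_hex(16)


def stale_tab_submits(session_bound: bool) -> bool:
    """Replay the commit's test plan: tab 1 renders the edit-patron form in
    session A; the user logs out and back in from tab 2 (session B); tab 1
    then submits the form with the token it was given under session A.
    Returns True if the stale token is accepted, False if it is rejected."""
    borrowernumber = "51"  # constructed patron id
    first_session = new_session_id()
    if session_bound:
        token = generate_csrf(borrowernumber, first_session)
    else:
        token = generate_csrf_per_user(borrowernumber)
    # Logging out and in again issues a fresh CGISESSID.
    second_session = new_session_id()
    if session_bound:
        return check_csrf(borrowernumber, second_session, token)
    return check_csrf_per_user(borrowernumber, token)


if __name__ == "__main__":
    print("per-user token accepted after re-login:", stale_tab_submits(False))
    print("session-bound token accepted after re-login:", stale_tab_submits(True))
```

Run stand-alone, the per-user scheme accepts the stale token and the session-bound scheme rejects it, which is the "Wrong CSRF token" outcome the test plan expects. Binding the token to the session also means a token leaked from a logged-out session is worthless once the user logs in again, without having to rotate the server secret.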

hooks/post-receive
-- 
main Koha release repository

