[koha-commits] main Koha release repository branch 3.22.x updated. v3.22.18-5-g093f902
Git repo owner
gitmaster at git.koha-community.org
Fri Mar 31 15:20:17 CEST 2017
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, 3.22.x has been updated
via 093f902eafe4f721f88445ee3f5ef440c9768f30 (commit)
via 65b29fdda57d66d8beb105ecaca4fe7eaa1fab50 (commit)
from f23c9225406f8ab61da7c0560e4c56ec4065a601 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 093f902eafe4f721f88445ee3f5ef440c9768f30
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date: Sun Jan 29 15:40:14 2017 +0100
Bug 18010: Remove potential exposure from gettemplate
A similar bad template check from C4::Auth::get_template_and_user
should be applied in C4::Templates::gettemplate.
Before this patch it would be possible to expose files like:
    my $template = C4::Templates::gettemplate(
        '/etc/passwd', 'intranet', CGI::new, 1
    );
    print $template->output;
Note that the is_plugin flag in the above call is the culprit. This patch
provides a quick security fix without touching get_template_and_user, and
can be backported to stable branches.
I will provide an enhanced and centralized check on report 17989, also
removing the is_plugin flag.
Note: We allow .pref here too for use in admin/preferences.pl.
Test plan:
[1] Run t/db_dependent/Auth.t (triggering get_template_and_user and
gettemplate).
[2] Run t/db_dependent/Templates.t again (see first test plan).
The tests should no longer fail.
[3] Open a page on opac or intranet.
[4] Open a systempreferences tab.
[5] Add a book to the cart and send it ([opac-]sendbasket uses gettemplate).
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Signed-off-by: Brendan A Gallagher <brendan at bywatersolutions.com>
(cherry picked from commit fbbd4b40f0d71b79194fc186e66f985488be26c6)
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
(cherry picked from commit 74fe3f5cda7cac22640f9ae3d68b3d62a6765dc0)
Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>
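The kind of check the commit describes (only .tt and .pref names may reach gettemplate), written out as an added Perl example; this is not Koha's code, and validate_template_name, the template root and the sample names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Hypothetical helper, not Koha's own code: decide whether a caller-supplied
# template name may be passed on to the template engine. It follows the
# commit's rule (only .tt and .pref files, .pref for admin/preferences.pl)
# and additionally pins the resolved path below the template root.
sub validate_template_name {
    my ( $htdocs, $tmplbase ) = @_;

    return ( 0, 'empty name' ) unless defined $tmplbase && length $tmplbase;

    # A NUL byte would let the C-level open() see a shorter name than the
    # regex below does, so refuse it before looking at the extension.
    return ( 0, 'NUL byte in name' ) if $tmplbase =~ /\0/;

    # Only template files; \z rather than $ so a trailing newline cannot pass.
    return ( 0, 'not a .tt or .pref file' ) unless $tmplbase =~ /\.(?:tt|pref)\z/;

    # An absolute name ignores the template root entirely (e.g. /etc/passwd).
    return ( 0, 'absolute path' ) if File::Spec->file_name_is_absolute($tmplbase);

    # canonpath does not resolve '..', so every traversal step stays visible.
    my @parts = File::Spec->splitdir( File::Spec->canonpath($tmplbase) );
    return ( 0, 'parent-directory component' ) if grep { $_ eq '..' } @parts;

    return ( 1, File::Spec->catfile( $htdocs, @parts ) );
}

# Constructed sample inputs; the root is an assumed Koha template directory.
my $root  = '/usr/share/koha/intranet/htdocs/intranet-tmpl/prog/en/modules';
my @names = (
    'opac-sendbasket.tt',            # accepted
    'admin/preferences/opac.pref',   # accepted (.pref allowed)
    '/etc/passwd',                   # rejected: wrong extension
    '/etc/passwd.tt',                # rejected: absolute path
    '../../../../etc/passwd.tt',     # rejected: traversal
    "opac-sendbasket\0.tt",          # rejected: NUL byte
);
for my $name (@names) {
    my ( $ok, $detail ) = validate_template_name( $root, $name );
    ( my $shown = $name ) =~ s/\0/\\0/g;    # make the NUL visible when printing
    printf "%-30s %s\n", $shown, $ok ? "OK -> $detail" : "REJECTED: $detail";
}
```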
commit 65b29fdda57d66d8beb105ecaca4fe7eaa1fab50
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date: Sun Jan 29 15:52:22 2017 +0100
Bug 18010: Unit test for gettemplate
A trivial test, similar to the ones in Auth.t.
Without the check in gettemplate (added in the second patch), the passwd
file will be exposed and the test fails.
Test plan:
Run t/db_dependent/Templates.t without second patch. The two tests in the
last subtest should fail.
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Signed-off-by: Brendan A Gallagher <brendan at bywatersolutions.com>
(cherry picked from commit 5508897d5a2b73c30d50fed26a6bfed62bf49398)
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Conflicts:
t/db_dependent/Templates.t
(cherry picked from commit 1161a67476b5b61358fdaecca57b012e663a7b02)
Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>
-----------------------------------------------------------------------
Summary of changes:
C4/Templates.pm | 1 +
t/db_dependent/Templates.t | 14 +++++++++++++-
2 files changed, 14 insertions(+), 1 deletion(-)
hooks/post-receive
--
main Koha release repository