[koha-commits] main Koha release repository branch master updated. v16.11.00-725-gd2ee53f

Git repo owner gitmaster at git.koha-community.org
Fri Mar 31 15:49:02 CEST 2017


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, master has been updated
       via  d2ee53fb5f90277d47fc56667e71018f5d9b88a9 (commit)
       via  5a7dc0749f581e4c4bc6ec68d3f3ab6bac12afd5 (commit)
      from  f454013ec9beb8f6e4c382253b76bfac5ca65244 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit d2ee53fb5f90277d47fc56667e71018f5d9b88a9
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date:   Thu Mar 30 10:20:30 2017 +0200

    Bug 18019: [QA Follow-up] Also catch the delete from authorities detail
    
    Good catch from Jonathan. See comment11.
    Authorities detail should pass a CSRF token to authorities-home when
    deleting a record without linked biblios.
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
    Passing the token with GET is not a good way to do, but nothing quick to
    replace that.
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>

commit 5a7dc0749f581e4c4bc6ec68d3f3ab6bac12afd5
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date:   Tue Feb 7 09:09:33 2017 +0100

    Bug 18019: Add CSRF protection to authorities-home.pl (op==delete)
    
    Without this patch, it is possible to delete authority records with URL
    manipulation.
    Like: /cgi-bin/koha/authorities/authorities-home.pl?op=delete&authid=[XXX]
    
    Test plan:
    [1] Go to Authorities. Search for some authorities (without links).
    [2] Delete an authority. Should work.
    [3] Apply patch.
    [4] Construct a URL like above to delete another authority. Should fail.
        Under Plack this results in an internal server error, the log tells
        you: Wrong CSRF token.
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Nick Clemens <nick at bywatersolutions.com>
    Amended the test plan.
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>

-----------------------------------------------------------------------

Summary of changes:
 authorities/authorities-home.pl                           |   13 +++++++++++++
 authorities/detail.pl                                     |    2 ++
 .../intranet-tmpl/prog/en/modules/authorities/detail.tt   |    2 +-
 .../prog/en/modules/authorities/searchresultlist.tt       |    3 ++-
 4 files changed, 18 insertions(+), 2 deletions(-)
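
The check the commit messages describe, as an added example that is not Koha's code and not part of the original email: a session-bound token is verified before the op=delete branch touches a record. The secret, session id, `csrf_token` parameter name and all helper names are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added illustration, not Koha code: names, secret and session ids are constructed.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET = 'constructed-server-side-secret';    # placeholder value, server-side only

# Token bound to the logged-in session, so a link built for one session fails in another.
sub generate_csrf {
    my ($session_id) = @_;
    return hmac_sha256_hex( $session_id, $SECRET );
}

# Compare every character instead of stopping at the first difference.
sub check_csrf {
    my ( $session_id, $token ) = @_;
    return 0 unless defined $token;
    my $expected = generate_csrf($session_id);
    return 0 unless length($token) == length($expected);
    my $diff = 0;
    $diff |= ord( substr( $token, $_, 1 ) ) ^ ord( substr( $expected, $_, 1 ) )
        for 0 .. length($expected) - 1;
    return $diff == 0 ? 1 : 0;
}

# Hypothetical stand-in for the op==delete branch: refuse before touching any record.
sub handle_request {
    my ( $session_id, $params, $authorities ) = @_;
    return 'no-op' unless ( $params->{op} // '' ) eq 'delete';
    die "Wrong CSRF token\n"
        unless check_csrf( $session_id, $params->{csrf_token} );
    delete $authorities->{ $params->{authid} };
    return 'deleted';
}

my %authorities = ( 101 => 'Constructed heading A', 102 => 'Constructed heading B' );
my $session     = 'constructed-session-id';

# Request shaped like the crafted URL (op=delete&authid=101, no token): must be refused.
my $result = eval { handle_request( $session, { op => 'delete', authid => 101 }, \%authorities ) };
print "forged request: ", ( defined $result ? "$result\n" : "rejected: $@" );
print "record 101 still present\n" if exists $authorities{101};

# Link rendered by the application carries this session's token: must be accepted.
my %ok = ( op => 'delete', authid => 102, csrf_token => generate_csrf($session) );
print "legitimate request: ", handle_request( $session, \%ok, \%authorities ), "\n";
```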


hooks/post-receive
-- 
main Koha release repository

