[koha-commits] main Koha release repository branch 16.05.x updated. v16.05.11-110-g81425d1
Git repo owner
gitmaster at git.koha-community.org
Wed May 3 17:16:33 CEST 2017
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, 16.05.x has been updated
via 81425d15cb7c7f5f5876eb2e2ff1daabd9f9323d (commit)
via db88517d2434bccad700b9692ca6db68e4210ce1 (commit)
via f028eb20b6fcc2b8976a191bb37d9db04dd6ed1b (commit)
via 3a6a9f761cdf27d3960df530d64dd88c60d44612 (commit)
via 8aa1e40953960adfdc3d8cbde76f61903846d99c (commit)
via e1a72e9d21a1fab90257b5fde4579e2b6c6a6ee9 (commit)
via fd5e11dad2a5c918651ca895c781d5f3b6fdf2d8 (commit)
via f2e37db0ff75c59933ff37ed8a4aa92930b95ce2 (commit)
via 5a627a355e63d932f3d16114529e4f548915d3eb (commit)
via c55b093e79d404ff674dcccdb032a2d74cc398b9 (commit)
via e1294b6d91087b5d1050df623e5000cc46eb39c4 (commit)
via cf3b67032e0577ba6f93fd123d5f533da6893595 (commit)
via a8cd63919cd29f30b242fea8719f3e506296e5f3 (commit)
via 08ec3cd0d0aedd3996938e1fb55d7ae855278d7a (commit)
via a0b7acfae15efb6bf120a8b62daf55eff72b56a0 (commit)
via 7580cbda9e78ca6da0dc717f2a190a21ffc34468 (commit)
via e628d013cd43aebfa48f591f3c7b0c01c06ac79a (commit)
via c6d7fd2dd3a088eb4f5a0ad79b45cff2e257de32 (commit)
via a6f3a107f1f9dd1a116422e63802f1a322beb364 (commit)
via 7cac8af04a988a00adc92e8db0b306f0afa94e3f (commit)
from b4e98fb723f163efef512ba2f905fa4d565480c9 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 81425d15cb7c7f5f5876eb2e2ff1daabd9f9323d
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Tue Feb 14 15:22:40 2017 +0000
Bug 18094: Only search in searchable patron attributes if searching in standard fields
Test plan:
- Add a new patron attribute and mark it searchable
- Populate a new patron with 'potato' in that field
- Add/edit another patron to have email 'potato at invalidemail.com'
- Perform a patron search with query 'potato' (in standard fields)
=> Both patrons are returned
- Perform a patron search with filters 'Email' and query 'potato'
=> Only 1 patron is returned and you are redirected to the patron detail page.
Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron at veron.ch>
Signed-off-by: Nick Clemens <nick at bywatersolutions.com>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit db88517d2434bccad700b9692ca6db68e4210ce1
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Tue Feb 14 16:19:25 2017 +0100
Bug 18094: Add tests to highlight the problem
Signed-off-by: Marc Véron <veron at veron.ch>
Signed-off-by: Nick Clemens <nick at bywatersolutions.com>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit f028eb20b6fcc2b8976a191bb37d9db04dd6ed1b
Author: Mason James <mtj at kohaaloha.com>
Date: Wed May 3 20:20:50 2017 +1200
revert buggy CSRF in opac/opac-memberentry.pl
commit 3a6a9f761cdf27d3960df530d64dd88c60d44612
Author: Mason James <mtj at kohaaloha.com>
Date: Wed May 3 16:00:25 2017 +1200
Revert "Bug 18307 - Branchname is no longer displayed in subscription tab view"
This reverts commit 719dc345f4d38b1e34ef2318f472e4757709a647.
commit 8aa1e40953960adfdc3d8cbde76f61903846d99c
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Thu Aug 18 15:52:38 2016 +0100
Bug 17146: Fix CSRF in picture-upload.pl
If an attacker can get an authenticated Koha user to visit their page
with the url below, they can change or delete patrons' images
/tools/picture-upload.pl?op=Delete&borrowernumber=42
Test plan:
1/ Hit /tools/picture-upload.pl?op=Delete&borrowernumber=42
And confirm that you get a "Wrong CSRF token" error
2/ Go on the patron detail page with a patron's image
3/ Click on the Delete link (note the csrf_token param)
4/ The image will be deleted and you are redirected to the patron detail
page.
Regression tests:
Upload an image from the patron detail page and from the "upload patron
images" tool.
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit e1a72e9d21a1fab90257b5fde4579e2b6c6a6ee9
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Fri Aug 12 11:36:06 2016 +0100
Bug 17116: Fix CSRF in import_borrowers.pl
If an attacker can get an authenticated Koha user to visit their page
with the url below, they can change patrons' information
The exploit can be simulated triggering
/tools/import_borrowers.pl?uploadborrowers=42
In that case it won't do anything wrong, but if you POST a valid file,
it could.
Test plan:
Trigger the url above
=> Without this patch, you will see the result page
=> With this patch, you will get the "Wrong CSRF token" error.
Regression test:
Import a valid file from the import patron form, everything should go
fine.
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit fd5e11dad2a5c918651ca895c781d5f3b6fdf2d8
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date: Tue Aug 16 14:20:36 2016 +0200
Bug 17109: [QA Follow-up] Die when wrong token
Removes template var csrf_error and associated handling.
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Retested with opac and intranet: Still sends or dies elegantly.
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit f2e37db0ff75c59933ff37ed8a4aa92930b95ce2
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date: Fri Aug 12 08:29:42 2016 +0200
Bug 17109: Use Koha.Preference in sendbasket template
No need to send OPACBaseURL to the template, if you load the Koha TT
plugin inside the template.
Test plan:
Send a few items in your cart from OPAC and intranet.
Signed-off-by: Marc Véron <veron at veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
commit 5a627a355e63d932f3d16114529e4f548915d3eb
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date: Thu Aug 11 14:17:14 2016 +0200
Bug 17109: Add CSRF token to [opac-]sendbasket
If you have no (valid) token, you will not be able to send the message.
Test plan:
[1] Verify if you can still send the cart from opac and intranet.
[2] While still being logged in, try to send the cart from opac by
using the following URL:
/cgi-bin/koha/opac-sendbasket.pl?email_add=you at somedomain.com&comment=csrf_test&bib_list=doesnotmatter&csrf_token=justsomeguess12345
This should now result in a csrf error.
Signed-off-by: Marc Véron <veron at veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit c55b093e79d404ff674dcccdb032a2d74cc398b9
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date: Thu Aug 11 13:10:21 2016 +0200
Bug 17109: Remove second authentication from (opac-)sendbasket
Patch deals with opac and intranet variant.
If we authenticated the first time, it is not necessary to do it
a second time right away.
Replaces a call to get_template_and_user (including checkauth) by
gettemplate.
Also removes duplicate use C4::Biblio statements.
Test plan:
[1] Put a few books in the cart.
[2] Send the cart from OPAC.
[3] Send the cart from intranet.
Tested 3 patches together. Works as expected.
Signed-off-by: Marc Véron <veron at veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit e1294b6d91087b5d1050df623e5000cc46eb39c4
Author: Mason James <mtj at kohaaloha.com>
Date: Wed May 3 14:07:02 2017 +1200
Bug 18124: add to members/deletemem.pl
commit cf3b67032e0577ba6f93fd123d5f533da6893595
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date: Fri Aug 12 09:15:01 2016 +0200
Bug 17097: [QA Follow-up] Exit after redirect
Adds one exit statement, and some whitespace.
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Verified deleting a patron again.
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit a8cd63919cd29f30b242fea8719f3e506296e5f3
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Wed Aug 10 12:18:04 2016 +0100
Bug 17097: here the var is 'member', not 'borrowernumber'
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit 08ec3cd0d0aedd3996938e1fb55d7ae855278d7a
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Tue Aug 9 22:29:25 2016 +0100
Bug 17097: Fix CSRF in deletemem.pl
If an attacker can get an authenticated Koha user to visit their page
with the url below, they can delete patrons' details.
/members/deletemem.pl?member=42
Test plan:
0/ Do not apply any patches
1/ Adapt and hit the url above
=> The patron will be deleted without confirmation
2/ Apply first patch
3/ Hit the url
=> you will get a confirmation page
4/ Hit /members/deletemem.pl?member=42&delete_confirmed=1
=> The patron will be deleted without confirmation
5/ Apply the second patch (this one)
6/ Hit /members/deletemem.pl?member=42&delete_confirmed=1
=> you will get a crash "Wrong CSRF token" (no need to stylish)
7/ Delete a patron from the detail page and confirm the deletion
=> you will be redirected to the patron module home page and the patron
has been deleted
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit a0b7acfae15efb6bf120a8b62daf55eff72b56a0
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Tue Aug 9 22:18:14 2016 +0100
Bug 17097: Add a confirmation page when deleting a patron
It won't hurt to have a confirmation page when deleting a patron.
Moreover it's the more easy way to protect against CSRF attacks :)
Test plan:
Make sure you get a confirmation page when deleting a patron
Confirm that approving or denying the confirmation work as expected
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit 7580cbda9e78ca6da0dc717f2a190a21ffc34468
Author: Mason James <mtj at kohaaloha.com>
Date: Wed May 3 13:15:43 2017 +1200
t/Token.t merge typo fix
modified: t/Token.t
commit e628d013cd43aebfa48f591f3c7b0c01c06ac79a
Author: Mason James <mtj at kohaaloha.com>
Date: Wed May 3 12:24:04 2017 +1200
Bug 18124: [16.05.x] remove HouseboundModule code
modified: members/memberentry.pl
commit c6d7fd2dd3a088eb4f5a0ad79b45cff2e257de32
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Thu Jul 28 12:55:43 2016 +0100
Bug 16993: Fix CSRF in memberentry.pl
If an attacker can get an authenticated Koha user to visit their page
with the url below, they can change patrons' passwords or other
patrons' details
members/memberentry.pl?op=save&destination=circ&borrowernumber=3435&password=ZZZ&password2=ZZZ&nodouble=1
Test plan:
Trigger
members/memberentry.pl?op=save&destination=circ&borrowernumber=42&password=ZZZ&password2=ZZZ&nodouble=1
=> Without this patch, the password will be updated
=> With this patch applied you will get a crash "Wrong CSRF token" (no
need to stylish)
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Amended: removed the commented use Digest::MD5-line.
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit a6f3a107f1f9dd1a116422e63802f1a322beb364
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date: Fri Aug 12 08:09:50 2016 +0200
Bug 17110: Add unit test for MaxAge parameter in Token.t
Test plan:
Run t/Token.t
Signed-off-by: Marc Véron <veron at veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit 7cac8af04a988a00adc92e8db0b306f0afa94e3f
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date: Thu Aug 11 15:25:44 2016 +0200
Bug 17110: Lower CSRF expiry in Koha::Token
Default expiry in WWW::CSRF is one week.
This patch sets it to 8 hours by default in Koha, and allows to
change the expiry period individually by passing MaxAge.
Test plan:
[1] Put items in your cart.
[2] Apply the example patch too.
[3] Send the cart from opac within the allotted 10 seconds.
[4] Send again, but wait some 10 seconds before submitting. Too late!
Tested 3 patches together, works as expected.
Signed-off-by: Marc Véron <veron at veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Signed-off-by: Mason James <mtj at kohaaloha.com>
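The commits above share one pattern: a state-changing script (deletemem.pl, memberentry.pl, sendbasket) must refuse to act unless the request carries a token that is bound to the caller's session and has not outlived its expiry, and a wrong token is a hard failure ("Wrong CSRF token", the script dies) rather than a soft warning. The following is an added example, not Koha's Koha::Token or WWW::CSRF code, written in Python to show the same mechanism end to end: an HMAC-SHA256 token bound to a session id and an issue timestamp, an 8-hour default lifetime that a caller can shorten per call (the equivalent of the MaxAge parameter from Bug 17110), and a two-step delete flow modelled on the deletemem.pl fix, where a bare request only gets a confirmation page and the confirmed request must present a valid token. The function names, the token layout, and the secret are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

# Mirrors the 8-hour default the Bug 17110 commit describes (assumption: seconds).
DEFAULT_MAX_AGE = 8 * 3600


class CsrfError(Exception):
    """Raised when a token is missing, malformed, forged, bound to another
    session, or expired. The caller is expected to abort the request."""


def generate_token(secret: bytes, session_id: str, now=None) -> str:
    """Issue a token of the form '<issued>:<nonce>:<mac>'.

    The MAC covers the session id and the issue time, so a token copied
    from one session cannot be replayed in another, and the issue time
    cannot be moved forward to dodge the expiry check."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)  # per-token randomness; hex, so never contains ':'
    payload = f"{issued}:{nonce}"
    mac = hmac.new(secret, f"{session_id}|{payload}".encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def verify_token(secret: bytes, session_id: str, token, max_age: int = DEFAULT_MAX_AGE, now=None) -> bool:
    """Return True for a valid token; raise CsrfError otherwise.

    Every failure mode raises the same error, just as the Koha scripts die
    with one 'Wrong CSRF token' message, so an attacker learns nothing
    about which check failed."""
    now = time.time() if now is None else now
    try:
        issued_s, nonce, mac = token.split(":")
        issued = int(issued_s)
    except (ValueError, AttributeError):
        raise CsrfError("Wrong CSRF token")  # missing, guessed or malformed token
    expected = hmac.new(secret, f"{session_id}|{issued_s}:{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise CsrfError("Wrong CSRF token")  # forged MAC or token from another session
    if now - issued > max_age:
        raise CsrfError("Wrong CSRF token")  # valid once, but past its lifetime
    return True


def token_is_valid(secret: bytes, session_id: str, token, max_age: int = DEFAULT_MAX_AGE, now=None) -> bool:
    """Boolean convenience wrapper around verify_token."""
    try:
        return verify_token(secret, session_id, token, max_age=max_age, now=now)
    except CsrfError:
        return False


def handle_delete_request(params: dict, session_id: str, secret: bytes, now=None) -> str:
    """Model of the two-step flow from the deletemem.pl commits.

    A request without delete_confirmed only yields a confirmation page, so a
    link an attacker plants cannot delete anything by itself. The confirmed
    request must carry the csrf_token the confirmation page embedded; a
    missing or wrong token raises CsrfError instead of proceeding."""
    if not params.get("delete_confirmed"):
        return "confirmation page"
    verify_token(secret, session_id, params.get("csrf_token"), now=now)
    return "deleted"


if __name__ == "__main__":
    # Constructed demo values; a real deployment derives the secret from
    # server-side configuration and the session id from the login session.
    SECRET = b"constructed-demo-secret"
    tok = generate_token(SECRET, "session-42")
    print(token_is_valid(SECRET, "session-42", tok))             # fresh token, own session
    print(token_is_valid(SECRET, "session-99", tok))             # same token, other session
    print(token_is_valid(SECRET, "session-42", "justsomeguess12345"))  # guessed token
    print(handle_delete_request({"member": "42"}, "session-42", SECRET))
```

Note that the expiry is enforced against the issue time signed into the token itself, not against anything the client sends separately; a client that keeps a form open for longer than `max_age` gets the same "Wrong CSRF token" failure the Bug 17110 test plan describes, and must reload the form to obtain a fresh token.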
-----------------------------------------------------------------------
Summary of changes:
C4/Utils/DataTables/Members.pm | 2 +-
Koha/Token.pm | 1 +
basket/sendbasket.pl | 25 +++++++--------
.../prog/en/includes/members-toolbar.inc | 10 +-----
.../prog/en/modules/basket/sendbasket.tt | 6 ++--
.../prog/en/modules/basket/sendbasketform.tt | 9 +++---
.../prog/en/modules/members/deletemem.tt | 15 +++++++++
.../prog/en/modules/members/memberentrygen.tt | 3 ++
.../prog/en/modules/members/moremember.tt | 3 +-
.../prog/en/modules/tools/import_borrowers.tt | 5 ++-
.../prog/en/modules/tools/picture-upload.tt | 1 +
.../opac-tmpl/bootstrap/en/modules/opac-detail.tt | 4 +--
.../bootstrap/en/modules/opac-sendbasket.tt | 6 ++--
.../bootstrap/en/modules/opac-sendbasketform.tt | 1 +
members/deletemem.pl | 33 ++++++++++++++------
members/memberentry.pl | 10 ++----
members/moremember.pl | 4 +++
opac/opac-memberentry.pl | 22 +------------
opac/opac-sendbasket.pl | 23 +++++++-------
t/db_dependent/Utils/Datatables_Members.t | 31 +++++++++++++++++-
tools/import_borrowers.pl | 3 ++
tools/picture-upload.pl | 2 ++
22 files changed, 133 insertions(+), 86 deletions(-)
hooks/post-receive
--
main Koha release repository