[koha-commits] main Koha release repository branch master updated. v16.11.00-982-ge96f39a

Git repo owner gitmaster at git.koha-community.org
Mon May 8 15:01:36 CEST 2017


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, master has been updated
       via  e96f39ab522512fe828940e93ba3737d5f25a16f (commit)
       via  57f28f9ee44a6c8f19dc1411971a7ca397557acd (commit)
      from  3ef6d2d5153772cd1701005eef7e9a94bf901c32 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit e96f39ab522512fe828940e93ba3737d5f25a16f
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date:   Mon May 1 14:15:58 2017 +0200

    Bug 7550: [QA Follow-up] Resolve param warning from sco-patron-image
    
    Resolve this warning:
      CGI::param called in list context from package C4::Service line 212, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 436.
    
    It comes from the require_params call in sco-patron-image.pl.
    
    Git grepping on require_params tells me this:
      members/default_messageprefs.pl:my ($categorycode) = C4::Service->require_params('categorycode');
      opac/sco/sco-patron-image.pl:my ($borrowernumber) = C4::Service->require_params('borrowernumber');
      opac/sco/sco-patron-image.pl:my ($csrf_token) = C4::Service->require_params('csrf_token');
      svc/cataloguing/metasearch:my ( $query_string, $servers ) = C4::Service->require_params( 'q', 'servers' );
    
    The only candidate for multi_param seems to be 'servers', but as we can see
    this variable is a scalar. Additional servers returned by require_params are
    lost. This should be solved on its own report.
    So, we can safely add scalar to the params call, resolve the warning and
    keep the same behavior.
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
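The hazard behind the warning above, as an added example that is not Koha code: a CGI::param call evaluated in list context returns every value of a repeated parameter, so when it is spliced into a hash constructor the client can supply extra key/value pairs and overwrite fields the code set itself. Forcing scalar context (the one-word change the follow-up makes in C4::Service->require_params) returns only the first value; multi_param is the explicit way to ask for a list. The script needs the CGI module from CPAN (not in core Perl since 5.22); the request string, the record fields and the require_params helper are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not Koha code): CGI::param in list vs scalar context.
use strict;
use warnings;
use CGI;

# Constructed request: 'name' is repeated so that the surplus values line
# up as a key/value pair ('is_admin' => '1') once flattened into a hash.
my $q = CGI->new('name=alice&name=is_admin&name=1');

# Unsafe: $cgi->param('name') sits in list context inside the hash
# constructor, so all three values are flattened into the key/value list
#   (is_admin => 0, name => 'alice', is_admin => '1')
# and the later is_admin wins. CGI.pm emits the "CGI::param called in
# list context" warning quoted in the commit message on STDERR here.
sub unsafe_record {
    my ($cgi) = @_;
    my %rec = (
        is_admin => 0,
        name     => $cgi->param('name'),
    );
    return \%rec;
}

# Safe: scalar context yields only the first value, so the hash keeps the
# shape the code gave it regardless of how many 'name' values were sent.
sub safe_record {
    my ($cgi) = @_;
    my %rec = (
        is_admin => 0,
        name     => scalar $cgi->param('name'),
    );
    return \%rec;
}

# When several values are genuinely wanted, ask for them explicitly and
# keep them in an array; never splice a list-context call into a hash.
sub all_values {
    my ($cgi, $name) = @_;
    my @values = $cgi->multi_param($name);   # CGI.pm >= 4.08
    return \@values;
}

# Hypothetical stand-in for the require_params idiom seen in the commit:
# one scalar per requested name, dying when a required parameter is absent.
sub require_params {
    my ($cgi, @names) = @_;
    my @values;
    for my $name (@names) {
        my $value = $cgi->param($name);   # scalar assignment: scalar context
        die "Missing required parameter '$name'\n"
            unless defined $value && length $value;
        push @values, $value;
    }
    return @values;
}

my $unsafe = unsafe_record($q);
my $safe   = safe_record($q);
printf "unsafe: name=%s is_admin=%s\n", $unsafe->{name}, $unsafe->{is_admin};
printf "safe:   name=%s is_admin=%s\n", $safe->{name},   $safe->{is_admin};
printf "multi_param: %s\n", join(',', @{ all_values($q, 'name') });
my ($name) = require_params($q, 'name');
print "require_params: $name\n";
```

Running it shows the unsafe record with is_admin flipped to 1 and the safe record unchanged; the same flattening happens with `my ($x) = $cgi->param(...)` style list assignments, which is why the warning names C4::Service rather than the callers.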

commit 57f28f9ee44a6c8f19dc1411971a7ca397557acd
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Wed Apr 19 14:09:12 2017 -0300

    Bug 7550: SCO - Restrict access of patron's image
    
    With this patch if SelfCheckoutByLogin is set to 'username and
    password', only the logged in user will be able to see the image linked
    to his/her logged in account.
    If set to "barcode" we generate a token but it can be easily generated.
    You should add a warning in the about page if
    SelfCheckoutByLogin="barcode" and ShowPatronImageInWebBasedSelfCheck="Show".
    
    How I tested:
    - Go to SCO
    - Log - Enable self checkout, go to [Your
      Server]//cgi-bin/koha/sco/sco-main.pl
    - Log in with a user 'A' who has a patron image
    - Copy the address of the patron image into another browser window
    - Change the borrowernumber to one of another user 'B' having a patron
      image
    - Verify that the patron image is NOT displayed
    
    Signed-off-by: Marc Véron <veron at veron.ch>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>

-----------------------------------------------------------------------

Summary of changes:
 C4/Service.pm                                      |    2 +-
 .../opac-tmpl/bootstrap/en/modules/sco/sco-main.tt |    2 +-
 opac/sco/sco-main.pl                               |    3 ++-
 opac/sco/sco-patron-image.pl                       |   22 +++++++++++++++++++-
 4 files changed, 25 insertions(+), 4 deletions(-)


hooks/post-receive
-- 
main Koha release repository

