[koha-commits] main Koha release repository branch 16.05.x updated. v16.05.16-60-g8f87903

Git repo owner gitmaster at git.koha-community.org
Wed Sep 20 06:05:14 CEST 2017


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 16.05.x has been updated
       via  8f87903968fe19a801dbd14246321bf585c679e6 (commit)
       via  251619575c423b4ac58505ee031533608322d160 (commit)
       via  4b19e4bb6a0582ddeb94fc94bdcfb0c4448ef372 (commit)
       via  3ecc48ed5b01c9d03108cd94b943ade3f535f644 (commit)
       via  644d9e938edb60826be98823068db04e38bb6424 (commit)
       via  e362ade666b7181d9b4b1d89e89968eefb134eb9 (commit)
       via  687946bd9b48ed9e1c9b6663961463ef1913ae88 (commit)
       via  566980bc2744a8067be338f432c3a391db2aae42 (commit)
       via  ffedb03412b100d296f64a3f7e4eeecde3f5680d (commit)
       via  ceb5b6cc82fb32dbb9899ad500fe2cc7a6c6008b (commit)
       via  4d7b768750685ea11554831f7ed7fcb6796b3f7b (commit)
       via  c127306b540cc0ee7cda9f7b14cd2c9bb47b99a1 (commit)
       via  5caf641f7ddfe4d0b924e37dae2d799bdd6f3d8f (commit)
       via  8dc404940d03bb81b1ecfc987484f8bf9781bcca (commit)
       via  280750052a28ae10aa305b9a0fab681983453e86 (commit)
       via  12d677ba88e9387b63a5bad2aa508a6985ed5b4c (commit)
       via  3a1f035038636c57a78350effccbaa903e6b835f (commit)
       via  5ffa9b924cf4bed72f105dc711ca7dd03ee373c5 (commit)
       via  75ca6a17ad080246197ec6664ad19a96785cfbcd (commit)
       via  5a58f35afc6935f714e4724f098af447107e2043 (commit)
       via  8675e0c4679835fdfd31a96ec0a7f63ac4b944a0 (commit)
       via  174f1eda3ba2186f75fccf246cb299256c2d28c9 (commit)
       via  9ce88fb28a7260ea268d6f34d09d740ca63899e7 (commit)
       via  a7bf6705a3b013105f3ce9e48a28e8e9c8912498 (commit)
       via  4c8e2f74d9cc8e4833dd62d9faa60437c97307ec (commit)
       via  0eb03b0817561fc37c77bf551a09d816d41c4117 (commit)
       via  c532e5f0abbe5a84834cfab99d021af03d499afb (commit)
       via  1deab6d87f13ced3da4dc29ef30978867a95145c (commit)
       via  683f9ec507276af1737d6fba4ba653a38557bf78 (commit)
      from  8383e7546495a042f622826c95eee6274765b5d6 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 8f87903968fe19a801dbd14246321bf585c679e6
Author: Mason James <mtj at kohaaloha.com>
Date:   Wed Sep 20 15:59:43 2017 +1200

    Revert "Bug 17249: Remove GetKohaAuthorisedValuesFromField - Add classes MarcSubfieldStructure[s]"
    
    This reverts commit 99e7f928b1bdd7ca997c6ae403a691f90866eeb4.

commit 251619575c423b4ac58505ee031533608322d160
Author: Mason James <mtj at kohaaloha.com>
Date:   Wed Sep 20 15:59:35 2017 +1200

    Revert "Bug 17249: Remove GetKohaAuthorisedValuesFromField - add tests"
    
    This reverts commit a53c3efd4c1773a609f2929a61b7324504cc18eb.

commit 4b19e4bb6a0582ddeb94fc94bdcfb0c4448ef372
Author: Mason James <mtj at kohaaloha.com>
Date:   Wed Sep 20 15:59:27 2017 +1200

    Revert "Bug 17249: Remove GetKohaAuthorisedValuesFromField - Add search_by_marc_field"
    
    This reverts commit c8fbb9c58bd72031b77d52327004ba441e71cdb9.

commit 3ecc48ed5b01c9d03108cd94b943ade3f535f644
Author: Mason James <mtj at kohaaloha.com>
Date:   Wed Sep 20 15:59:19 2017 +1200

    Revert "Bug 17249: Remove GetKohaAuthorisedValuesFromField - inventory"
    
    This reverts commit a1b569f89eead58d274a6c75d2790bda94fc0c55.

commit 644d9e938edb60826be98823068db04e38bb6424
Author: Mason James <mtj at kohaaloha.com>
Date:   Wed Sep 20 15:59:11 2017 +1200

    Revert "Bug 17249: Remove GetKohaAuthorisedValuesFromField - (follow-up) inventory"
    
    This reverts commit 38cbc453e0cc4a509fe267e32f3903393f449d41.

commit e362ade666b7181d9b4b1d89e89968eefb134eb9
Author: Mason James <mtj at kohaaloha.com>
Date:   Wed Sep 20 15:59:04 2017 +1200

    Revert "Bug 17249: Remove GetKohaAuthorisedValuesFromField"
    
    This reverts commit 65945e30f71fe353c995bab97a5b6a333326b570.

commit 687946bd9b48ed9e1c9b6663961463ef1913ae88
Author: Mason James <mtj at kohaaloha.com>
Date:   Wed Sep 20 15:58:54 2017 +1200

    Revert "Bug 17249: GetKohaAuthorisedValuesFromField - rm GetAuthValCodeFromField"
    
    This reverts commit 286b6f4e3e8db593fbe218ab08c622e5491ac44d.

commit 566980bc2744a8067be338f432c3a391db2aae42
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Tue Sep 12 10:35:10 2017 -0300

    Bug 19128: XSS - admin/authorised_values.tt

commit ffedb03412b100d296f64a3f7e4eeecde3f5680d
Author: Katrin Fischer <katrin.fischer.83 at web.de>
Date:   Wed Aug 16 14:34:17 2017 +0200

    Bug 19128 - XSS - patron-attr-types.tt, authorised_values.tt and categories.tt
    
    Preparation:
    - Add a branch with script in the branch name
    - Add a patron category with script in the category name
    - Add a new authorised value category with script
    - Add a new authorised value for this category with script
      in all possible fields
    
    - Test editing patron categories
    - Test editing patron attribute types
    - Test viewing and editing authorised values
    
    Verify that with this script there is no more script executed
    and everything works fine.
    
    Signed-off-by: Amit Gupta <amit.gupta at informaticsglobal.com>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Mason James <mtj at kohaaloha.com>

commit ceb5b6cc82fb32dbb9899ad500fe2cc7a6c6008b
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Tue Sep 12 11:21:27 2017 -0300

    Bug 19127: (follow-up) Stored XSS in csv-profiles.pl
    
    Signed-off-by: Mason James <mtj at kohaaloha.com>

commit 4d7b768750685ea11554831f7ed7fcb6796b3f7b
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date:   Wed Aug 16 17:56:17 2017 +0530

    Bug 19127 - Stored XSS in csv-profiles.pl
    
    To Test
    1. Hit the page /cgi-bin/koha/tools/csv-profiles.pl?op=add_form
    2. Add a text in the field Profile name, Profile description
       and Profile MARC fields that contains js
    3. Save the page.
    4. Notice js is executed
    5. Apply patch and reload, the js is escaped
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Mason James <mtj at kohaaloha.com>

commit c127306b540cc0ee7cda9f7b14cd2c9bb47b99a1
Author: Katrin Fischer <katrin.fischer.83 at web.de>
Date:   Wed Aug 16 12:05:50 2017 +0200

    Bug 19125 - XSS - members.pl
    
    In preparation to test this patch:
    - Add a patron list named <script>alert("patron list")</script>
    - Add a library named <script>alert("library")</script>
    - Add a patron category named <script>alert("patron category")</script>
    
    To test:
    - Access patron search page and do a search
    - Verify that the alerts added above are executed
    - Apply patch
    - Verify that no alerts are displayed
    
    Signed-off-by: Amit Gupta <amit.gupta at informaticsglobal.com>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Mason James <mtj at kohaaloha.com>

commit 5caf641f7ddfe4d0b924e37dae2d799bdd6f3d8f
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Tue Sep 12 11:06:11 2017 -0300

    Bug 19108: (follow-up) Stored XSS in biblio_framework.pl
    
    Prevent software error
    Template process failed: undef error - text: filter not found at
    /home/vagrant/kohaclone/C4/Templates.pm line 121.
    
    Signed-off-by: Mason James <mtj at kohaaloha.com>

commit 8dc404940d03bb81b1ecfc987484f8bf9781bcca
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date:   Tue Aug 15 14:37:50 2017 +0530

    Bug 19108 - Stored XSS in biblio_framework.pl and marctagstructure.pl
    
    To Test
    1. Hit the page /cgi-bin/koha/admin/biblio_framework.pl?op=add_form
    2. Add a text in the field Description that contains js
    3. Save the page.
    4. Notice js is executed
    5. Click on Actions -> MARC structure
    6. Apply patch and reload, the js is escaped
    
    Fixed for both the pages biblio_framework.pl and marctagstructure.pl
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Mason James <mtj at kohaaloha.com>

commit 280750052a28ae10aa305b9a0fab681983453e86
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date:   Tue Aug 15 14:10:43 2017 +0530

    Bug 19108 - Stored XSS in fieldmapping.pl
    
    To Test
    1. Hit the page /cgi-bin/koha/admin/fieldmapping.pl
    2. Add a text in the field Field name that contains js
    3. Save the page.
    4. Notice js is executed
    5. Apply patch and reload, the js is escaped
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Mason James <mtj at kohaaloha.com>

commit 12d677ba88e9387b63a5bad2aa508a6985ed5b4c
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date:   Tue Aug 15 14:06:47 2017 +0530

    Bug 19108 - Stored XSS in authtypes.pl
    
    To Test
    1. Hit the page /cgi-bin/koha/admin/authtypes.pl?op=add_form
    2. Add a text in the field Description that contains js
    3. Save the page.
    4. Notice js is executed
    5. Apply patch and reload, the js is escaped
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Mason James <mtj at kohaaloha.com>

commit 3a1f035038636c57a78350effccbaa903e6b835f
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date:   Tue Aug 15 13:55:45 2017 +0530

    Bug 19108 - Stored XSS in classsources.pl
    
    Fixed for both Classification sources & Classification filing rules
    
    To Test
    1. first case classification source: Hit the page
       /cgi-bin/koha/admin/classsources.pl?op=add_source
       second case classification filing rules:
       Hit the page /cgi-bin/koha/admin/classsources.pl?op=add_sort_rule
    2. Add a text in the field Description that contains js
    3. Save the page.
    4. Notice js is executed
    5. Apply patch and reload, the js is escaped
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Mason James <mtj at kohaaloha.com>

commit 5ffa9b924cf4bed72f105dc711ca7dd03ee373c5
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date:   Tue Aug 15 13:49:10 2017 +0530

    Bug 19108 - Stored XSS in items_search_fields.pl
    
    To Test
    1. Hit the page /cgi-bin/koha/admin/items_search_fields.pl
    2. Add a text in the field Name and Label that contains js
    3. Save the page.
    4. Notice js is executed
    5. Apply patch and reload, the js is escaped
    
    Fixed for new and edit page
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Mason James <mtj at kohaaloha.com>

commit 75ca6a17ad080246197ec6664ad19a96785cfbcd
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date:   Tue Aug 15 13:33:57 2017 +0530

    Bug 19108 - Stored XSS in oai_sets.pl
    
    To Test
    1. Hit the page /cgi-bin/koha/admin/oai_sets.pl
    2. Click on New set
    3. Add a text in the field setSpec, setName that contains js
    4. Save the page.
    5. Notice js is executed
    6. Apply patch and reload, the js is escaped
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Mason James <mtj at kohaaloha.com>

commit 5a58f35afc6935f714e4724f098af447107e2043
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Tue Sep 12 10:58:24 2017 -0300

    Bug 19103: (follow-up) Stored XSS in itemtypes.pl
    
    Signed-off-by: Mason James <mtj at kohaaloha.com>

commit 8675e0c4679835fdfd31a96ec0a7f63ac4b944a0
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date:   Tue Aug 15 10:15:54 2017 +0530

    Bug 19103 - Stored XSS in matching-rules.pl
    
    To Test
    1. Hit the page /cgi-bin/koha/admin/matching-rules.pl
    2. Click on new record matching rule
    3. Add a text in the field Description that contains js.
    4. Save the page.
    5. Notice js is executed
    6. Apply patch and reload, the js is escaped
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Mason James <mtj at kohaaloha.com>

commit 174f1eda3ba2186f75fccf246cb299256c2d28c9
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date:   Tue Aug 15 10:07:45 2017 +0530

    Bug 19103 - Stored XSS in patron-attr-types.pl
    
    To Test
    1. Hit the page /cgi-bin/koha/admin/patron-attr-types.pl
    2. Click on new patron attribute type
    3. Add a text in the field Description that contains js.
    4. Save the page.
    5. Notice js is executed
    6. Apply patch and reload, the js is escaped
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Mason James <mtj at kohaaloha.com>

commit 9ce88fb28a7260ea268d6f34d09d740ca63899e7
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date:   Tue Aug 15 08:52:40 2017 +0530

    Bug 19103 - Stored XSS in itemtypes.pl
    
    To Test
    1. Hit the page /cgi-bin/koha/admin/itemtypes.pl
    2. Add a text in the field Description, Checkin message that contains js
    3. Save the page.
    4. Notice js is executed
    5. Apply patch and reload, the js is escaped
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Mason James <mtj at kohaaloha.com>

commit a7bf6705a3b013105f3ce9e48a28e8e9c8912498
Author: Katrin Fischer <katrin.fischer.83 at web.de>
Date:   Wed Aug 16 13:07:18 2017 +0200

    Bug 19086 - Follow-up - subscription-detail.pl
    
    Add script to the callnumber field on adding a subscription.
    
    Verify script is executed without this patch, but not with it.
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>

commit 4c8e2f74d9cc8e4833dd62d9faa60437c97307ec
Author: Katrin Fischer <katrin.fischer.83 at web.de>
Date:   Wed Aug 16 12:59:13 2017 +0200

    Bug 19086 - Follow-up - XSS in supplier.tt
    
    In preparation:
    Make sure you enter <script>alert("sth")</script>
    in all fields of a new vendor that are not validated
    and save.
    
    1) Access vendor summary page.
    2) Verify scripts are executed
    3) Apply patch
    4) Verify scripts are no longer executed
    
    This works in combination with the other patches for XSS
    on this bug.
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>

commit 0eb03b0817561fc37c77bf551a09d816d41c4117
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date:   Tue Aug 15 02:44:11 2017 +0530

    Bug 19086 Stored XSS in subscription-add.pl
    
    To Test
    1. Hit the page /cgi-bin/koha/serials/subscription-add.pl
    2. Add a text in the field Public note and Nonpublic note
       that contains js (Internalnotes, notes)
    3. Save the page.
    4. Notice js is executed
    5. Apply patch and reload, the js is escaped
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>

commit c532e5f0abbe5a84834cfab99d021af03d499afb
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date:   Tue Aug 15 02:33:59 2017 +0530

    Bug 19086 Stored XSS in supplier.pl
    
    1. Hit the page /cgi-bin/koha/acqui/supplier.pl?op=enter
    2. Add a text in the field company_postal, physical, company_fax,
       accountnumber, contactposition, contact_fax, contact_notes, notes that contains JavaScript
    3. Save the page.
    4. Notice js is executed
    5. Apply patch and reload, the js is escaped
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>

commit 1deab6d87f13ced3da4dc29ef30978867a95145c
Author: Chris Cormack <chris at bigballofwax.co.nz>
Date:   Fri Aug 11 19:54:34 2017 +0000

    Bug 19086 Stored XSS in circulation.pl
    
    1/ To test, add a message to a borrower that contains js
    2/ hit /cgi-bin/koha/circ/circulation.pl?borrowernumber=[number]
      where number is the borrowernumber of the borrower you set the message
      for
    3/ Notice js is executed
    4/ Apply patch, reload, js is escaped
    
    Signed-off-by: Amit Gupta <amit.gupta at informaticsglobal.com>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Mason James <mtj at kohaaloha.com>

commit 683f9ec507276af1737d6fba4ba653a38557bf78
Author: Chris Cormack <chris at bigballofwax.co.nz>
Date:   Fri Aug 11 19:36:43 2017 +0000

    Bug 19086 XSS in members/member.pl
    
    To test
    1/ hit /cgi-bin/koha/members/member.pl?&searchmember=<script>alert('XSS Payload')</script>
    2/ Notice js is executed
    3/ Apply patch, reload
    4/ js is now escaped
    
    Signed-off-by: Amit Gupta <amit.gupta at informaticsglobal.com>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Mason James <mtj at kohaaloha.com>

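The stored XSS fixes in the commits above all come down to adding the Template Toolkit `html` filter to values that Koha's `.tt` templates print back to the browser. As an added example (not Koha's own code), the snippet below renders a constructed "Description" value through a template without and with that filter, and shows the "filter not found" failure that the Bug 19108 follow-up mentions when a filter name TT does not know is used; it assumes the Template Toolkit CPAN module (`Template`) is installed.

```perl
#!/usr/bin/perl
# Added example, not code from Koha. Shows the effect of the Template Toolkit
# "html" filter that the XSS patches above add to admin/*.tt templates.
# Assumes the Template module (Template Toolkit) is installed.
use strict;
use warnings;
use Template;

# Constructed sample value, of the kind the test plans above store in a
# Description field.
my $description = '<script>alert("sth")</script>';

my $tt = Template->new() or die Template->error();

# Before the fix: the stored value is interpolated verbatim into the HTML
# page, so a browser executes it.
my $unsafe_tmpl = 'Description: [% description %]';

# After the fix: the html filter rewrites & < > " as entities, so the browser
# displays the value as text instead of parsing it as markup.
my $safe_tmpl = 'Description: [% description | html %]';

my ( $unsafe_out, $safe_out );
$tt->process( \$unsafe_tmpl, { description => $description }, \$unsafe_out )
  or die $tt->error();
$tt->process( \$safe_tmpl, { description => $description }, \$safe_out )
  or die $tt->error();

print "unescaped: $unsafe_out\n";
print "escaped:   $safe_out\n";
# The escaped line reads:
# Description: &lt;script&gt;alert(&quot;sth&quot;)&lt;/script&gt;

# A filter name TT does not provide (the follow-up commits above mention
# "text: filter not found") aborts rendering instead of producing a page,
# which is the software error the Bug 19108 follow-up prevents.
my $typo_tmpl = 'Description: [% description | text %]';
my $typo_out;
$tt->process( \$typo_tmpl, { description => $description }, \$typo_out )
  or print "template error: ", $tt->error(), "\n";
```
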
-----------------------------------------------------------------------

Summary of changes:
 C4/Koha.pm                                         |   57 +++++++++++++++++++-
 C4/Record.pm                                       |   11 ++--
 Koha/AuthorisedValues.pm                           |   18 -------
 Koha/MarcSubfieldStructure.pm                      |   44 ---------------
 Koha/MarcSubfieldStructures.pm                     |   50 -----------------
 .../en/includes/admin-items-search-field-form.inc  |    4 +-
 .../prog/en/includes/patron-search.inc             |    2 +-
 .../prog/en/includes/patron-toolbar.inc            |    2 +-
 .../prog/en/modules/acqui/supplier.tt              |   32 +++++------
 .../prog/en/modules/admin/authorised_values.tt     |   28 +++++-----
 .../prog/en/modules/admin/authtypes.tt             |    4 +-
 .../prog/en/modules/admin/biblio_framework.tt      |   12 ++---
 .../prog/en/modules/admin/categories.tt            |    4 +-
 .../prog/en/modules/admin/classsources.tt          |    4 +-
 .../prog/en/modules/admin/fieldmapping.tt          |    2 +-
 .../prog/en/modules/admin/items_search_field.tt    |    4 +-
 .../prog/en/modules/admin/items_search_fields.tt   |    6 +--
 .../prog/en/modules/admin/itemtypes.tt             |    4 +-
 .../prog/en/modules/admin/marctagstructure.tt      |   18 +++----
 .../prog/en/modules/admin/matching-rules.tt        |    2 +-
 .../prog/en/modules/admin/oai_set_mappings.tt      |    2 +-
 .../prog/en/modules/admin/oai_sets.tt              |   10 ++--
 .../prog/en/modules/admin/patron-attr-types.tt     |   12 ++---
 .../prog/en/modules/circ/circulation.tt            |    2 +-
 .../prog/en/modules/members/member.tt              |   10 ++--
 .../prog/en/modules/serials/subscription-detail.tt |    6 +--
 .../prog/en/modules/tools/csv-profiles.tt          |   12 ++---
 t/db_dependent/AuthorisedValues.t                  |   35 +-----------
 t/db_dependent/Items/GetItemsForInventory.t        |   12 +----
 t/db_dependent/Koha/MarcSubfieldStructures.t       |   57 --------------------
 t/db_dependent/Record/marcrecord2csv.t             |   42 +--------------
 tools/inventory.pl                                 |    5 +-
 32 files changed, 155 insertions(+), 358 deletions(-)
 delete mode 100644 Koha/MarcSubfieldStructure.pm
 delete mode 100644 Koha/MarcSubfieldStructures.pm
 delete mode 100644 t/db_dependent/Koha/MarcSubfieldStructures.t


hooks/post-receive
-- 
main Koha release repository