[koha-commits] main Koha release repository branch 16.05.x updated. v16.05.16-60-g8f87903
Git repo owner
gitmaster at git.koha-community.org
Wed Sep 20 06:05:14 CEST 2017
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, 16.05.x has been updated
via 8f87903968fe19a801dbd14246321bf585c679e6 (commit)
via 251619575c423b4ac58505ee031533608322d160 (commit)
via 4b19e4bb6a0582ddeb94fc94bdcfb0c4448ef372 (commit)
via 3ecc48ed5b01c9d03108cd94b943ade3f535f644 (commit)
via 644d9e938edb60826be98823068db04e38bb6424 (commit)
via e362ade666b7181d9b4b1d89e89968eefb134eb9 (commit)
via 687946bd9b48ed9e1c9b6663961463ef1913ae88 (commit)
via 566980bc2744a8067be338f432c3a391db2aae42 (commit)
via ffedb03412b100d296f64a3f7e4eeecde3f5680d (commit)
via ceb5b6cc82fb32dbb9899ad500fe2cc7a6c6008b (commit)
via 4d7b768750685ea11554831f7ed7fcb6796b3f7b (commit)
via c127306b540cc0ee7cda9f7b14cd2c9bb47b99a1 (commit)
via 5caf641f7ddfe4d0b924e37dae2d799bdd6f3d8f (commit)
via 8dc404940d03bb81b1ecfc987484f8bf9781bcca (commit)
via 280750052a28ae10aa305b9a0fab681983453e86 (commit)
via 12d677ba88e9387b63a5bad2aa508a6985ed5b4c (commit)
via 3a1f035038636c57a78350effccbaa903e6b835f (commit)
via 5ffa9b924cf4bed72f105dc711ca7dd03ee373c5 (commit)
via 75ca6a17ad080246197ec6664ad19a96785cfbcd (commit)
via 5a58f35afc6935f714e4724f098af447107e2043 (commit)
via 8675e0c4679835fdfd31a96ec0a7f63ac4b944a0 (commit)
via 174f1eda3ba2186f75fccf246cb299256c2d28c9 (commit)
via 9ce88fb28a7260ea268d6f34d09d740ca63899e7 (commit)
via a7bf6705a3b013105f3ce9e48a28e8e9c8912498 (commit)
via 4c8e2f74d9cc8e4833dd62d9faa60437c97307ec (commit)
via 0eb03b0817561fc37c77bf551a09d816d41c4117 (commit)
via c532e5f0abbe5a84834cfab99d021af03d499afb (commit)
via 1deab6d87f13ced3da4dc29ef30978867a95145c (commit)
via 683f9ec507276af1737d6fba4ba653a38557bf78 (commit)
from 8383e7546495a042f622826c95eee6274765b5d6 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 8f87903968fe19a801dbd14246321bf585c679e6
Author: Mason James <mtj at kohaaloha.com>
Date: Wed Sep 20 15:59:43 2017 +1200
Revert "Bug 17249: Remove GetKohaAuthorisedValuesFromField - Add classes MarcSubfieldStructure[s]"
This reverts commit 99e7f928b1bdd7ca997c6ae403a691f90866eeb4.
commit 251619575c423b4ac58505ee031533608322d160
Author: Mason James <mtj at kohaaloha.com>
Date: Wed Sep 20 15:59:35 2017 +1200
Revert "Bug 17249: Remove GetKohaAuthorisedValuesFromField - add tests"
This reverts commit a53c3efd4c1773a609f2929a61b7324504cc18eb.
commit 4b19e4bb6a0582ddeb94fc94bdcfb0c4448ef372
Author: Mason James <mtj at kohaaloha.com>
Date: Wed Sep 20 15:59:27 2017 +1200
Revert "Bug 17249: Remove GetKohaAuthorisedValuesFromField - Add search_by_marc_field"
This reverts commit c8fbb9c58bd72031b77d52327004ba441e71cdb9.
commit 3ecc48ed5b01c9d03108cd94b943ade3f535f644
Author: Mason James <mtj at kohaaloha.com>
Date: Wed Sep 20 15:59:19 2017 +1200
Revert "Bug 17249: Remove GetKohaAuthorisedValuesFromField - inventory"
This reverts commit a1b569f89eead58d274a6c75d2790bda94fc0c55.
commit 644d9e938edb60826be98823068db04e38bb6424
Author: Mason James <mtj at kohaaloha.com>
Date: Wed Sep 20 15:59:11 2017 +1200
Revert "Bug 17249: Remove GetKohaAuthorisedValuesFromField - (follow-up) inventory"
This reverts commit 38cbc453e0cc4a509fe267e32f3903393f449d41.
commit e362ade666b7181d9b4b1d89e89968eefb134eb9
Author: Mason James <mtj at kohaaloha.com>
Date: Wed Sep 20 15:59:04 2017 +1200
Revert "Bug 17249: Remove GetKohaAuthorisedValuesFromField"
This reverts commit 65945e30f71fe353c995bab97a5b6a333326b570.
commit 687946bd9b48ed9e1c9b6663961463ef1913ae88
Author: Mason James <mtj at kohaaloha.com>
Date: Wed Sep 20 15:58:54 2017 +1200
Revert "Bug 17249: GetKohaAuthorisedValuesFromField - rm GetAuthValCodeFromField"
This reverts commit 286b6f4e3e8db593fbe218ab08c622e5491ac44d.
commit 566980bc2744a8067be338f432c3a391db2aae42
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Tue Sep 12 10:35:10 2017 -0300
Bug 19128: XSS - admin/authorised_values.tt
commit ffedb03412b100d296f64a3f7e4eeecde3f5680d
Author: Katrin Fischer <katrin.fischer.83 at web.de>
Date: Wed Aug 16 14:34:17 2017 +0200
Bug 19128 - XSS - patron-attr-types.tt, authorised_values.tt and categories.tt
Preparation:
- Add a branch with script in the branch name
- Add a patron category with script in the category name
- Add a new authorised value category with script
- Add a new authorised value for this category with script
in all possible fields
- Test editing patron categories
- Test editing patron attribute types
- Test viewing and editing authorised values
Verify that with this script there is no more script executed
and everything works fine.
Signed-off-by: Amit Gupta <amit.gupta at informaticsglobal.com>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit ceb5b6cc82fb32dbb9899ad500fe2cc7a6c6008b
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Tue Sep 12 11:21:27 2017 -0300
Bug 19127: (follow-up) Stored XSS in csv-profiles.pl
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit 4d7b768750685ea11554831f7ed7fcb6796b3f7b
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Wed Aug 16 17:56:17 2017 +0530
Bug 19127 - Stored XSS in csv-profiles.pl
To Test
1. Hit the page /cgi-bin/koha/tools/csv-profiles.pl?op=add_form
2. Add a text in the field Profile name, Profile description
and Profile MARC fields that contains js
3. Save the page.
4. Notice js is executed
5. Apply patch and reload, the js is escaped
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit c127306b540cc0ee7cda9f7b14cd2c9bb47b99a1
Author: Katrin Fischer <katrin.fischer.83 at web.de>
Date: Wed Aug 16 12:05:50 2017 +0200
Bug 19125 - XSS - members.pl
In preparation to test this patch:
- Add a patron list named <script>alert("patron list")</script>
- Add a library named <script>alert("library")</script>
- Add a patron category named <script>alert("patron category")</script>
To test:
- Access patron search page and do a search
- Verify that the alerts added above are executed
- Apply patch
- Verify that no alerts are displayed
Signed-off-by: Amit Gupta <amit.gupta at informaticsglobal.com>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit 5caf641f7ddfe4d0b924e37dae2d799bdd6f3d8f
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Tue Sep 12 11:06:11 2017 -0300
Bug 19108: (follow-up) Stored XSS in biblio_framework.pl
Prevent software error
Template process failed: undef error - text: filter not found at
/home/vagrant/kohaclone/C4/Templates.pm line 121.
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit 8dc404940d03bb81b1ecfc987484f8bf9781bcca
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Tue Aug 15 14:37:50 2017 +0530
Bug 19108 - Stored XSS in biblio_framework.pl and marctagstructure.pl
To Test
1. Hit the page /cgi-bin/koha/admin/biblio_framework.pl?op=add_form
2. Add a text in the field Description that contains js
3. Save the page.
4. Notice js is executed
5. Click on Actions -> MARC structure
6. Apply patch and reload, the js is escaped
Fixed for both the pages biblio_framework.pl and marctagstructure.pl
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit 280750052a28ae10aa305b9a0fab681983453e86
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Tue Aug 15 14:10:43 2017 +0530
Bug 19108 - Stored XSS in fieldmapping.pl
To Test
1. Hit the page /cgi-bin/koha/admin/fieldmapping.pl
2. Add a text in the field Field name that contains js
3. Save the page.
4. Notice js is executed
5. Apply patch and reload, the js is escaped
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit 12d677ba88e9387b63a5bad2aa508a6985ed5b4c
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Tue Aug 15 14:06:47 2017 +0530
Bug 19108 - Stored XSS in authtypes.pl
To Test
1. Hit the page /cgi-bin/koha/admin/authtypes.pl?op=add_form
2. Add a text in the field Description that contains js
3. Save the page.
4. Notice js is executed
5. Apply patch and reload, the js is escaped
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit 3a1f035038636c57a78350effccbaa903e6b835f
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Tue Aug 15 13:55:45 2017 +0530
Bug 19108 - Stored XSS in classsources.pl
Fixed for both Classification sources & Classification filing rules
To Test
1. first case classification source: Hit the page
/cgi-bin/koha/admin/classsources.pl?op=add_source
second case classification filing rules:
Hit the page /cgi-bin/koha/admin/classsources.pl?op=add_sort_rule
2. Add a text in the field Description that contains js
3. Save the page.
4. Notice js is executed
5. Apply patch and reload, the js is escaped
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit 5ffa9b924cf4bed72f105dc711ca7dd03ee373c5
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Tue Aug 15 13:49:10 2017 +0530
Bug 19108 - Stored XSS in items_search_fields.pl
To Test
1. Hit the page /cgi-bin/koha/admin/items_search_fields.pl
2. Add a text in the field Name and Label that contains js
3. Save the page.
4. Notice js is executed
5. Apply patch and reload, the js is escaped
Fixed for new and edit page
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit 75ca6a17ad080246197ec6664ad19a96785cfbcd
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Tue Aug 15 13:33:57 2017 +0530
Bug 19108 - Stored XSS in oai_sets.pl
To Test
1. Hit the page /cgi-bin/koha/admin/oai_sets.pl
2. Click on New set
3. Add a text in the field setSpec, setName that contains js
4. Save the page.
5. Notice js is executed
6. Apply patch and reload, the js is escaped
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit 5a58f35afc6935f714e4724f098af447107e2043
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Tue Sep 12 10:58:24 2017 -0300
Bug 19103: (follow-up) Stored XSS in itemtypes.pl
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit 8675e0c4679835fdfd31a96ec0a7f63ac4b944a0
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Tue Aug 15 10:15:54 2017 +0530
Bug 19103 - Stored XSS in matching-rules.pl
To Test
1. Hit the page /cgi-bin/koha/admin/matching-rules.pl
2. Click on new record matching rule
3. Add a text in the field Description that contains js.
4. Save the page.
5. Notice js is executed
6. Apply patch and reload, the js is escaped
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit 174f1eda3ba2186f75fccf246cb299256c2d28c9
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Tue Aug 15 10:07:45 2017 +0530
Bug 19103 - Stored XSS in patron-attr-types.pl
To Test
1. Hit the page /cgi-bin/koha/admin/patron-attr-types.pl
2. Click on new patron attribute type
3. Add a text in the field Description that contains js.
4. Save the page.
5. Notice js is executed
6. Apply patch and reload, the js is escaped
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit 9ce88fb28a7260ea268d6f34d09d740ca63899e7
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Tue Aug 15 08:52:40 2017 +0530
Bug 19103 - Stored XSS in itemtypes.pl
To Test
1. Hit the page /cgi-bin/koha/admin/itemtypes.pl
2. Add a text in the field Description, Checkin message that contains js
3. Save the page.
4. Notice js is executed
5. Apply patch and reload, the js is escaped
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit a7bf6705a3b013105f3ce9e48a28e8e9c8912498
Author: Katrin Fischer <katrin.fischer.83 at web.de>
Date: Wed Aug 16 13:07:18 2017 +0200
Bug 19086 - Follow-up - subscription-detail.pl
Add script to the callnumber field on adding a subscription.
Verify script is executed without this patch, but not with it.
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
commit 4c8e2f74d9cc8e4833dd62d9faa60437c97307ec
Author: Katrin Fischer <katrin.fischer.83 at web.de>
Date: Wed Aug 16 12:59:13 2017 +0200
Bug 19086 - Follow-up - XSS in supplier.tt
In preparation:
Make sure you enter <script>alert("sth")</script>
in all fields of a new vendor that are not validated
and save.
1) Access vendor summary page.
2) Verify scripts are executed
3) Apply patch
4) Verify scripts are no longer executed
This works in combination with the other patches for XSS
on this bug.
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
commit 0eb03b0817561fc37c77bf551a09d816d41c4117
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Tue Aug 15 02:44:11 2017 +0530
Bug 19086 Stored XSS in subscription-add.pl
To Test
1. Hit the page /cgi-bin/koha/serials/subscription-add.pl
2. Add a text in the field Public note and Nonpublic note
that contains js (Internalnotes, notes)
3. Save the page.
4. Notice js is executed
5. Apply patch and reload, the js is escaped
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
commit c532e5f0abbe5a84834cfab99d021af03d499afb
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date: Tue Aug 15 02:33:59 2017 +0530
Bug 19086 Stored XSS in supplier.pl
1. Hit the page /cgi-bin/koha/acqui/supplier.pl?op=enter
2. Add a text in the field company_postal, physical, company_fax,
accountnumber, contactposition, contact_fax, contact_notes, notes that contains JavaScript
3. Save the page.
4. Notice js is executed
5. Apply patch and reload, the js is escaped
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
commit 1deab6d87f13ced3da4dc29ef30978867a95145c
Author: Chris Cormack <chris at bigballofwax.co.nz>
Date: Fri Aug 11 19:54:34 2017 +0000
Bug 19086 Stored XSS in circulation.pl
1/ To test add a message to a borrower that contains js
2/ hit /cgi-bin/koha/circ/circulation.pl?borrowernumber=[number]
where number is the borrowernumber of the borrower you set the message
for
3/ Notice js is executed
4/ Apply patch, reload, js is escaped
Signed-off-by: Amit Gupta <amit.gupta at informaticsglobal.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Mason James <mtj at kohaaloha.com>
commit 683f9ec507276af1737d6fba4ba653a38557bf78
Author: Chris Cormack <chris at bigballofwax.co.nz>
Date: Fri Aug 11 19:36:43 2017 +0000
Bug 19086 XSS in members/member.pl
To test
1/ hit /cgi-bin/koha/members/member.pl?&searchmember=<script>alert('XSS Payload')</script>
2/ Notice js is executed
3/ Apply patch, reload
4/ js is now escaped
Signed-off-by: Amit Gupta <amit.gupta at informaticsglobal.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Mason James <mtj at kohaaloha.com>
-----------------------------------------------------------------------
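The XSS fixes listed above all take the same form: a stored value that the affected .tt template interpolated verbatim is now passed through Template Toolkit's html filter before it reaches the page. The script below is an added example, not code from Koha or from any commit in this log. It drives the CPAN Template module directly with a constructed payload of the shape the test plans use; the variable name "description" and the three one-line templates are chosen for illustration. It renders the unfiltered and the filtered template side by side, and then shows the failure the bug 19108 follow-up refers to, where a filter name that Template Toolkit does not know aborts template processing.

```perl
#!/usr/bin/perl
# Added example (not Koha code): why the commits above add "| html" to
# template output, demonstrated with Template Toolkit and a constructed
# payload. Assumes the CPAN Template module is installed.
use strict;
use warnings;
use Template;

# Constructed stored value, the same shape the test plans above use.
my $payload = '<script>alert("sth")</script>';

my $tt = Template->new();

# Vulnerable form: the stored value is written into the page verbatim,
# so a stored <script> element is parsed and run by the browser.
my $unsafe_tmpl = '<td>[% description %]</td>';

# Hardened form: the html filter entity-encodes & < > and " so the
# stored value is rendered as text rather than parsed as markup.
my $safe_tmpl = '<td>[% description | html %]</td>';

# Misnamed filter: Template Toolkit has no "text" filter, so processing
# fails with the "filter not found" error quoted in the follow-up commit.
my $bad_tmpl = '<td>[% description | text %]</td>';

# Render a template string with the given variables; returns the output
# on success, or undef with the Template error message as second value.
sub render {
    my ($template, $vars) = @_;
    my $out = '';
    return ($out, undef) if $tt->process(\$template, $vars, \$out);
    return (undef, '' . $tt->error());
}

my $vars = { description => $payload };

for my $case (['unsafe', $unsafe_tmpl], ['safe', $safe_tmpl], ['misnamed', $bad_tmpl]) {
    my ($label, $template) = @$case;
    my ($out, $err) = render($template, $vars);
    if (defined $out) {
        printf "%-9s %s\n", "$label:", $out;
    } else {
        printf "%-9s error: %s\n", "$label:", $err;
    }
}
```

Running it with the Template module installed prints the raw payload for the unfiltered template, the entity-encoded form (the angle brackets and quotes become &lt;, &gt; and &quot;) for the filtered one, and an error for the misnamed filter instead of any output, which is the software error the follow-up commit prevents. The html filter is the right tool for HTML element content and quoted attribute values; a value that lands in a URL needs the uri filter instead, and a value written into inline JavaScript needs JavaScript string escaping, since HTML entity encoding does not make it safe in either of those contexts.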
Summary of changes:
C4/Koha.pm | 57 +++++++++++++++++++-
C4/Record.pm | 11 ++--
Koha/AuthorisedValues.pm | 18 -------
Koha/MarcSubfieldStructure.pm | 44 ---------------
Koha/MarcSubfieldStructures.pm | 50 -----------------
.../en/includes/admin-items-search-field-form.inc | 4 +-
.../prog/en/includes/patron-search.inc | 2 +-
.../prog/en/includes/patron-toolbar.inc | 2 +-
.../prog/en/modules/acqui/supplier.tt | 32 +++++------
.../prog/en/modules/admin/authorised_values.tt | 28 +++++-----
.../prog/en/modules/admin/authtypes.tt | 4 +-
.../prog/en/modules/admin/biblio_framework.tt | 12 ++---
.../prog/en/modules/admin/categories.tt | 4 +-
.../prog/en/modules/admin/classsources.tt | 4 +-
.../prog/en/modules/admin/fieldmapping.tt | 2 +-
.../prog/en/modules/admin/items_search_field.tt | 4 +-
.../prog/en/modules/admin/items_search_fields.tt | 6 +--
.../prog/en/modules/admin/itemtypes.tt | 4 +-
.../prog/en/modules/admin/marctagstructure.tt | 18 +++----
.../prog/en/modules/admin/matching-rules.tt | 2 +-
.../prog/en/modules/admin/oai_set_mappings.tt | 2 +-
.../prog/en/modules/admin/oai_sets.tt | 10 ++--
.../prog/en/modules/admin/patron-attr-types.tt | 12 ++---
.../prog/en/modules/circ/circulation.tt | 2 +-
.../prog/en/modules/members/member.tt | 10 ++--
.../prog/en/modules/serials/subscription-detail.tt | 6 +--
.../prog/en/modules/tools/csv-profiles.tt | 12 ++---
t/db_dependent/AuthorisedValues.t | 35 +-----------
t/db_dependent/Items/GetItemsForInventory.t | 12 +----
t/db_dependent/Koha/MarcSubfieldStructures.t | 57 --------------------
t/db_dependent/Record/marcrecord2csv.t | 42 +--------------
tools/inventory.pl | 5 +-
32 files changed, 155 insertions(+), 358 deletions(-)
delete mode 100644 Koha/MarcSubfieldStructure.pm
delete mode 100644 Koha/MarcSubfieldStructures.pm
delete mode 100644 t/db_dependent/Koha/MarcSubfieldStructures.t
hooks/post-receive
--
main Koha release repository