[koha-commits] main Koha release repository branch master updated. v17.05.00-682-g89528af

Git repo owner gitmaster at git.koha-community.org
Fri Sep 29 17:49:32 CEST 2017


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, master has been updated
       via  89528af3b089b2d17e3e7b212ea5608478f0ca84 (commit)
       via  1404654d65baccacb2928f59171ec6f41d9b653b (commit)
       via  632e2ad51d2510a412224ded5e51a9f991d566b4 (commit)
       via  d34fae94995977b730e4bbfc11bdecaa3ce310a8 (commit)
       via  c7b2d9bcf37dcded7cba49b1e520a0234850adf7 (commit)
       via  60a17c1b2b8582620fc94ab9eadd7e8336a5d1fa (commit)
       via  ae02cf97e469a17d3bdc9d5c7db702960fd620c8 (commit)
       via  99f6e1adf3d3236c2a08ad31d4282d429d50974b (commit)
       via  c84d03c582976cb590c62b25d59505b982a71d97 (commit)
       via  12bd6358cfe6c9348cb111d22f04097f7911babf (commit)
       via  f270c4a3b56a8b92554670ae9aceb857b50b897e (commit)
       via  80fd5cd0dbfe8c5612325ca65251d36a97fcfc1c (commit)
       via  a0c73b7bdafd21e19e0c1ba6a7ea222216d70500 (commit)
       via  021d1d3714602be64609b9db82fd92e8bb1b42c0 (commit)
       via  357d51c8c4bd0eeffd83bc04f96b9c3dc66afa02 (commit)
       via  b90662073ff99d25e0f32156924f79981f9d5707 (commit)
       via  914577fdb788b70fdb0979a6ea88ca10e3345796 (commit)
       via  624eb9e1f5f7ca87a6d8fbbaef0bbaa3dea3bc21 (commit)
       via  a482880352c4e9b363402a83358e1c239fbc1d74 (commit)
       via  ec85c6b0a23088e91922c0b095f39bfbca2f4456 (commit)
       via  6a68fd033035491a1e8060d47ca30f8640cd835e (commit)
       via  b09750ca2b1446bdeaf78a5989b4325e41789362 (commit)
       via  bfbba2339f3c39fcf19ec1b12585f15f9ea68993 (commit)
       via  d1aa11c51c0b7312ea08327b57b4adb04f3c7c48 (commit)
       via  ab7b35fe2466bbca5082a315dfb5bd33add3d956 (commit)
       via  233741e937cade658de0181d41fe2d315a7ab993 (commit)
       via  617e2f822141c9a430f87304e6030f3d2fb4a6d7 (commit)
       via  9374c646e164db5f48f88e3a8fcb904a79922013 (commit)
       via  b3734f02e1e76dfe9710b85887df826303feff14 (commit)
       via  b4608887f664ed73d6813375f503b2bebd542adb (commit)
       via  2d308456010745b90bcd99f40d56db0fcd9cad65 (commit)
       via  0bbe968fe57316b8bb28ad02df87c0b97c249904 (commit)
       via  13e65432ce6f78c277835d5a5fe22fe99ed0b20c (commit)
       via  ec86950780e908f5b2a5d53e21cffede6d570b08 (commit)
       via  6d22674da5062cc61b6bd8667f8fb5775f71b05a (commit)
       via  50dcae4b504a4a54a830ae87848ba3fa5161ad57 (commit)
       via  c176b8ceefc8a4b964b8671c4d3198af053b59c8 (commit)
      from  ae86b7ca9ea60bba47d3a999ff13d6140cdc5e1c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 89528af3b089b2d17e3e7b212ea5608478f0ca84
Author: Aleisha Amohia <aleishaamohia at hotmail.com>
Date:   Wed Aug 30 23:26:38 2017 +0000

    Bug 16463: Replace discharge link with error message if user has checked out items
    
    To test:
    1) Ensure the useDischarge syspref is enabled
    2) Check out an item to a borrower
    3) Log in to the OPAC as this borrower
    4) Click the 'ask for a discharge' link in the nav
    5) Click the 'Ask for a discharge' link
    6) Notice you cannot be discharged because you have checkouts
    7) Apply the patch, click the 'ask for a discharge' link in the nav
    8) Notice the link has been replaced with an appropriate error message
    9) Attempt to force the discharge URL:
    /cgi-bin/koha/opac-discharge?op=request
    10) Notice the message and you cannot be discharged.
    11) Confirm that when you check in your item, the discharge link shows
    again and works as expected.
    
    Sponsored-by: Catalyst IT
    Signed-off-by: Caroline Cyr La Rose <caroline.cyr-la-rose at inlibro.com>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit 1404654d65baccacb2928f59171ec6f41d9b653b
Author: Nick Clemens <nick at bywatersolutions.com>
Date:   Fri Apr 7 23:09:05 2017 -0400

    Bug 18318: Unicode support for Elasticsearch
    
    You must install the icu plugin for elasticsearch
    https://www.elastic.co/guide/en/elasticsearch/plugins/current/analysis-icu.html
    
    Once installed, apply this patch
    Reindex your data, deleting the existing indexes
    perl /home/vagrant/kohaclone/misc/search_tools/rebuild_elastic_search.pl -d
    Find (or add) some titles with accented characters
    Verify that a search for the exact character or the unaccented version
    works
    
    Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
    Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit 632e2ad51d2510a412224ded5e51a9f991d566b4
Author: Mark Tompsett <mtompset at hotmail.com>
Date:   Fri Sep 1 21:23:20 2017 -0400

    Bug 19120: Leave cancelled ordered items alone when reopening basket
    
    TEST PLAN
    ---------
    1) Apply first patch
    2) prove t/db_dependent/Acquisition/close_reopen_basket.t
       -- FAILS
    3) Apply this patch
    4) prove t/db_dependent/Acquisition/close_reopen_basket.t
       -- SUCCESS!
    5) run koha qa test tools
    
    Followed test plan, patch worked as described
    Signed-off-by: Alex Buckley <alexbuckley at catalyst.net.nz>
    
    Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit d34fae94995977b730e4bbfc11bdecaa3ce310a8
Author: Mark Tompsett <mtompset at hotmail.com>
Date:   Fri Sep 1 21:21:40 2017 -0400

    Bug 19120: Add tests to reproduce the problem
    
    TEST PLAN
    ---------
    1) apply this patch
    2) prove t/db_dependent/Acquisition/close_reopen_basket.t
       -- FAILS!
       -- This proves the test works.
    3) run koha qa test tools
    
    Followed test plan, patch worked as described
    Signed-off-by: Alex Buckley <alexbuckley at catalyst.net.nz>
    
    Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit c7b2d9bcf37dcded7cba49b1e520a0234850adf7
Author: Josef Moravec <josef.moravec at gmail.com>
Date:   Tue Sep 19 07:13:53 2017 +0000

    Bug 19329: Update IntranetSlipPrinterJS system preference description.
    
    Test plan:
    0) Apply the patch
    1) Go to administration -> system preferences -> staff client
    2) Read the description by IntranetSlipPrinterJS and confirm it's right
    
    Signed-off-by: Marc Véron <veron at veron.ch>
    Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit 60a17c1b2b8582620fc94ab9eadd7e8336a5d1fa
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Wed Sep 27 12:54:18 2017 -0300

    Bug 19372: (bug 15801 follow-up) pass selected frameworkcode to the template
    
    Bug 15801 removes the 2 lines that were necessary to retrieve the
    framework selected by the user and pass it to the template.
    All bibliographic records created when adding an order to the basket
    using an external source used the default framework.
    
    Test plan:
    Add an order to a basket from an external source
    Select another framework than the default one
    => Without this patch, whatever the framework you picked, the default
    one is used
    => With this patch applied the framework code you will pick will be used
    
    Signed-off-by: Marijana Glavica <mglavica at ffzg.hr>
    
    Signed-off-by: Marijana Glavica <mglavica at ffzg.hr>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit ae02cf97e469a17d3bdc9d5c7db702960fd620c8
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Wed Sep 27 13:44:00 2017 -0300

    Bug 19366: Do not block patron's detail update if EmailMustBeUnique
    
    If the pref PatronSelfRegistrationEmailMustBeUnique is set ("consider"),
    a patron is not allowed to register with an existing email address.
    The existing code is wrong and rejects a patron that is updating their
    personal details with "This email address already exists in our
    database.", even if the patron did not modify their email address.
    
    This is caused by the query we made: we must search for a patron with this
    email address who is not the current patron.
    
    Test plan:
    - Set PatronSelfRegistrationEmailMustBeUnique to "consider"
    - Register a new patron with an existing email address
    => you should not be allowed
    - Use a non-existent email address
    => You should be allowed
    - Edit your patron details
    - Modify some info
    => Should pass
    - Modify your email address with an existing one
    => You should not be allowed to do that
    
    Followed test plan, patches worked as described
    Signed-off-by: Alex Buckley <alexbuckley at catalyst.net.nz>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit 99f6e1adf3d3236c2a08ad31d4282d429d50974b
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Thu Sep 21 11:09:57 2017 -0300

    Bug 19357: (bug 18260 follow-up) Remove non-relevant attributes
    
    When created, batch_record_modification.tt was based on
    batch_delete_records.tt.
    These attributes are not used in the template and not set in the pl
    script.
    Since bug 18260, biblio is a Koha::Biblio and calling a non-existent
    method will raise an error.
    
    This patch gets rid of the following error:
    batch_record_modification.pl: Template process failed: undef error - The
    method itemnumbers is not covered by tests!
    
    Test plan:
    Modify bibliographic records with the "Batch record modification" tool.
    
    Signed-off-by: Owen Leonard <oleonard at myacpl.org>
    Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit c84d03c582976cb590c62b25d59505b982a71d97
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Tue Aug 16 15:12:07 2016 +0100

    Bug 15173: Restore SubfieldsToAllowForRestrictedEditing
    
    Bug 7673 introduced SubfieldsToAllowForRestrictedEditing but bug 12176
    broke it assuming that only selects were impacted by this feature.
    
    Test plan:
    Go back on bug 7673 and confirm that
    SubfieldsToAllowForRestrictedEditing is working as expected with this
    patch applied.
    
    Signed-off-by: Lee Jamison <ldjamison at marywood.edu>
    For clarification, the item fields that are entered in
    SubfieldsToAllowForRestrictedEditing should EXCLUDE the desired
    fields you want to disable.
    
    Test plan (updated to test the scenario in the bug Description):
    1. Create a patron with only the following permissions:
        - catalogue (Required for staff login)
        - editcatalogue -> edit_catalogue
        - editcatalogue -> edit_items
        - editcatalogue -> edit_items_restricted
    2. Navigate to Administration -> Global system preferences -> Cataloging
        -> Record Structure -> SubfieldsToAllowForRestrictedEditing
    3. In the input field for SubfieldsToAllowForRestrictedEditing enter in
        all the 952 fields EXCEPT the ones desired to be disabled. In this
        case, we want to disallow editing of 952$2, 952$a, 952$b, 952$e, 952$h,
        and 952$o so we enter the following into the
        SubfieldsToAllowForRestrictedEditing (without quotes) "952$0 952$1
        952$3 952$4 952$5 952$7 952$8 952$c 952$d 952$f 952$g 952$i 952$j
        952$p 952$t 952$u 952$v 952$w 952$x 952$y 952$z"
    4. Click Save all Cataloging preferences
    5. Login to the staff client as the created restricted editing patron
    6. Edit an item
    7. Note that all fields except for the ones excluded from the syspref
        are editable
    
    Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit 12bd6358cfe6c9348cb111d22f04097f7911babf
Author: Fridolin Somers <fridolin.somers at biblibre.com>
Date:   Fri Sep 15 11:12:01 2017 +0200

    Bug 19323: subscription edit permission issue
    
    If a librarian has edit_subscription but not create_subscription:
    when trying to edit a subscription, permission is denied after saving.
    
    This is because permissions in serials/subscription-add.pl depend on the arg 'op', and on edit this arg starts with 'modify' but changes to 'modsubscription' when saving.
    
    Test plan :
    - Create a user with staff access
    - Define its permissions on serials : only edit_subscription
    - Edit a subscription
    - Click 'Next'
    - Click 'Test prediction pattern'
    - Click 'Save subscription'
    => Without patch you get to page serials/subscription-add.pl with permission denied
    => With patch subscription is saved and you get to subscription details page
    
    Signed-off-by: Caroline Cyr La Rose <caroline.cyr-la-rose at inlibro.com>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit f270c4a3b56a8b92554670ae9aceb857b50b897e
Author: Dobrica Pavlinusic <dpavlin at rot13.org>
Date:   Mon Sep 18 19:17:35 2017 +0200

    Bug 19334: Circulation history doesn't set biblionumber so left navigation is broken
    
    Navigation on the left (Normal, MARC, etc...) needs biblionumber in
    template variables to work.
    
    Test:
    1. go to checkout history for any biblio
    2. verify that normal, MARC, etc links on the left no longer work
       due to missing biblionumber in URL
    3. apply patch and test it again
    
    Signed-off-by: Josef Moravec <josef.moravec at gmail.com>
    Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit 80fd5cd0dbfe8c5612325ca65251d36a97fcfc1c
Author: Josef Moravec <josef.moravec at gmail.com>
Date:   Tue Aug 22 08:58:11 2017 +0000

    Bug 19116: Hold not set to waiting after transfer
    
    Test plan:
    
    0) Do not apply the patch
    1) Place hold on item from another branch
    2) Switch to that branch
    3) Check them in at the other branch to set them into transport status (T)
    4) Switch back to your homebranch
    5) Check items in again, use the different confirm buttons and
        compare: Only "confirm and print" will be set to waiting, "confirm"
        remains in transport.
    6) Apply the patch
    7) Repeat 1-5 - now should work as expected - the hold is marked waiting
    on "confirm" button too
    8) Check the hold from the same branch, to make sure this doesn't add
    regression
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit a0c73b7bdafd21e19e0c1ba6a7ea222216d70500
Author: Josef Moravec <josef.moravec at gmail.com>
Date:   Fri Sep 22 08:40:56 2017 +0000

    Bug 19116: (followup) Add tests to highlight the problem in CheckReserves
    
    Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit 021d1d3714602be64609b9db82fd92e8bb1b42c0
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Mon Sep 4 14:14:31 2017 -0300

    Bug 19116: Unit tests
    
    Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
    Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit 357d51c8c4bd0eeffd83bc04f96b9c3dc66afa02
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Tue Sep 12 11:21:27 2017 -0300

    Bug 19127: (follow-up) Fix Stored XSS in csv-profiles.pl
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit b90662073ff99d25e0f32156924f79981f9d5707
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date:   Wed Aug 16 17:56:17 2017 +0530

    Bug 19127: Fix Stored XSS in csv-profiles.pl
    
    To Test
    1. Hit the page /cgi-bin/koha/tools/csv-profiles.pl?op=add_form
    2. Add a text in the field Profile name, Profile description
       and Profile MARC fields that contains js
    3. Save the page.
    4. Notice js is executed
    5. Apply patch and reload, the js is escaped
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit 914577fdb788b70fdb0979a6ea88ca10e3345796
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Tue Sep 12 11:06:11 2017 -0300

    Bug 19108: (follow-up) Fix Stored XSS in biblio_framework.pl
    
    Prevent software error
    Template process failed: undef error - text: filter not found at
    /home/vagrant/kohaclone/C4/Templates.pm line 121.
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit 624eb9e1f5f7ca87a6d8fbbaef0bbaa3dea3bc21
Author: Katrin Fischer <katrin.fischer.83 at web.de>
Date:   Wed Aug 16 13:52:07 2017 +0200

    Bug 19108: (follow-up) Fix Stored XSS in fieldmapping.pl and items_search_fields.pl
    
    To test:
    - Add a framework with script in the description
    - Access the Keywords to MARC mapping page
    - Add an item search field where both name and label are script
    - Try to edit/delete the added mapping
    
    With the patch no script should be executed and everything
    should still work ok.
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit a482880352c4e9b363402a83358e1c239fbc1d74
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date:   Tue Aug 15 14:37:50 2017 +0530

    Bug 19108: Fix Stored XSS in biblio_framework.pl and marctagstructure.pl
    
    To Test
    1. Hit the page /cgi-bin/koha/admin/biblio_framework.pl?op=add_form
    2. Add a text in the field Description that contains js
    3. Save the page.
    4. Notice js is executed
    5. Click on Actions -> MARC structure
    6. Apply patch and reload, the js is escaped
    
    Fixed for both the pages biblio_framework.pl and marctagstructure.pl
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit ec85c6b0a23088e91922c0b095f39bfbca2f4456
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date:   Tue Aug 15 14:10:43 2017 +0530

    Bug 19108: Fix Stored XSS in fieldmapping.pl
    
    To Test
    1. Hit the page /cgi-bin/koha/admin/fieldmapping.pl
    2. Add a text in the field Field name that contains js
    3. Save the page.
    4. Notice js is executed
    5. Apply patch and reload, the js is escaped
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit 6a68fd033035491a1e8060d47ca30f8640cd835e
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date:   Tue Aug 15 14:06:47 2017 +0530

    Bug 19108: Fix Stored XSS in authtypes.pl
    
    To Test
    1. Hit the page /cgi-bin/koha/admin/authtypes.pl?op=add_form
    2. Add a text in the field Description that contains js
    3. Save the page.
    4. Notice js is executed
    5. Apply patch and reload, the js is escaped
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit b09750ca2b1446bdeaf78a5989b4325e41789362
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date:   Tue Aug 15 13:55:45 2017 +0530

    Bug 19108: Fix Stored XSS in classsources.pl
    
    Fixed for both Classification sources & Classification filing rules
    
    To Test
    1. first case classification source: Hit the page
       /cgi-bin/koha/admin/classsources.pl?op=add_source
       second case classification filing rules:
       Hit the page /cgi-bin/koha/admin/classsources.pl?op=add_sort_rule
    2. Add a text in the field Description that contains js
    3. Save the page.
    4. Notice js is executed
    5. Apply patch and reload, the js is escaped
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit bfbba2339f3c39fcf19ec1b12585f15f9ea68993
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date:   Tue Aug 15 13:49:10 2017 +0530

    Bug 19108: Fix Stored XSS in items_search_fields.pl
    
    To Test
    1. Hit the page /cgi-bin/koha/admin/items_search_fields.pl
    2. Add a text in the field Name and Label that contains js
    3. Save the page.
    4. Notice js is executed
    5. Apply patch and reload, the js is escaped
    
    Fixed for new and edit page
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit d1aa11c51c0b7312ea08327b57b4adb04f3c7c48
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date:   Tue Aug 15 13:33:57 2017 +0530

    Bug 19108: Fix Stored XSS in oai_sets.pl
    
    To Test
    1. Hit the page /cgi-bin/koha/admin/oai_sets.pl
    2. Click on New set
    3. Add a text in the field setSpec, setName that contains js
    4. Save the page.
    5. Notice js is executed
    6. Apply patch and reload, the js is escaped
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit ab7b35fe2466bbca5082a315dfb5bd33add3d956
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Tue Sep 12 10:58:24 2017 -0300

    Bug 19103: (follow-up) Fix Stored XSS in itemtypes.pl
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit 233741e937cade658de0181d41fe2d315a7ab993
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date:   Tue Aug 15 10:15:54 2017 +0530

    Bug 19103: Fix Stored XSS in matching-rules.pl
    
    To Test
    1. Hit the page /cgi-bin/koha/admin/matching-rules.pl
    2. Click on new record matching rule
    3. Add a text in the field Description that contains js.
    4. Save the page.
    5. Notice js is executed
    6. Apply patch and reload, the js is escaped
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit 617e2f822141c9a430f87304e6030f3d2fb4a6d7
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date:   Tue Aug 15 10:07:45 2017 +0530

    Bug 19103: Fix Stored XSS in patron-attr-types.pl
    
    To Test
    1. Hit the page /cgi-bin/koha/admin/patron-attr-types.pl
    2. Click on new patron attribute type
    3. Add a text in the field Description that contains js.
    4. Save the page.
    5. Notice js is executed
    6. Apply patch and reload, the js is escaped
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit 9374c646e164db5f48f88e3a8fcb904a79922013
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date:   Tue Aug 15 08:52:40 2017 +0530

    Bug 19103: Fix Stored XSS in itemtypes.pl
    
    To Test
    1. Hit the page /cgi-bin/koha/admin/itemtypes.pl
    2. Add a text in the field Description, Checkin message that contains js
    3. Save the page.
    4. Notice js is executed
    5. Apply patch and reload, the js is escaped
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit b3734f02e1e76dfe9710b85887df826303feff14
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Tue Sep 12 10:35:10 2017 -0300

    Bug 19128: Fix Stored XSS in admin/authorised_values.pl
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit b4608887f664ed73d6813375f503b2bebd542adb
Author: Katrin Fischer <katrin.fischer.83 at web.de>
Date:   Wed Aug 16 14:34:17 2017 +0200

    Bug 19128: Fix Stored XSS in patron-attr-types.pl, authorised_values.pl and categories.pl
    
    Preparation:
    - Add a branch with script in the branch name
    - Add a patron category with script in the category name
    - Add a new authorised value category with script
    - Add a new authorised value for this category with script
      in all possible fields
    
    - Test editing patron categories
    - Test editing patron attribute types
    - Test viewing and editing authorised values
    
    Verify that with this patch no script is executed any more
    and everything works fine.
    
    Signed-off-by: Amit Gupta <amit.gupta at informaticsglobal.com>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit 2d308456010745b90bcd99f40d56db0fcd9cad65
Author: Katrin Fischer <katrin.fischer.83 at web.de>
Date:   Wed Aug 16 12:05:50 2017 +0200

    Bug 19125: Fix Stored XSS in members.pl
    
    In preparation to test this patch:
    - Add a patron list named <script>alert("patron list")</script>
    - Add a library named <script>alert("library")</script>
    - Add a patron category named <script>alert("patron category")</script>
    
    To test:
    - Access patron search page and do a search
    - Verify that the alerts added above are executed
    - Apply patch
    - Verify that no alerts are displayed
    
    Signed-off-by: Amit Gupta <amit.gupta at informaticsglobal.com>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit 0bbe968fe57316b8bb28ad02df87c0b97c249904
Author: Katrin Fischer <katrin.fischer.83 at web.de>
Date:   Wed Aug 16 13:07:18 2017 +0200

    Bug 19086: Fix Stored XSS in subscription-detail.pl
    
    Add script to the callnumber field on adding a subscription.
    
    Verify script is executed without this patch, but not with it.
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit 13e65432ce6f78c277835d5a5fe22fe99ed0b20c
Author: Katrin Fischer <katrin.fischer.83 at web.de>
Date:   Wed Aug 16 12:59:13 2017 +0200

    Bug 19086: (follow-up) Fix Stored XSS in supplier.pl
    
    In preparation:
    Make sure you enter <script>alert("sth")</script>
    in all fields of a new vendor that are not validated
    and save.
    
    1) Access vendor summary page.
    2) Verify scripts are executed
    3) Apply patch
    4) Verify scripts are no longer executed
    
    This works in combination with the other patches for XSS
    on this bug.
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit ec86950780e908f5b2a5d53e21cffede6d570b08
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date:   Tue Aug 15 02:44:11 2017 +0530

    Bug 19086: Fix Stored XSS in subscription-add.pl
    
    To Test
    1. Hit the page /cgi-bin/koha/serials/subscription-add.pl
    2. Add a text in the field Public note and Nonpublic note
       that contains js (Internalnotes, notes)
    3. Save the page.
    4. Notice js is executed
    5. Apply patch and reload, the js is escaped
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit 6d22674da5062cc61b6bd8667f8fb5775f71b05a
Author: Amit Gupta <amit.gupta at informaticsglobal.com>
Date:   Tue Aug 15 02:33:59 2017 +0530

    Bug 19086: Fix Stored XSS in supplier.pl
    
    1. Hit the page /cgi-bin/koha/acqui/supplier.pl?op=enter
    2. Add a text in the field company_postal, physical, company_fax,
       accountnumber, contactposition, contact_fax, contact_notes, notes that contains JavaScript
    3. Save the page.
    4. Notice js is executed
    5. Apply patch and reload, the js is escaped
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit 50dcae4b504a4a54a830ae87848ba3fa5161ad57
Author: Chris Cormack <chris at bigballofwax.co.nz>
Date:   Fri Aug 11 19:54:34 2017 +0000

    Bug 19086: Fix Stored XSS in circulation.pl
    
    1/ To test add a message to a borrower that contains js
    2/ hit /cgi-bin/koha/circ/circulation.pl?borrowernumber=[number]
      where number is the borrowernumber of the borrower you set the message
      for
    3/ Notice js is executed
    4/ Apply patch, reload, js is escaped
    
    Signed-off-by: Amit Gupta <amit.gupta at informaticsglobal.com>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

commit c176b8ceefc8a4b964b8671c4d3198af053b59c8
Author: Chris Cormack <chris at bigballofwax.co.nz>
Date:   Fri Aug 11 19:36:43 2017 +0000

    Bug 19086: Fix Stored XSS in members/member.pl
    
    To test
    1/ hit /cgi-bin/koha/members/member.pl?&searchmember=<script>alert('XSS Payload')</script>
    2/ Notice js is executed
    3/ Apply patch, reload
    4/ js is now escaped
    
    Signed-off-by: Amit Gupta <amit.gupta at informaticsglobal.com>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
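
The stored XSS commits above (bugs 19086, 19103, 19108, 19125, 19127, 19128) share one root cause: a value an administrator saved (a description, a note, a vendor field) is written into the page by a Template Toolkit template without output escaping. The added example below is not Koha code and is not taken from these patches; it only assumes the Template module is installed and uses a constructed sample value. It shows the same value rendered unescaped, rendered through Template Toolkit's built-in html filter (the standard TT escape, which is the mechanism the Koha .tt templates rely on), and rendered through a misspelt filter name, which reproduces the "text: filter not found" software error that the bug 19108 follow-up removes.

```perl
#!/usr/bin/env perl
# Added example (not Koha code): how a stored value containing markup renders
# in Template Toolkit with and without the built-in "html" filter, and why a
# filter name that does not exist ("text") fails at process time.
use strict;
use warnings;
use Template;

# Constructed sample: a "description" value as an administrator might have saved it.
my $vars = { description => '<script>alert("description")</script>' };

# Render a one-line template string; returns (output, undef) on success
# or (undef, error) when Template Toolkit refuses to process it.
sub render {
    my ( $template, $vars ) = @_;
    my $tt  = Template->new();
    my $out = '';
    my $ok  = $tt->process( \$template, $vars, \$out );
    return $ok ? ( $out, undef ) : ( undef, $tt->error );
}

# Unfiltered: the stored markup reaches the browser verbatim. This is the
# defect class the patches above fix.
my ($raw) = render( '[% description %]', $vars );
print "raw:        $raw\n";

# Escaped with the "html" filter: <, >, & and " become entities, so the
# browser displays the text instead of running it.
my ($escaped) = render( '[% description | html %]', $vars );
print "escaped:    $escaped\n";
# escaped:    &lt;script&gt;alert(&quot;description&quot;)&lt;/script&gt;

# The filter name must exist: "text" is not a Template Toolkit filter, so
# process() returns false and error() carries "text: filter not found",
# which is what surfaced as the software error in the follow-up commit.
my ( undef, $err ) = render( '[% description | text %]', $vars );
print "bad filter: $err\n";
```

Running it prints the raw value once as markup and once as entities; the third line shows the process-time failure rather than a rendered page, which is the point the follow-up commit makes: an escaping fix has to use a filter that actually exists, or the page breaks instead of being protected.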

-----------------------------------------------------------------------

Summary of changes:
 C4/Acquisition.pm                                  |    2 +-
 C4/Reserves.pm                                     |    6 ++-
 Koha/SearchEngine/Elasticsearch.pm                 |    9 ++--
 acqui/z3950_search.pl                              |    2 +
 catalogue/issuehistory.pl                          |    1 +
 cataloguing/additem.pl                             |   33 ++++++------
 .../en/includes/admin-items-search-field-form.inc  |    4 +-
 .../prog/en/includes/html_helpers.inc              |    2 +-
 .../prog/en/includes/patron-search.inc             |    6 +--
 .../prog/en/includes/patron-toolbar.inc            |    4 +-
 .../prog/en/modules/acqui/supplier.tt              |   32 ++++++------
 .../prog/en/modules/admin/authorised_values.tt     |   26 +++++-----
 .../prog/en/modules/admin/authtypes.tt             |    4 +-
 .../prog/en/modules/admin/biblio_framework.tt      |   12 ++---
 .../prog/en/modules/admin/categories.tt            |    4 +-
 .../prog/en/modules/admin/classsources.tt          |    4 +-
 .../prog/en/modules/admin/fieldmapping.tt          |    8 +--
 .../prog/en/modules/admin/items_search_field.tt    |    4 +-
 .../prog/en/modules/admin/items_search_fields.tt   |   10 ++--
 .../prog/en/modules/admin/itemtypes.tt             |    4 +-
 .../prog/en/modules/admin/marctagstructure.tt      |   18 +++----
 .../prog/en/modules/admin/matching-rules.tt        |    2 +-
 .../prog/en/modules/admin/oai_set_mappings.tt      |    2 +-
 .../prog/en/modules/admin/oai_sets.tt              |   10 ++--
 .../prog/en/modules/admin/patron-attr-types.tt     |   12 ++---
 .../en/modules/admin/preferences/staff_client.pref |    2 +-
 .../prog/en/modules/cataloguing/additem.tt         |   40 ++++++++++-----
 .../prog/en/modules/circ/circulation.tt            |    2 +-
 .../prog/en/modules/members/member.tt              |   10 ++--
 .../prog/en/modules/serials/subscription-detail.tt |    6 +--
 .../en/modules/tools/batch_record_modification.tt  |    2 +-
 .../prog/en/modules/tools/csv-profiles.tt          |   12 ++---
 .../bootstrap/en/modules/opac-discharge.tt         |    7 ++-
 opac/opac-discharge.pl                             |    5 ++
 opac/opac-memberentry.pl                           |   13 ++++-
 serials/subscription-add.pl                        |    3 +-
 t/db_dependent/Acquisition/close_reopen_basket.t   |   12 ++++-
 t/db_dependent/Circulation.t                       |   54 +++++++++++++++++++-
 38 files changed, 249 insertions(+), 140 deletions(-)


hooks/post-receive
-- 
main Koha release repository

