[koha-commits] main Koha release repository branch 19.11.x updated. v19.11.04-154-g3401e94d94
Git repo owner
gitmaster at git.koha-community.org
Fri Apr 17 21:37:22 CEST 2020
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, 19.11.x has been updated
via 3401e94d942a8d8a4e216ea44bd295f96b8f3e24 (commit)
via d3ba9dc0fe423347f0e0e90b66be3ebeb7a6dec1 (commit)
from 5613ca4165c64b40e80a772997b3180755b7e437 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 3401e94d942a8d8a4e216ea44bd295f96b8f3e24
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date: Thu Jul 14 13:51:21 2016 +0200
Bug 16922: Add RewriteRule to apache-shared-intranet for dev package installs
As a simple alternative to the solution in bug 9949 or just as an
additional measure, this patch adds a rewrite rule for intranet
in order to intercept potential misuse of perl scripts that could be
reached on a dev package install via the cgi-bin/koha scriptalias.
It simply rewrites them to the nonexistent "notfound", resulting in a
regular 404 error.
The rewrite rule does not harm regular installs and is just a little extra
step in securing a dev install. You should have more security measures in
place to secure your staff client.
QA Note: Although a rewrite rule may not be our first choice, this one
rule is more elegant and easier to maintain than e.g. a whole bunch of
aliases.
Note: This patch should have a regular and a dev install signoff.
Test plan:
[1] Make sure that this rewrite rule is inserted in your actual apache
config via /etc/koha/apache-shared-intranet.conf. Restart Apache.
[2] For regular package installs:
Try one of the URLs in step 3.
Verify that your staff client still operates as usual. Test a few
URLs inside some modules.
[3] For dev installs:
Try some URLs like below.
Expect 404 errors only, not 500s. If you do not see a 404, go back!
/misc/stage_file.pl
/t/db_dependent/default_search_class.pl
/installer/data/mysql/updatedatabase.pl
/Makefile.PL
[4] Do you see an additional directory to add to the regex? Please report.
Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
Signed-off-by: Joy Nelson <joy at bywatersolutions.com>
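The mechanism the message above describes, shown as an added illustration rather than the project's own apache-shared-intranet.conf (the three lines that commit adds are not reproduced in this mail): a dev package install whose ScriptAlias points at a git checkout, and the same install with a rewrite rule of the kind bug 16922 describes placed in front of it. The checkout path, the directory list in the regex and the /notfound target are assumptions for this example, not Koha's actual values.

```apache
# Added example, not Koha's shipped configuration. The checkout path,
# the directory list and the /notfound target are assumed.

# Dev package install: the ScriptAlias maps the whole git checkout under
# /cgi-bin/koha/, so every .pl in the tree is reachable as a CGI, not
# only the staff-client scripts. With this line alone a request for
# /cgi-bin/koha/misc/stage_file.pl or /cgi-bin/koha/Makefile.PL is
# handed to Perl by Apache (usually surfacing as a 500 when it dies).
ScriptAlias /cgi-bin/koha/ "/home/koha/src/"

# Mitigation of the kind the commit describes. In virtual-host context
# mod_rewrite's translate-name hook runs before mod_alias, so the rule
# sees the request before ScriptAlias maps it to a file. Matching paths
# are rewritten to /notfound, which nothing serves, so the client gets an
# ordinary 404 and no script runs. The trailing (/|$) matters: without
# it the "t" alternative would also swallow the real /cgi-bin/koha/tools/
# scripts of the staff client. The list itself is the part to maintain
# (test plan step [4]).
RewriteEngine On
RewriteRule ^/cgi-bin/koha/(misc|t|installer/data|Makefile\.PL)(/|$) /notfound [L]

# The staff client never calls any of these paths over HTTP, so the rule
# costs nothing on a regular package install; that is what step [2] of
# the test plan checks.
```

The rule must sit in server or virtual-host context (where the shared intranet config is included), not inside a `<Directory>` block, for it to run ahead of the ScriptAlias mapping; and because it only rewrites, not blocks, the 404 is indistinguishable from any other missing path, which is the point of step [3] expecting 404s and never 500s.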
commit d3ba9dc0fe423347f0e0e90b66be3ebeb7a6dec1
Author: Tomas Cohen Arazi <tomascohen at theke.io>
Date: Fri Mar 27 18:16:58 2020 -0300
Bug 25009: Avoid leakages in opac-showmarc.pl
This patch cleans opac-showmarc.pl so it doesn't allow retrieving
records from import batches without requiring any permissions in the
OPAC.
It does so by just removing the code portion that does that.
It also cleans the record fetch operation and how the record processor
is initialized so it actually works :-D
To test:
1. Perform a successful Z39.50 search in cataloguing (this fetches 20
records usually)
2. Query your DB for a valid import_record_id:
$ koha-mysql kohadev
> SELECT * FROM import_records LIMIT 1;
3. Notice some of the MARCXML details (title, author, etc), and the
import_record_id
4. Point your browser to the opac-showmarc.pl URL like this:
http://kohadev.mydnsname.org:8080/cgi-bin/koha/opac-showmarc.pl?importid=20
=> FAIL: You get the record! (Bonus: no field/subfield filtering takes place)
5. Hide some obvious subfield on the framework for a known (to you)
biblionumber
6. Point your browser to:
http://kohadev.mydnsname.org:8080/cgi-bin/koha/opac-showmarc.pl?id=<biblionumber_here>
=> FAIL: No filtering takes place
7. Apply this patch
8. Repeat 4
=> SUCCESS: You get an error because you did a bad request (no id param)
9. Repeat 6
=> SUCCESS: Subfield filtering actually works!
10. Sign off :-D
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Joy Nelson <joy at bywatersolutions.com>
-----------------------------------------------------------------------
Summary of changes:
debian/templates/apache-shared-intranet.conf | 3 ++
opac/opac-showmarc.pl | 41 +++++++++++++++++-----------
2 files changed, 28 insertions(+), 16 deletions(-)
hooks/post-receive
--
main Koha release repository
More information about the koha-commits
mailing list