[koha-commits] main Koha release repository branch master updated. v19.11.00-897-gd7407055a8

Git repo owner gitmaster at git.koha-community.org
Tue Feb 25 15:10:46 CET 2020


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, master has been updated
       via  d7407055a891e723c7840739ff277b699668a56d (commit)
       via  2061132e457b85f780a5b77f5272db6b707ad7ea (commit)
       via  7a4dc6c8ed1d21343fc101366e1d299bcd92fb45 (commit)
       via  a01e5132c15d4a7241a9926b326566248367881f (commit)
       via  306ed2fb6f49b79139a346c70f253509af29c7af (commit)
       via  404fbeee729f624c1b3b7d2bfb02f9d538e4319f (commit)
       via  801693096c6024099c5fb251d56fcf36509127e5 (commit)
       via  a69df1fe611ebc3d77692bc3d1c1c52ec6d79a90 (commit)
       via  f6bb3eb4787ce2208347b3b066392ee1bf2432cf (commit)
       via  7baa8d349c40d444f917396e5762165b358a26b9 (commit)
       via  269c0bf2174afbee272aaf9b74571a4c04641bbf (commit)
       via  9ae9e5aade44c508e2fa0ed0fdc22f4db636ae50 (commit)
       via  322fbf151b0e5bd0f2e68a6d7e8157d1aa12910d (commit)
      from  884ab0d98e54d3a9f5229e2d21fd234dddf298b0 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit d7407055a891e723c7840739ff277b699668a56d
Author: Ere Maijala <ere.maijala at helsinki.fi>
Date:   Fri Feb 7 13:49:46 2020 +0200

    Bug 22522: Fix several REST API tests
    
    Fixes among others the invalid use of json_has() which caused broken tests to pass with older Mojolicious versions.
    
    Signed-off-by: Mason James <mason at kohaaloha.com>
    Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>

commit 2061132e457b85f780a5b77f5272db6b707ad7ea
Author: Mason James <mtj at kohaaloha.com>
Date:   Tue Feb 4 17:20:27 2020 +1300

    Bug 22522: Fix route typo
    
    Signed-off-by: Mason James <mason at kohaaloha.com>
    Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>

commit 7a4dc6c8ed1d21343fc101366e1d299bcd92fb45
Author: Ere Maijala <ere.maijala at helsinki.fi>
Date:   Wed Jan 29 13:24:15 2020 +0200

    Bug 22522: Add support for current Mojolicious and related packages
    
    This patch allows tests to succeed with the following versions:
    JSON::Validator 3.18
    Mojolicious 8.32
    Mojolicious::Plugin::OpenAPI 2.21
    
    Also Mojolicious::Plugin::OpenAPI version 1.17 and later 1.x versions now work.
    
    Calling valid_input in under() would cause ' Use of uninitialized value $_[2] ' in more recent OpenAPI plugins, so that was changed too. As far as I can see this does not affect authorization.
    
    Signed-off-by: Mason James <mason at kohaaloha.com>
    Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>

commit a01e5132c15d4a7241a9926b326566248367881f
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date:   Mon Jan 27 14:06:36 2020 +0000

    Bug 23290: (QA follow-up) Rename option to expand_entities_unsafe
    
    When you enable options marked as unsafe, we hope that you know what
    you are doing. You should, while having access to koha-conf.xml.
    
    Test plan:
    Verify that Security.t still passes.
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>

commit 306ed2fb6f49b79139a346c70f253509af29c7af
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date:   Fri Jan 17 10:30:16 2020 +0000

    Bug 23290: (follow-up) Replace warning_like by warnings_like
    
    Security.t does not pass anymore ;)
    Due to bug 23290 the tests now trigger an additional runtime error that
    we should also catch to let the tests pass again.
    
    Test plan:
    Run t/db_dependent/Koha/XSLT/Security.t
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>

commit 404fbeee729f624c1b3b7d2bfb02f9d538e4319f
Author: David Cook <dcook at prosentient.com.au>
Date:   Tue Nov 19 13:56:30 2019 +0000

    Bug 23290: Add test for write_net
    
    Test plan:
    Run t/db_dependent/Koha/XSLT/Security.t
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: David Cook <dcook at prosentient.com.au>
    Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>

commit 801693096c6024099c5fb251d56fcf36509127e5
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date:   Fri Nov 15 13:19:50 2019 +0000

    Bug 23290: Add test Koha/XSLT/Security.t
    
    Test plan:
    Run it!
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: David Cook <dcook at prosentient.com.au>
    Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>

commit a69df1fe611ebc3d77692bc3d1c1c52ec6d79a90
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date:   Fri Jan 17 11:01:14 2020 +0000

    Bug 23290: (follow-up) Disable expand_entities unless explicitly enabled
    
    This follow-up refines the change made in the former patch.
    
    See also
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838097
    https://rt.cpan.org/Public/Bug/Display.html?id=118032
    
    We do not want to depend now on the exact LibXML version, so we will
    disable expand_entities unless it is explicitly enabled via the config
    variable koha_xslt_security. (Allowing us to test if bad things will be
    caught.)
    
    The options key is now always added to the Security object.
    The return from set_parser_options has been removed to allow disabling when
    there is no koha-conf entry (which probably is the normal situation).
    
    Test plan:
    [1] Test the first example patch with and without the other patches (excl.
        the second example). Toggle expand_entities in koha-conf. Restart
        Plack and flush the cache each time. Evaluate results with the
        commit message of first example.
    [2] Test both example patches with/without other patches.
        Toggle expand_entities. Restart etc. Evaluate results with commit
        message of second example (check tmp/breached.txt).
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>

commit f6bb3eb4787ce2208347b3b066392ee1bf2432cf
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date:   Fri Nov 15 12:41:32 2019 +0000

    Bug 23290: Allow enabling expand_entities
    
    Since libxml2 disables it now by default, we need to enable it for testing.
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: David Cook <dcook at prosentient.com.au>
    Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>

commit 7baa8d349c40d444f917396e5762165b358a26b9
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date:   Fri Nov 15 11:04:53 2019 +0000

    Bug 23290: Apply the changes in Security to Base now
    
    Until now Base did not yet use Security. The security lines are removed
    from Base here by calls to Security.
    A new test must be added still.
    
    Test plan:
    Ensure that t/db_dependent/XSLT_Handler.t still passes.
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: David Cook <dcook at prosentient.com.au>
    Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>

commit 269c0bf2174afbee272aaf9b74571a4c04641bbf
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date:   Fri Nov 15 10:59:40 2019 +0000

    Bug 23290: Introduce Koha::XSLT::Security
    
    Also adds a temporary stub for Koha::XSLT_Handler referring to Base.
    This will be removed later.
    
    Test plan:
    Run t/db_dependent/XSLT_Handler.t
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: David Cook <dcook at prosentient.com.au>
    Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>

commit 9ae9e5aade44c508e2fa0ed0fdc22f4db636ae50
Author: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Date:   Fri Nov 15 10:55:50 2019 +0000

    Bug 23290: Rename XSLT_Handler
    
    This is just a git move. Cannot be tested. (Easier for QA.)
    The next patch adjusts paths etc. in the module.
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: David Cook <dcook at prosentient.com.au>
    Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>

commit 322fbf151b0e5bd0f2e68a6d7e8157d1aa12910d
Author: David Cook <dcook at prosentient.com.au>
Date:   Thu May 23 16:53:57 2019 +1000

    Bug 23290: XSLT system preferences allow administrators to exploit XML and XSLT vulnerabilities
    
    The problem is that administrators can provide XSLTs that
    can read from the server and network and write to the server. The
    
    This patch prevents the Koha::XSLT_Handler from running
    XSLT stylesheets that call actions such as read_file, write_file,
    read_net, and write_net as documented at
    https://metacpan.org/pod/XML::LibXSLT#XML::LibXSLT::Security
    
    (Previous tests suggested issues with XML external entities
    causing read-file-like vulnerabilities, but these were not
    reproducible.)
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>
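
The Bug 23290 series above describes two defensive measures: denying the XML::LibXSLT extension callbacks (read_file, write_file, read_net, write_net, see the XML::LibXSLT::Security documentation linked in the commit) and keeping libxml2 entity expansion disabled unless an operator explicitly turns it on. The following is an added stand-alone Perl example of both measures, written for this page; it is not Koha's Koha::XSLT::Security module and not part of any patch in this series. The identity-transform stylesheet and the record XML are constructed sample inputs, and the parser options (load_ext_dtd, no_network) beyond expand_entities are this example's own choices, not something the commit messages mention.

```perl
#!/usr/bin/env perl
# Added example (not Koha code): harden XML::LibXML parsing and deny the
# XML::LibXSLT file/network callbacks named in the Bug 23290 commit message.
use strict;
use warnings;
use XML::LibXML;
use XML::LibXSLT;

# Constructed sample stylesheet: a plain identity transform that performs no I/O.
my $xsl_src = <<'XSL';
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="xml"/>
  <xsl:template match="@*|node()">
    <xsl:copy><xsl:apply-templates select="@*|node()"/></xsl:copy>
  </xsl:template>
</xsl:stylesheet>
XSL

# Constructed sample input document.
my $xml_src = '<record><title>Example</title></record>';

# Parser: external entities are not expanded, no external DTD is fetched and
# no network access happens while parsing (the latter two are this example's
# additions; the commit series only talks about expand_entities).
my $parser = XML::LibXML->new(
    expand_entities => 0,
    load_ext_dtd    => 0,
    no_network      => 1,
);

# Security policy: deny every file and network callback. XML::LibXSLT calls
# each callback with ($tctxt, $value) and treats a true return as "allow".
my $security = XML::LibXSLT::Security->new();
for my $op (qw(read_file write_file create_dir read_net write_net)) {
    $security->register_callback(
        $op => sub {
            my ( $tctxt, $value ) = @_;
            warn "XSLT security: denied $op on '$value'\n";
            return 0;    # deny
        }
    );
}

my $xslt = XML::LibXSLT->new();
$xslt->security_callbacks($security);

# Parse and apply the stylesheet through the hardened parser.
my $stylesheet = $xslt->parse_stylesheet( $parser->parse_string($xsl_src) );
my $result     = $stylesheet->transform( $parser->parse_string($xml_src) );
print $stylesheet->output_as_bytes($result), "\n";
```

With this policy in place, a stylesheet that uses document() on a local path or URL, or an exslt document-writing extension, is refused by the corresponding callback and the refusal is logged via warn; the identity transform above runs unaffected because it performs no I/O at all.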

-----------------------------------------------------------------------

Summary of changes:
 Koha/REST/V1/Auth.pm                           |  10 +-
 Koha/{XSLT_Handler.pm => XSLT/Base.pm}         |  34 ++-
 Koha/XSLT/Security.pm                          | 170 ++++++++++++
 Koha/XSLT_Handler.pm                           | 346 +------------------------
 api/v1/swagger/x-primitives.json               |   2 +-
 t/db_dependent/Koha/REST/Plugin/Objects.t      |  35 ++-
 t/db_dependent/Koha/REST/Plugin/PluginRoutes.t |  16 +-
 t/db_dependent/Koha/XSLT/Security.t            | 132 ++++++++++
 t/db_dependent/api/v1/acquisitions_orders.t    |  43 ++-
 t/db_dependent/api/v1/holds.t                  |   6 +-
 t/db_dependent/api/v1/libraries.t              |  13 +-
 t/db_dependent/api/v1/patrons.t                |  14 +-
 t/db_dependent/api/v1/patrons_password.t       |   4 +-
 13 files changed, 431 insertions(+), 394 deletions(-)
 copy Koha/{XSLT_Handler.pm => XSLT/Base.pm} (92%)
 create mode 100644 Koha/XSLT/Security.pm
 create mode 100644 t/db_dependent/Koha/XSLT/Security.t


hooks/post-receive
-- 
main Koha release repository

