[koha-commits] main Koha release repository branch master updated. v19.11.00-1471-ge87908078f

Git repo owner gitmaster at git.koha-community.org
Thu Mar 26 13:02:11 CET 2020


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, master has been updated
       via  e87908078fe7866f6a31815d41e4c9409de57719 (commit)
       via  d2b2c61ff99c660be510339b8d83e719b9e054e4 (commit)
       via  649bfe1ee2dc4825d44e7d9d200e8a21f8d8d430 (commit)
      from  6902efac2263d839f6468b62a18baf0182d81e38 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit e87908078fe7866f6a31815d41e4c9409de57719
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Tue Mar 17 11:37:12 2020 +0100

    Bug 24878: Add auth check for copy-holidays
    
    Signed-off-by: Nick Clemens <nick at bywatersolutions.com>
    Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>

commit d2b2c61ff99c660be510339b8d83e719b9e054e4
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Mon Mar 16 16:26:48 2020 +0100

    Bug 24878: Add authentication checks to the calendar tool
    
    There is a security hole in 2 scripts that are used by the UI to edit
    holidays.
    
    To test:
    1) Go to Tools -> Calendar, for Centerville
       Check that there is no holiday for 30/4/2020
    2) To add a new holiday without logging in, execute
       a curl command with the necessary parameters
    3) Reload the page from 1), verify the new holiday,
       edit and delete the holiday
    4) Apply the patch
    5) Do 2) again; this time you get lengthy output
       with the magic words:
    
       <title>Koha ›
           Log in to Koha
       </title>
    
    Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel at gmail.com>
    Signed-off-by: Nick Clemens <nick at bywatersolutions.com>
    Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>

commit 649bfe1ee2dc4825d44e7d9d200e8a21f8d8d430
Author: David Cook <dcook at prosentient.com.au>
Date:   Mon Feb 17 06:50:49 2020 +0000

    Bug 24673: Add CSRF token support to opac-messaging.pl
    
    This patch adds CSRF token support to opac-messaging.pl,
    which allows users to manually update their messaging preferences,
    but prevents bad actors from tricking people into updating their
    preferences from cross-site requests.
    
    Test plan:
    0. Set SMSSendDriver global system preference to "Test" if unset
    1. Log into the OPAC
    2. Navigate to a URL in your browser like the following:
    http://localhost:8080/cgi-bin/koha/opac-messaging.pl?modify=yes
    &1=email&digest=1&2-DAYS=5&2=email&digest=2&4=email&SMSnumber=0444444444
    3. Observe that the preference and SMS number update
    
    4. Apply the patch
    
    5. Navigate to a URL in your browser like the following:
    http://localhost:8080/cgi-bin/koha/opac-messaging.pl?modify=yes
    &1=email&digest=1&2-DAYS=5&2=email&digest=2&4=email&SMSnumber=0444444444
    6. Observe that you get an error message of "Wrong CSRF token" instead
    of the previous behaviour
    7. Navigate to a URL in your browser like the following:
    http://localhost:8080/cgi-bin/koha/opac-messaging.pl
    8. Update "Advance notice" to 3 and update "SMS number" to 61111111111
    9. Observe that the "Advance notice" and "SMS number" fields update
    correctly
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
    Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>

-----------------------------------------------------------------------

Summary of changes:
 koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-messaging.tt |  1 +
 opac/opac-messaging.pl                                     | 13 +++++++++++++
 tools/copy-holidays.pl                                     |  2 ++
 tools/exceptionHolidays.pl                                 |  3 +++
 tools/newHolidays.pl                                       |  2 ++
 5 files changed, 21 insertions(+)
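The two fixes above share one idea: a state-changing request must come from a logged-in session (Bug 24878) and, for the OPAC messaging form, must also carry a token that only a page served by the application could have embedded (Bug 24673). The following Python sketch is an added illustration, not Koha's own Perl code: it models an opac-messaging.pl-style handler before and after the patch, with the session store, the server secret, borrower 42 and the parameter name `csrf_token` all constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed for this example: a server-side secret and a session table.
SERVER_SECRET = b"example-only-secret-do-not-reuse"
SESSIONS = {"sess-1234": {"borrowernumber": 42}}


def generate_csrf(session_id: str) -> str:
    """Issue a token bound to the session: nonce + HMAC(secret, session_id:nonce)."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def check_csrf(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, _, mac = token.partition(".")
    if not nonce or not mac:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_request(session_id: str, query_string: str, prefs: dict, require_csrf: bool = True) -> str:
    """require_csrf=False mimics the pre-patch script: any modify=yes request from a
    logged-in browser is applied, which is exactly what a cross-site link exploits."""
    session = SESSIONS.get(session_id)
    if session is None:
        return "Log in to Koha"          # the auth check from Bug 24878
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    if params.get("modify") != "yes":
        return "form"                    # just render the preferences form
    if require_csrf and not check_csrf(session_id, params.get("csrf_token", "")):
        return "Wrong CSRF token"        # the post-patch behaviour from Bug 24673
    row = prefs.setdefault(session["borrowernumber"], {})
    row["advance_notice_days"] = int(params.get("2-DAYS", 0))
    row["sms_number"] = params.get("SMSnumber", "")
    return "updated"
```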


hooks/post-receive
-- 
main Koha release repository