[Koha-devel] Crashes on new Opac Recent Searches cookie in older Koha versions
Paul
paul.a at aandc.org
Sat Oct 12 00:16:47 CEST 2013
At 12:26 PM 10/11/2013 -0700, Galen Charlton wrote:
>On Thu, Oct 10, 2013 at 3:17 AM, Marcel de Rooy
><M.de.Rooy at rijksmuseum.nl> wrote:
>I have been looking for these patches on Bugzilla, but I cannot find them.
[snip]
>The patches lack a bug number because of a chicken-and-egg problem, as the
>bug couldn't be posted before the patches and the release announcement were.
>These patches have a nasty side-effect. If you use an older Koha version
>and also current master on the same system for testing, the old Koha
>version will stumble over this (shared) cookie:
[snip]
>An alternative configuration which may better suit your needs is to use
>name-based virtual hosts rather than port-based ones, which will perforce
>ensure that the two versions don't share cookies.
[snip]
>Considering that the security release was made at the end of July, was
>targeted at supported *and* unsupported versions, and was heavily
>publicized, there is already a fair amount of negative data
"Name based" v. "port based", "Nasty side effects" and "negative data"
raise flags with me. I've just looked up bug 10657 which either blind-sides
me with science or baffles me with bull. "Storable" and references to
"checked for JSON-correctness and is ignored" are meaningless without context.
If there really is a security aspect, would someone please explain it?
OFF-LIST if need be.
Many thanks - Paul
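Added example, not part of the original message and not Koha code: browsers scope cookies by host name and path, not by port, so two instances on one host name with different ports receive each other's cookie, while instances on different host names do not share a host-only cookie. It uses Python's http.cookiejar as the browser-like client; the cookie name, host names, sample values and the JSON-list format accepted by the defensive reader are assumptions.

```python
import json
import urllib.parse
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar

COOKIE = "recent_searches"  # hypothetical cookie name, not taken from Koha


class FakeResponse:
    """Stand-in for an HTTP response that carries one Set-Cookie header."""
    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def browser_after_visit(origin, value):
    """Cookie jar after `origin` set a host-only cookie (no Domain attribute)."""
    jar = CookieJar()
    quoted = urllib.parse.quote(value, safe="")
    jar.extract_cookies(FakeResponse(f"{COOKIE}={quoted}; Path=/"),
                        urllib.request.Request(origin))
    return jar


def cookie_sent(jar, url):
    """Cookie header the client would send to `url`, or None if no cookie matches."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def read_history(cookie_header):
    """Defensive reader: accept only a JSON list, ignore any other cookie value."""
    if not cookie_header:
        return []
    pairs = dict(p.strip().split("=", 1)
                 for p in cookie_header.split(";") if "=" in p)
    try:
        data = json.loads(urllib.parse.unquote(pairs.get(COOKIE, "")))
    except ValueError:  # json.JSONDecodeError is a subclass of ValueError
        return []
    return data if isinstance(data, list) else []
```

A reader that validates the value before use, as `read_history` does, degrades to an empty history when it is handed a cookie written in another format by a different instance.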