[open-ils-commits] [GIT] Evergreen ILS branch master updated. 82ac0e6ea70f1b0b4607622b2c50b0b107b259b7
Evergreen Git
git at git.evergreen-ils.org
Thu Oct 3 10:49:50 EDT 2013
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".
The branch, master has been updated
via 82ac0e6ea70f1b0b4607622b2c50b0b107b259b7 (commit)
via df6f41af195619d6c35ec4014a2d9b21e86a9205 (commit)
via adf0af2ffb2b1d05b966af999a6ed53af16b8aef (commit)
via f6985d59d48f9816c2d520dd84fd8defb4988a88 (commit)
from e6617bd153b81bb330b5b0a71a11cc4840db14a4 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 82ac0e6ea70f1b0b4607622b2c50b0b107b259b7
Author: Galen Charlton <gmc at esilibrary.com>
Date: Thu Sep 26 14:24:42 2013 -0700
LP#1207281: require SSL when downloading offline patron list
This patch builds on the previous one by forcing use of
SSL for downloading the offline patron list. It also
updates the Apache 2.4 example configuration.
Signed-off-by: Galen Charlton <gmc at esilibrary.com>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
diff --git a/Open-ILS/examples/apache/eg_vhost.conf.in b/Open-ILS/examples/apache/eg_vhost.conf.in
index 6d5a18e..1de2212 100644
--- a/Open-ILS/examples/apache/eg_vhost.conf.in
+++ b/Open-ILS/examples/apache/eg_vhost.conf.in
@@ -488,6 +488,7 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
require valid-user
PerlSendHeader On
allow from all
+ SSLRequireSSL
</Location>
# ----------------------------------------------------------------------------------
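Review bot: SSLRequireSSL at the end of the /standalone/ Location block rejects plain-HTTP requests with a 403 rather than redirecting them, and mod_ssl's check runs in the access phase ahead of the PerlAuthenHandler, so a client that has already sent its Basic credentials over port 80 has exposed them on the wire even though the server refuses the request. The client-side switch to https:// in menu.js later in this commit is therefore the half that keeps staff credentials off clear-text HTTP; a comment next to the directive (or a sentence in the commit message) saying the two changes belong together would stop someone dropping one of them.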
diff --git a/Open-ILS/examples/apache_24/eg_vhost.conf.in b/Open-ILS/examples/apache_24/eg_vhost.conf.in
index 0d67b54..f530f29 100644
--- a/Open-ILS/examples/apache_24/eg_vhost.conf.in
+++ b/Open-ILS/examples/apache_24/eg_vhost.conf.in
@@ -480,6 +480,20 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
Require all granted
</Location>
+# ----------------------------------------------------------------------------------
+# Protect Standalone/Offline mode files from public view
+# ----------------------------------------------------------------------------------
+<Location /standalone/>
+ AuthType Basic
+ AuthName "Standalone Mode Login"
+ PerlOptions +GlobalRequest
+ PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
+ PerlAuthenHandler OpenILS::WWW::Proxy::Authen
+ require valid-user
+ PerlSendHeader On
+ allow from all
+ SSLRequireSSL
+</Location>
# ----------------------------------------------------------------------------------
# Reporting output lives here
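Review bot: the new Apache 2.4 block carries the 2.2-style `allow from all` directive, which in 2.4 only works through mod_access_compat and sits awkwardly beside the `Require all granted` form used in the block immediately above it; since `require valid-user` already states the access policy, drop the `allow from all` line (or convert it to the 2.4 form the rest of this file uses) so the example does not depend on a compatibility module being loaded.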
diff --git a/Open-ILS/xul/staff_client/chrome/content/main/menu.js b/Open-ILS/xul/staff_client/chrome/content/main/menu.js
index b69ebec..2f16bfd 100644
--- a/Open-ILS/xul/staff_client/chrome/content/main/menu.js
+++ b/Open-ILS/xul/staff_client/chrome/content/main/menu.js
@@ -1391,7 +1391,7 @@ main.menu.prototype = {
function() {
try {
var x = new XMLHttpRequest();
- var url = 'http://' + XML_HTTP_SERVER + '/standalone/list.txt';
+ var url = 'https://' + XML_HTTP_SERVER + '/standalone/list.txt';
x.open("GET",url,false);
x.send(null);
if (x.status == 200) {
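Review bot: with the URL now built as https://, this synchronous XMLHttpRequest fails whenever the staff client does not trust the server's certificate or the server refuses the request via SSLRequireSSL, and the visible `if (x.status == 200)` branch gives the operator nothing to go on in that case; consider handling the non-200 path explicitly (for example logging `x.status` together with the URL) so a certificate or vhost misconfiguration is distinguishable from an empty patron list.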
commit df6f41af195619d6c35ec4014a2d9b21e86a9205
Author: Michael Peters <mpeters at emeralddata.net>
Date: Tue Sep 24 16:57:37 2013 -0400
LP#1207281 Prevent download of offline patron list without authentication
This patch addresses the vulnerability which allowed a user with the proper
knowledge of the location of offline patron lists to download the file over
regular HTTP without any staff credentials.
This small addition to eg_vhost.conf.in will present users with a login prompt
when trying to access the /standalone/ subdirectory on an Evergreen server.
Users are able to download the patron list in the staff client as normal
because they already have obtained credentials during the normal staff client
authentication process.
Signed-off-by: Michael Peters <mpeters at emeralddata.net>
Signed-off-by: Galen Charlton <gmc at esilibrary.com>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
diff --git a/Open-ILS/examples/apache/eg_vhost.conf.in b/Open-ILS/examples/apache/eg_vhost.conf.in
index 8835b7e..6d5a18e 100644
--- a/Open-ILS/examples/apache/eg_vhost.conf.in
+++ b/Open-ILS/examples/apache/eg_vhost.conf.in
@@ -476,6 +476,19 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
allow from all
</Location>
+# ----------------------------------------------------------------------------------
+# Protect Standalone/Offline mode files from public view
+# ----------------------------------------------------------------------------------
+<Location /standalone/>
+ AuthType Basic
+ AuthName "Standalone Mode Login"
+ PerlOptions +GlobalRequest
+ PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
+ PerlAuthenHandler OpenILS::WWW::Proxy::Authen
+ require valid-user
+ PerlSendHeader On
+ allow from all
+</Location>
# ----------------------------------------------------------------------------------
# Reporting output lives here
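Review bot: the block puts Basic authentication in front of /standalone/ but nothing here limits it to TLS, so the STAFF_LOGIN credentials in the Authorization header travel in clear text whenever the staff client fetches list.txt over http://, which is exactly how the current menu.js code builds the URL; the SSL requirement added by the follow-up commit in this push should ship together with the authentication requirement rather than after it. Note also that only the apache/ example is touched here; apache_24/eg_vhost.conf.in gets the equivalent block in the next commit, so an Apache 2.4 site applying this patch on its own stays unprotected.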
commit adf0af2ffb2b1d05b966af999a6ed53af16b8aef
Author: Ben Shum <bshum at biblio.org>
Date: Thu Oct 11 22:04:30 2012 -0400
LP#1066141: add authtoken check and related permission for age to lost function
The SET_CIRC_LOST permission is now required in order to invoke
the open-ils.circ.circulation.age_to_lost method.
Signed-off-by: Ben Shum <bshum at biblio.org>
Signed-off-by: Galen Charlton <gmc at esilibrary.com>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Circ.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Circ.pm
index e07f173..76f1cb0 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Circ.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Circ.pm
@@ -259,6 +259,9 @@ __PACKAGE__->register_method(
sub staff_age_to_lost {
my( $self, $conn, $auth, $args ) = @_;
+ my $e = new_editor(authtoken=>$auth);
+ return $e->event unless $e->checkauth;
+ return $e->event unless $e->allowed('SET_CIRC_LOST', $args->{'circ_lib'});
my $orgs = $U->get_org_descendants($args->{'circ_lib'});
my $profiles = $U->fetch_permission_group_descendants($args->{'user_profile'});
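Review bot: `$e->allowed('SET_CIRC_LOST', $args->{'circ_lib'})` scopes the permission check to whatever circ_lib the caller supplies, and nothing in the hunk verifies that `$args->{'circ_lib'}` is present before it is used here and again in `get_org_descendants`; consider returning an error event when circ_lib is missing so the permission check cannot quietly fall back to a default org unit. The ordering itself is right: checkauth before allowed, and both before any data is read.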
commit f6985d59d48f9816c2d520dd84fd8defb4988a88
Author: Jason Stephenson <jason at sigio.com>
Date: Wed Jan 30 16:56:12 2013 -0500
Fix an omission in the log redaction configuration.
open-ils.actor.patron.password_reset.commit was omitted in the
<log_protect> block of opensrf_core.xml.example. This commit adds
it and updates the release notes for 2.3 to include it.
There is also a release notes file informing users that they need to
edit opensrf_core.xml to address this issue.
Signed-off-by: Jason Stephenson <jstephenson at mvlc.org>
Signed-off-by: Galen Charlton <gmc at esilibrary.com>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
diff --git a/Open-ILS/examples/opensrf_core.xml.example b/Open-ILS/examples/opensrf_core.xml.example
index 6e0d675..d2ec8eb 100644
--- a/Open-ILS/examples/opensrf_core.xml.example
+++ b/Open-ILS/examples/opensrf_core.xml.example
@@ -180,6 +180,7 @@ Example OpenSRF bootstrap configuration file for Evergreen
<match_string>open-ils.auth.authenticate.verify</match_string>
<match_string>open-ils.auth.authenticate.complete</match_string>
<match_string>open-ils.auth_proxy.login</match_string>
+ <match_string>open-ils.actor.patron.password_reset.commit</match_string>
<match_string>open-ils.actor.user.password</match_string>
<match_string>open-ils.actor.user.username</match_string>
<match_string>open-ils.actor.user.email</match_string>
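Review bot: adding open-ils.actor.patron.password_reset.commit to <log_protect> keeps the new password out of the parameter logging for that call, but as this block shows, redaction is keyed on the method name, so it is worth confirming that no wrapper or alias of the method reaches the log under another name and that the method does not log its own arguments internally; otherwise the entry is consistent with its neighbours.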
diff --git a/docs/RELEASE_NOTES_2_3.txt b/docs/RELEASE_NOTES_2_3.txt
index f6f2e5c..df35c62 100644
--- a/docs/RELEASE_NOTES_2_3.txt
+++ b/docs/RELEASE_NOTES_2_3.txt
@@ -21,6 +21,7 @@ in general activity logs, add the following XML chunk to the bottom of
<match_string>open-ils.auth.authenticate.verify</match_string>
<match_string>open-ils.auth.authenticate.complete</match_string>
<match_string>open-ils.auth_proxy.login</match_string>
+ <match_string>open-ils.actor.patron.password_reset.commit</match_string>
<match_string>open-ils.actor.user.password</match_string>
<match_string>open-ils.actor.user.username</match_string>
<match_string>open-ils.actor.user.email</match_string>
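Review bot: the same <match_string> list is now maintained in both opensrf_core.xml.example and RELEASE_NOTES_2_3.txt, and this very omission shows how easily the two copies drift; consider having the release notes point at the example file's <log_protect> block instead of duplicating it, so a future addition needs only one edit.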
diff --git a/docs/RELEASE_NOTES_NEXT/password_reset_commit_not_secure.txt b/docs/RELEASE_NOTES_NEXT/password_reset_commit_not_secure.txt
new file mode 100644
index 0000000..092d203
--- /dev/null
+++ b/docs/RELEASE_NOTES_NEXT/password_reset_commit_not_secure.txt
@@ -0,0 +1,9 @@
+The previous log protect redaction instructions missed a method used
+by the patron initiated password reset system. In order to fill this
+gap, you need to find the <log_protect> portion of your
+opensrf_core.xml file and add the following line:
+
+ <match_string>open-ils.actor.patron.password_reset.commit</match_string>
+
+You should see a number of similar lines already there in between
+<log_protect> and </log_protect>.
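Review bot: the upgrade note should state that the edit takes effect only once the OpenSRF services that read opensrf_core.xml have been restarted; as written, an administrator who adds the line and does nothing else will keep logging the password until the next restart. The pointer to the existing similar lines is enough for locating the block, so no further example is needed.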
-----------------------------------------------------------------------
Summary of changes:
Open-ILS/examples/apache/eg_vhost.conf.in | 14 ++++++++++++++
Open-ILS/examples/apache_24/eg_vhost.conf.in | 14 ++++++++++++++
Open-ILS/examples/opensrf_core.xml.example | 1 +
.../src/perlmods/lib/OpenILS/Application/Circ.pm | 3 +++
.../xul/staff_client/chrome/content/main/menu.js | 2 +-
docs/RELEASE_NOTES_2_3.txt | 1 +
.../password_reset_commit_not_secure.txt | 9 +++++++++
7 files changed, 43 insertions(+), 1 deletions(-)
create mode 100644 docs/RELEASE_NOTES_NEXT/password_reset_commit_not_secure.txt
hooks/post-receive
--
Evergreen ILS