[open-ils-commits] [GIT] Evergreen ILS branch rel_2_4 updated. 55459e8eab9b532694f6174dd7441f70107852ed
Evergreen Git
git at git.evergreen-ils.org
Thu Oct 3 10:54:42 EDT 2013
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".
The branch, rel_2_4 has been updated
via 55459e8eab9b532694f6174dd7441f70107852ed (commit)
via 51f96e23aa401f113925063e615b1935c01e1f40 (commit)
via c6785be15aa635b227113a0992a42e43cf5b2d79 (commit)
via d31bc6cb9c26ac48ca2f64bef2f09e320a7f2f89 (commit)
from dba5d6389d5e64ee3240d1a643415d8e595c9cbc (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 55459e8eab9b532694f6174dd7441f70107852ed
Author: Galen Charlton <gmc at esilibrary.com>
Date: Thu Sep 26 14:24:42 2013 -0700
LP#1207281: require SSL when downloading offline patron list
This patch builds on the previous one by forcing use of
SSL for downloading the offline patron list. It also
updates the Apache 2.4 example configuration.
Signed-off-by: Galen Charlton <gmc at esilibrary.com>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
Signed-off-by: Mike Rylander <mrylander at gmail.com>
diff --git a/Open-ILS/examples/apache/eg_vhost.conf.in b/Open-ILS/examples/apache/eg_vhost.conf.in
index d640191..b8b750c 100644
--- a/Open-ILS/examples/apache/eg_vhost.conf.in
+++ b/Open-ILS/examples/apache/eg_vhost.conf.in
@@ -499,6 +499,7 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
require valid-user
PerlSendHeader On
allow from all
+ SSLRequireSSL
</Location>
# ----------------------------------------------------------------------------------
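Review bot: SSLRequireSSL is the piece that was missing from the block added in 51f96e2 (below in this push): without it, Apache would still accept plain-HTTP requests to /standalone/ and the Basic credentials it demands would cross the wire base64-encoded in cleartext. With it, mod_ssl answers any non-TLS request with 403 rather than prompting for a login, so the client-side `https://` change in menu.js becomes enforced rather than advisory. One operational caveat: the directive is only recognised when mod_ssl is loaded for this vhost, and an unknown directive is a fatal config error, so sites upgrading should run `apachectl configtest` before restarting.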
diff --git a/Open-ILS/examples/apache_24/eg_vhost.conf.in b/Open-ILS/examples/apache_24/eg_vhost.conf.in
index f8537d4..eec9deb 100644
--- a/Open-ILS/examples/apache_24/eg_vhost.conf.in
+++ b/Open-ILS/examples/apache_24/eg_vhost.conf.in
@@ -491,6 +491,20 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
Require all granted
</Location>
+# ----------------------------------------------------------------------------------
+# Protect Standalone/Offline mode files from public view
+# ----------------------------------------------------------------------------------
+<Location /standalone/>
+ AuthType Basic
+ AuthName "Standalone Mode Login"
+ PerlOptions +GlobalRequest
+ PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
+ PerlAuthenHandler OpenILS::WWW::Proxy::Authen
+ require valid-user
+ PerlSendHeader On
+ allow from all
+ SSLRequireSSL
+</Location>
# ----------------------------------------------------------------------------------
# Reporting output lives here
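Review bot: this block copies the 2.2-style access directives into the Apache 2.4 example: `allow from all` is a mod_access_compat directive in 2.4, and the lowercase `require valid-user` sits two lines below the 2.4 idiom `Require all granted` already used in this file. Apache's 2.4 upgrade notes advise against mixing the compat directives with the new `Require` family because the combined result can be surprising. The equivalent 2.4 form is `Require valid-user` with the `allow from all` line dropped, which keeps the intent (authenticated staff only, over TLS) without depending on mod_access_compat being loaded.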
diff --git a/Open-ILS/xul/staff_client/chrome/content/main/menu.js b/Open-ILS/xul/staff_client/chrome/content/main/menu.js
index aab9000..1aa293f 100644
--- a/Open-ILS/xul/staff_client/chrome/content/main/menu.js
+++ b/Open-ILS/xul/staff_client/chrome/content/main/menu.js
@@ -1383,7 +1383,7 @@ main.menu.prototype = {
function() {
try {
var x = new XMLHttpRequest();
- var url = 'http://' + XML_HTTP_SERVER + '/standalone/list.txt';
+ var url = 'https://' + XML_HTTP_SERVER + '/standalone/list.txt';
x.open("GET",url,false);
x.send(null);
if (x.status == 200) {
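Review bot: switching the scheme to `https://` in the client is consistent with the commit's intent, but on its own it is advisory; the SSLRequireSSL added in the vhost hunks is what actually prevents a cleartext download. Two things to check: XML_HTTP_SERVER must name a host serving TLS (a value that includes a plain-HTTP port will now fail), and the synchronous `x.open("GET",url,false)` reports a certificate problem or the new 403 only as a non-200 status, so it would help to log or surface that status next to the `x.status == 200` check so a TLS misconfiguration at a site is diagnosable by staff rather than silently yielding no patron list.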
commit 51f96e23aa401f113925063e615b1935c01e1f40
Author: Michael Peters <mpeters at emeralddata.net>
Date: Tue Sep 24 16:57:37 2013 -0400
LP#1207281 Prevent download of offline patron list without authentication
This patch addresses the vulnerability which allowed a user with the proper
knowledge of the location of offline patron lists to download the file over
regular HTTP without any staff credentials.
This small addition to eg_vhost.conf.in will present users with a login prompt
when trying to access the /standalone/ subdirectory on an Evergreen server.
Users are able to download the patron list in the staff client as normal
because they already have obtained credentials during the normal staff client
authentication process.
Signed-off-by: Michael Peters <mpeters at emeralddata.net>
Signed-off-by: Galen Charlton <gmc at esilibrary.com>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
Signed-off-by: Mike Rylander <mrylander at gmail.com>
diff --git a/Open-ILS/examples/apache/eg_vhost.conf.in b/Open-ILS/examples/apache/eg_vhost.conf.in
index bf58315..d640191 100644
--- a/Open-ILS/examples/apache/eg_vhost.conf.in
+++ b/Open-ILS/examples/apache/eg_vhost.conf.in
@@ -487,6 +487,19 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
allow from all
</Location>
+# ----------------------------------------------------------------------------------
+# Protect Standalone/Offline mode files from public view
+# ----------------------------------------------------------------------------------
+<Location /standalone/>
+ AuthType Basic
+ AuthName "Standalone Mode Login"
+ PerlOptions +GlobalRequest
+ PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
+ PerlAuthenHandler OpenILS::WWW::Proxy::Authen
+ require valid-user
+ PerlSendHeader On
+ allow from all
+</Location>
# ----------------------------------------------------------------------------------
# Reporting output lives here
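Review bot: this closes the unauthenticated download, but as written the block enforces HTTP Basic auth without requiring TLS, so a staff login entered at this prompt is sent base64-encoded in cleartext and the patron list itself is still served over plain HTTP. The follow-up commit 55459e8 in this same push adds `SSLRequireSSL` for exactly this reason and the two should be applied together. Also note that only the Apache 2.2 example is changed here; the apache_24 example is left without the block, so 2.4 sites would remain exposed until the follow-up commit, which adds it there.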
commit c6785be15aa635b227113a0992a42e43cf5b2d79
Author: Ben Shum <bshum at biblio.org>
Date: Thu Oct 11 22:04:30 2012 -0400
LP#1066141: add authtoken check and related permission for age to lost function
The SET_CIRC_LOST permission is now required in order to invoke
the open-ils.circ.circulation.age_to_lost method.
Signed-off-by: Ben Shum <bshum at biblio.org>
Signed-off-by: Galen Charlton <gmc at esilibrary.com>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
Signed-off-by: Mike Rylander <mrylander at gmail.com>
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Circ.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Circ.pm
index 5549fec..cc64bcd 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Circ.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Circ.pm
@@ -259,6 +259,9 @@ __PACKAGE__->register_method(
sub staff_age_to_lost {
my( $self, $conn, $auth, $args ) = @_;
+ my $e = new_editor(authtoken=>$auth);
+ return $e->event unless $e->checkauth;
+ return $e->event unless $e->allowed('SET_CIRC_LOST', $args->{'circ_lib'});
my $orgs = $U->get_org_descendants($args->{'circ_lib'});
my $profiles = $U->fetch_permission_group_descendants($args->{'user_profile'});
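Review bot: the `allowed('SET_CIRC_LOST', $args->{'circ_lib'})` check correctly scopes the permission to the org unit the method acts on, but nothing here rejects a request whose `circ_lib` is missing or malformed; in that case the permission is evaluated against whatever default the editor falls back to rather than failing closed. Consider returning an error event when `$args->{'circ_lib'}` is absent before calling `allowed`. The `register_method` block that the hunk header points at should also document that the authtoken is now mandatory, if its signature description does not already say so.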
commit d31bc6cb9c26ac48ca2f64bef2f09e320a7f2f89
Author: Jason Stephenson <jason at sigio.com>
Date: Wed Jan 30 16:56:12 2013 -0500
Fix an omission in the log redaction configuration.
open-ils.actor.patron.password_reset.commit was omitted in the
<log_protect> block of opensrf_core.xml.example. This commit adds
it and updates the release notes for 2.3 to include it.
There is also a release notes file informing users that they need to
edit opensrf_core.xml to address this issue.
Signed-off-by: Jason Stephenson <jstephenson at mvlc.org>
Signed-off-by: Galen Charlton <gmc at esilibrary.com>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
Signed-off-by: Mike Rylander <mrylander at gmail.com>
diff --git a/Open-ILS/examples/opensrf_core.xml.example b/Open-ILS/examples/opensrf_core.xml.example
index 6e0d675..d2ec8eb 100644
--- a/Open-ILS/examples/opensrf_core.xml.example
+++ b/Open-ILS/examples/opensrf_core.xml.example
@@ -180,6 +180,7 @@ Example OpenSRF bootstrap configuration file for Evergreen
<match_string>open-ils.auth.authenticate.verify</match_string>
<match_string>open-ils.auth.authenticate.complete</match_string>
<match_string>open-ils.auth_proxy.login</match_string>
+ <match_string>open-ils.actor.patron.password_reset.commit</match_string>
<match_string>open-ils.actor.user.password</match_string>
<match_string>open-ils.actor.user.username</match_string>
<match_string>open-ils.actor.user.email</match_string>
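Review bot: good catch, since the patron-initiated reset commit call carries the new password as a parameter and would otherwise be written to the activity logs in full; this is the same class of method as the surrounding `open-ils.actor.user.password` entry. The omission suggests the list was assembled by hand, so it is worth a quick sweep of the other methods that accept a password or token to confirm none are still missing.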
diff --git a/docs/RELEASE_NOTES_2_3.txt b/docs/RELEASE_NOTES_2_3.txt
index f6f2e5c..df35c62 100644
--- a/docs/RELEASE_NOTES_2_3.txt
+++ b/docs/RELEASE_NOTES_2_3.txt
@@ -21,6 +21,7 @@ in general activity logs, add the following XML chunk to the bottom of
<match_string>open-ils.auth.authenticate.verify</match_string>
<match_string>open-ils.auth.authenticate.complete</match_string>
<match_string>open-ils.auth_proxy.login</match_string>
+ <match_string>open-ils.actor.patron.password_reset.commit</match_string>
<match_string>open-ils.actor.user.password</match_string>
<match_string>open-ils.actor.user.username</match_string>
<match_string>open-ils.actor.user.email</match_string>
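Review bot: with this change the same `<log_protect>` list is maintained verbatim in three places (opensrf_core.xml.example, these 2.3 release notes, and the new RELEASE_NOTES_NEXT file), which is how the omission fixed here slipped through in the first place. Consider having the release notes point at the `<log_protect>` block in opensrf_core.xml.example rather than duplicating it, so a future addition only needs to land in one file.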
diff --git a/docs/RELEASE_NOTES_NEXT/password_reset_commit_not_secure.txt b/docs/RELEASE_NOTES_NEXT/password_reset_commit_not_secure.txt
new file mode 100644
index 0000000..092d203
--- /dev/null
+++ b/docs/RELEASE_NOTES_NEXT/password_reset_commit_not_secure.txt
@@ -0,0 +1,9 @@
+The previous log protect redaction instructions missed a method used
+by the patron initiated password reset system. In order to fill this
+gap, you need to find the <log_protect> portion of your
+opensrf_core.xml file and add the following line:
+
+ <match_string>open-ils.actor.patron.password_reset.commit</match_string>
+
+You should see a number of similar lines already there in between
+<log_protect> and </log_protect>.
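Review bot: the note tells administrators which line to add but not that OpenSRF services must be restarted for the change to take effect (opensrf_core.xml is read when the services start, so running processes keep the old list), nor that redaction only affects future log lines: any passwords already written to existing activity logs by the reset method are still there and should be rotated out or purged. Adding both points would make the upgrade step complete.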
-----------------------------------------------------------------------
Summary of changes:
Open-ILS/examples/apache/eg_vhost.conf.in | 14 ++++++++++++++
Open-ILS/examples/apache_24/eg_vhost.conf.in | 14 ++++++++++++++
Open-ILS/examples/opensrf_core.xml.example | 1 +
.../src/perlmods/lib/OpenILS/Application/Circ.pm | 3 +++
.../xul/staff_client/chrome/content/main/menu.js | 2 +-
docs/RELEASE_NOTES_2_3.txt | 1 +
.../password_reset_commit_not_secure.txt | 9 +++++++++
7 files changed, 43 insertions(+), 1 deletions(-)
create mode 100644 docs/RELEASE_NOTES_NEXT/password_reset_commit_not_secure.txt
hooks/post-receive
--
Evergreen ILS