[open-ils-commits] [GIT] Evergreen ILS branch rel_2_3 updated. a6e64bfe9ebd5d8512b490f757a09cf848e18805

Evergreen Git git at git.evergreen-ils.org
Thu Oct 3 10:55:04 EDT 2013


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, rel_2_3 has been updated
       via  a6e64bfe9ebd5d8512b490f757a09cf848e18805 (commit)
       via  a97d5e0c87369a3ed9d23abf010ec368e8460e18 (commit)
       via  caa65873f6fa5e20b4a5bde84af3b4748bc3745a (commit)
       via  e8d713ddb980400998e30884f3443221e1662d8e (commit)
      from  9f35cdfbcde7abb2d76d73ca65aff4b736addc48 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit a6e64bfe9ebd5d8512b490f757a09cf848e18805
Author: Galen Charlton <gmc at esilibrary.com>
Date:   Thu Sep 26 14:24:42 2013 -0700

    LP#1207281: require SSL when downloading offline patron list
    
    This patch builds on the previous one by forcing use of
    SSL for downloading the offline patron list.
    
    Signed-off-by: Galen Charlton <gmc at esilibrary.com>
    Signed-off-by: Bill Erickson <berick at esilibrary.com>

diff --git a/Open-ILS/examples/apache/eg_vhost.conf b/Open-ILS/examples/apache/eg_vhost.conf
index b437767..50e4986 100644
--- a/Open-ILS/examples/apache/eg_vhost.conf
+++ b/Open-ILS/examples/apache/eg_vhost.conf
@@ -455,6 +455,7 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
     require valid-user
     PerlSendHeader On
     allow from all
+    SSLRequireSSL
 </Location>
 
 # ----------------------------------------------------------------------------------
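Review bot: `SSLRequireSSL` makes Apache answer plain-HTTP requests for `/standalone/` with 403 before the Basic challenge from `require valid-user` is issued, which is what keeps the staff credentials off the wire; that only holds if the vhost that includes `eg_vhost.conf` is actually served with `SSLEngine on`, and any staff client still building an `http://` URL will now get a hard 403 rather than a prompt. Suggest the commit message or release notes state explicitly that this server change and the `menu.js` change in the same commit must be deployed together.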
diff --git a/Open-ILS/xul/staff_client/chrome/content/main/menu.js b/Open-ILS/xul/staff_client/chrome/content/main/menu.js
index de871cd..d9db611 100644
--- a/Open-ILS/xul/staff_client/chrome/content/main/menu.js
+++ b/Open-ILS/xul/staff_client/chrome/content/main/menu.js
@@ -1320,7 +1320,7 @@ main.menu.prototype = {
                 function() {
                     try {
                         var x = new XMLHttpRequest();
-                        var url = 'http://' + XML_HTTP_SERVER + '/standalone/list.txt';
+                        var url = 'https://' + XML_HTTP_SERVER + '/standalone/list.txt';
                         x.open("GET",url,false);
                         x.send(null);
                         if (x.status == 200) {
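Review bot: only the `x.status == 200` branch is visible here; with the server now returning 403 for non-SSL access and 401 for missing credentials, confirm the non-200 path reports `x.status` to the operator instead of silently producing no patron list. Also, `x.open("GET",url,false)` is a synchronous request on the UI thread, so a stalled TLS handshake freezes the staff client; consider an asynchronous request with an error callback.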

commit a97d5e0c87369a3ed9d23abf010ec368e8460e18
Author: Michael Peters <mpeters at emeralddata.net>
Date:   Tue Sep 24 16:57:37 2013 -0400

    LP#1207281 Prevent download of offline patron list without authentication
    
    This patch addresses the vulnerability which allowed a user with the proper
    knowledge of the location of offline patron lists to download the file over
    regular HTTP without any staff credentials.
    
    This small addition to eg_vhost.conf.in will present users with a login prompt
    when trying to access the /standalone/ subdirectory on an Evergreen server.
    
    Users are able to download the patron list in the staff client as normal
    because they already have obtained credentials during the normal staff client
    authentication process.
    
    Signed-off-by: Michael Peters <mpeters at emeralddata.net>
    Signed-off-by: Galen Charlton <gmc at esilibrary.com>
    Signed-off-by: Bill Erickson <berick at esilibrary.com>

diff --git a/Open-ILS/examples/apache/eg_vhost.conf b/Open-ILS/examples/apache/eg_vhost.conf
index b797832..b437767 100644
--- a/Open-ILS/examples/apache/eg_vhost.conf
+++ b/Open-ILS/examples/apache/eg_vhost.conf
@@ -443,6 +443,19 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
     allow from all
 </Location>
 
+# ----------------------------------------------------------------------------------
+# Protect Standalone/Offline mode files from public view
+# ----------------------------------------------------------------------------------
+<Location /standalone/>
+    AuthType Basic
+    AuthName "Standalone Mode Login"
+    PerlOptions +GlobalRequest
+    PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
+    PerlAuthenHandler OpenILS::WWW::Proxy::Authen
+    require valid-user
+    PerlSendHeader On
+    allow from all
+</Location>
 
 # ----------------------------------------------------------------------------------
 # Reporting output lives here
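Review bot: this block collects Basic credentials (`AuthType Basic`, `require valid-user`) with nothing in the block forcing TLS, so a staff login can be sent in cleartext to `/standalone/` over plain HTTP; add `SSLRequireSSL` in the same block. Separately, the commit message refers to `eg_vhost.conf.in` while the diff changes `Open-ILS/examples/apache/eg_vhost.conf`; the message should name the file actually touched.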

commit caa65873f6fa5e20b4a5bde84af3b4748bc3745a
Author: Ben Shum <bshum at biblio.org>
Date:   Thu Oct 11 22:04:30 2012 -0400

    LP#1066141: add authtoken check and related permission for age to lost function
    
    The SET_CIRC_LOST permission is now required in order to invoke
    the open-ils.circ.circulation.age_to_lost method.
    
    Signed-off-by: Ben Shum <bshum at biblio.org>
    Signed-off-by: Galen Charlton <gmc at esilibrary.com>
    Signed-off-by: Bill Erickson <berick at esilibrary.com>

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Circ.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Circ.pm
index 5c2a754..902cfef 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Circ.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Circ.pm
@@ -269,6 +269,9 @@ __PACKAGE__->register_method(
 
 sub staff_age_to_lost {
     my( $self, $conn, $auth, $args ) = @_;
+    my $e = new_editor(authtoken=>$auth);
+    return $e->event unless $e->checkauth;
+    return $e->event unless $e->allowed('SET_CIRC_LOST', $args->{'circ_lib'});
 
     my $orgs = $U->get_org_descendants($args->{'circ_lib'});
     my $profiles = $U->fetch_permission_group_descendants($args->{'user_profile'});
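Review bot: the `allowed('SET_CIRC_LOST', $args->{'circ_lib'})` check runs before anything verifies that `$args->{'circ_lib'}` is present, yet the next line passes it to `$U->get_org_descendants`; an undefined org lets the permission check fall through to whatever default the editor applies rather than the library the caller intends to act on. Suggest returning a bad-parameters event when `circ_lib` is missing, before the permission check, and updating the `register_method` signature above (`@@ -269`) to document that an authtoken is now the first argument.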

commit e8d713ddb980400998e30884f3443221e1662d8e
Author: Jason Stephenson <jason at sigio.com>
Date:   Wed Jan 30 16:56:12 2013 -0500

    Fix an omission in the log redaction configuration.
    
    open-ils.actor.patron.password_reset.commit was omitted in the
    <log_protect> block of opensrf_core.xml.example.  This commit adds
    it and updates the release notes for 2.3 to include it.
    
    There is also a release notes file informing users that they need to
    edit opensrf_core.xml to address this issue.
    
    Signed-off-by: Jason Stephenson <jstephenson at mvlc.org>
    Signed-off-by: Galen Charlton <gmc at esilibrary.com>
    Signed-off-by: Bill Erickson <berick at esilibrary.com>

diff --git a/Open-ILS/examples/opensrf_core.xml.example b/Open-ILS/examples/opensrf_core.xml.example
index 7bc022f..76cacf1 100644
--- a/Open-ILS/examples/opensrf_core.xml.example
+++ b/Open-ILS/examples/opensrf_core.xml.example
@@ -179,6 +179,7 @@ Example OpenSRF bootstrap configuration file for Evergreen
       <match_string>open-ils.auth.authenticate.verify</match_string>
       <match_string>open-ils.auth.authenticate.complete</match_string>
       <match_string>open-ils.auth_proxy.login</match_string>
+      <match_string>open-ils.actor.patron.password_reset.commit</match_string>
       <match_string>open-ils.actor.user.password</match_string>
       <match_string>open-ils.actor.user.username</match_string>
       <match_string>open-ils.actor.user.email</match_string>
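Review bot: the new entry sits between `auth_proxy.login` and `actor.user.password`, consistent with the surrounding list; since the same `<log_protect>` list is mirrored verbatim in `docs/RELEASE_NOTES_2_3.txt`, a short XML comment above this block pointing at the release note would help keep the two copies in sync the next time a credential-bearing method is added.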
diff --git a/docs/RELEASE_NOTES_2_3.txt b/docs/RELEASE_NOTES_2_3.txt
index f6f2e5c..df35c62 100644
--- a/docs/RELEASE_NOTES_2_3.txt
+++ b/docs/RELEASE_NOTES_2_3.txt
@@ -21,6 +21,7 @@ in general activity logs, add the following XML chunk to the bottom of
       <match_string>open-ils.auth.authenticate.verify</match_string>
       <match_string>open-ils.auth.authenticate.complete</match_string>
       <match_string>open-ils.auth_proxy.login</match_string>
+      <match_string>open-ils.actor.patron.password_reset.commit</match_string>
       <match_string>open-ils.actor.user.password</match_string>
       <match_string>open-ils.actor.user.username</match_string>
       <match_string>open-ils.actor.user.email</match_string>
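Review bot: amending the 2.3 release notes after the fact only helps sites that have not yet pasted this chunk; anyone who applied the earlier version of the block will not see the new line unless they also read the separate `RELEASE_NOTES_NEXT` file. Suggest a one-line pointer here ("if you added this block before this change, add the `password_reset.commit` line") so the fix is discoverable from both places.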
diff --git a/docs/RELEASE_NOTES_NEXT/password_reset_commit_not_secure.txt b/docs/RELEASE_NOTES_NEXT/password_reset_commit_not_secure.txt
new file mode 100644
index 0000000..092d203
--- /dev/null
+++ b/docs/RELEASE_NOTES_NEXT/password_reset_commit_not_secure.txt
@@ -0,0 +1,9 @@
+The previous log protect redaction instructions missed a method used
+by the patron initiated password reset system.  In order to fill this
+gap, you need to find the <log_protect> portion of your
+opensrf_core.xml file and add the following line:
+
+      <match_string>open-ils.actor.patron.password_reset.commit</match_string>
+
+You should see a number of similar lines already there in between
+<log_protect> and </log_protect>.
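Review bot: the note tells administrators where to add the line but not that OpenSRF services read `opensrf_core.xml` at startup, so the added redaction only takes effect after the services are restarted; add that step. Also, "The previous log protect redaction instructions" would be clearer with a reference to the document it means (`docs/RELEASE_NOTES_2_3.txt`).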

-----------------------------------------------------------------------

Summary of changes:
 Open-ILS/examples/apache/eg_vhost.conf             |   14 ++++++++++++++
 Open-ILS/examples/opensrf_core.xml.example         |    1 +
 .../src/perlmods/lib/OpenILS/Application/Circ.pm   |    3 +++
 .../xul/staff_client/chrome/content/main/menu.js   |    2 +-
 docs/RELEASE_NOTES_2_3.txt                         |    1 +
 .../password_reset_commit_not_secure.txt           |    9 +++++++++
 6 files changed, 29 insertions(+), 1 deletions(-)
 create mode 100644 docs/RELEASE_NOTES_NEXT/password_reset_commit_not_secure.txt


hooks/post-receive
-- 
Evergreen ILS

