[open-ils-commits] [GIT] Evergreen ILS branch rel_2_7 updated. a9fe81b813d8bc92b71a800e54e8ba8759c69df0

Evergreen Git git at git.evergreen-ils.org
Tue Mar 3 17:53:52 EST 2015


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, rel_2_7 has been updated
       via  a9fe81b813d8bc92b71a800e54e8ba8759c69df0 (commit)
       via  e2a16e576e443084493fc0c327fb8fb80a9e1c51 (commit)
       via  928094b536189fc2c7896d67ab6b97f3f241022b (commit)
      from  0a2fe2443981e28ff84a35d7a4188071f114a1fd (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit a9fe81b813d8bc92b71a800e54e8ba8759c69df0
Author: Jason Stephenson <jstephenson at mvlc.org>
Date:   Thu Feb 19 11:17:08 2015 -0500

    LP#1424755: Add IMPORTANT SECURITY INFORMATION release note.
    
    Signed-off-by: Jason Stephenson <jstephenson at mvlc.org>
    Signed-off-by: Galen Charlton <gmc at esilibrary.com>
    Signed-off-by: Ben Shum <bshum at biblio.org>

diff --git a/docs/RELEASE_NOTES_NEXT/security-bug-fix.txt b/docs/RELEASE_NOTES_NEXT/security-bug-fix.txt
new file mode 100644
index 0000000..03d83cd
--- /dev/null
+++ b/docs/RELEASE_NOTES_NEXT/security-bug-fix.txt
@@ -0,0 +1,9 @@
+IMPORTANT SECURITY INFORMATION
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+A serious security flaw that allows unauthorized remote access to
+organizational unit settings is fixed in the following releases of
+Evergreen: 2.5.9, 2.6.7, and 2.7.4.  All prior releases of Evergreen
+are vulnerable to exploitation of this flaw to reveal sensitive system
+information.  If you are running a vulnerable release of Evergreen you
+are *strongly* encouraged to upgrade to a non-vulnerable release as
+soon as possible.
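Review bot: The release note names the fixed releases (2.5.9, 2.6.7, 2.7.4) but never cites the bug id LP#1424755 that the commit subject carries; adding a line such as "See LP#1424755 for details" lets administrators find the tracker entry from the notes alone. It would also help to say which setting values are exposed (the commit message calls them "private org. unit settings") rather than the vaguer "sensitive system information", so readers can judge their own exposure.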

commit e2a16e576e443084493fc0c327fb8fb80a9e1c51
Author: Jason Stephenson <jstephenson at mvlc.org>
Date:   Wed Feb 18 16:28:31 2015 -0500

    LP#1424755: Org Unit Setting view permissions can be bypassed
    
    Fix private org. unit setting leakage by forcing the $auth argument
    to true if not passed in when open-ils.actor.ou_setting.ancestor_default
    or open-ils.actor.ou_setting.ancestor_default.batch are called.
    
    Other than a change to the desc of the public methods to reflect that
    they now check permissions if permissions are required, there are no
    required api changes to the back or the front ends.
    
    Signed-off-by: Jason Stephenson <jstephenson at mvlc.org>
    Signed-off-by: Galen Charlton <gmc at esilibrary.com>
    Signed-off-by: Ben Shum <bshum at biblio.org>

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
index be97787..742ecce 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
@@ -269,8 +269,9 @@ __PACKAGE__->register_method(
     method    => 'ou_ancestor_setting',
     signature => {
         desc => 'Get the org unit setting value associated with the setting name as seen from the specified org unit.  ' .
-                'IF AND ONLY IF an authentication token is provided, this method will make sure that the given '         .
-                'user has permission to view that setting, if there is a permission associated with the setting.'        ,
+                'This method will make sure that the given user has permission to view that setting, if there is a '     .
+                'permission associated with the setting.  If a permission is required and no authtoken is given, or '     .
+                'the user lacks the permisssion, undef will be returned.'       ,
         params => [
             { desc => 'Org unit ID',          type => 'number' },
             { desc => 'setting name',         type => 'string' },
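Review bot: Typo in the new desc text on the third added line: "permisssion" should be "permission". The rewritten desc correctly drops the old "IF AND ONLY IF an authentication token is provided" wording, which documented the very behaviour this change removes; the new sentence stating that undef is returned when a permission is required and no authtoken is given matches the `$auth ||= -1` default added further down in this file.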
@@ -289,6 +290,8 @@ __PACKAGE__->register_method(
 # ------------------------------------------------------------------
 sub ou_ancestor_setting {
     my( $self, $client, $orgid, $name, $auth ) = @_;
+    # Make sure $auth is set to something if not given.
+    $auth ||= -1;
     return $U->ou_ancestor_setting($orgid, $name, undef, $auth);
 }
 
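Review bot: The `$auth ||= -1;` default relies on `$U->ou_ancestor_setting` treating a defined-but-invalid token as a failed permission check rather than as "no token, skip the check"; that contract lives outside this hunk, so the comment should say so (for example "an invalid token forces the permission check to run and fail"), and a test that calls `ou_ancestor_setting` without `$auth` on a permission-guarded setting and asserts undef would keep a later change to the helper from silently reopening the leak. Using `||=` rather than `//=` also maps an empty-string or "0" token to -1, which is acceptable here since neither is a valid authtoken.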
@@ -297,8 +300,9 @@ __PACKAGE__->register_method(
     method    => 'ou_ancestor_setting_batch',
     signature => {
         desc => 'Get org unit setting name => value pairs for a list of names, as seen from the specified org unit.  ' .
-                'IF AND ONLY IF an authentication token is provided, this method will make sure that the given '       .
-                'user has permission to view that setting, if there is a permission associated with the setting.'      ,
+                'This method will make sure that the given user has permission to view that setting, if there is a '     .
+                'permission associated with the setting.  If a permission is required and no authtoken is given, or '     .
+                'the user lacks the permisssion, undef will be returned.'       ,
         params => [
             { desc => 'Org unit ID',          type => 'number' },
             { desc => 'setting name list',    type => 'array'  },
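Review bot: Same typo as in the single-setting desc: "permisssion" should be "permission". Since this method returns name => value pairs, the desc would be more precise if it said undef is returned "for that setting" rather than globally, as the implementation below still populates every key and only the guarded values come back undef.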
@@ -309,6 +313,8 @@ __PACKAGE__->register_method(
 );
 sub ou_ancestor_setting_batch {
     my( $self, $client, $orgid, $name_list, $auth ) = @_;
+    # Make sure $auth is set to something if not given.
+    $auth ||= -1;
     my %values;
     $values{$_} = $U->ou_ancestor_setting($orgid, $_, undef, $auth) for @$name_list;
     return \%values;
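Review bot: The `$auth ||= -1;` sentinel is now duplicated verbatim in `ou_ancestor_setting` and `ou_ancestor_setting_batch`; applying the default once inside `$U->ou_ancestor_setting` (or a shared wrapper both public methods call) would cover any other caller that omits `$auth` and avoid the two copies drifting apart. As written the batch loop passes the defaulted `$auth` on every iteration, so the fix is complete for these two entry points.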

commit 928094b536189fc2c7896d67ab6b97f3f241022b
Author: Jason Stephenson <jstephenson at mvlc.org>
Date:   Tue Feb 24 14:05:16 2015 -0500

    LP#1206589: Temporary Fix for Org. Unit Settings History Bug
    
    This commit makes two changes to the coustl IDL entry.
    
    1. It adds a retrieve permission of STAFF_LOGIN.  This at least
    requires someone with staff permission to be able to view settings
    history.
    
    2. It fixed the primary key field from date_applied to id.  The
    prior setting was just an outright error.
    
    NOTE: This is intended as a short term fix for the Library Settings
    Editor history feature.
    
    Signed-off-by: Jason Stephenson <jstephenson at mvlc.org>
    Signed-off-by: Ben Shum <bshum at biblio.org>

diff --git a/Open-ILS/examples/fm_IDL.xml b/Open-ILS/examples/fm_IDL.xml
index ec2086a..65debee 100644
--- a/Open-ILS/examples/fm_IDL.xml
+++ b/Open-ILS/examples/fm_IDL.xml
@@ -11083,7 +11083,7 @@ SELECT  usr,
 	</class>
 
 	<class id="coustl" controller="open-ils.cstore open-ils.pcrud" oils_obj:fieldmapper="config::org_unit_setting_type_log" oils_persist:tablename="config.org_unit_setting_type_log" reporter:label="Organizational Unit Setting Type Log">
-		<fields oils_persist:primary="date_applied" oils_persist:sequence="config.org_unit_setting_type_log_id_seq">
+		<fields oils_persist:primary="id" oils_persist:sequence="config.org_unit_setting_type_log_id_seq">
 			<field reporter:label="ID" name="id" reporter:datatype="id"/>
 			<field name="date_applied" reporter:datatype="timestamp"/>
 			<field name="org" reporter:datatype="org_unit"/>
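Review bot: Changing `oils_persist:primary` from "date_applied" to "id" is correct; the `oils_persist:sequence` attribute on the same line already names `config.org_unit_setting_type_log_id_seq`, which only makes sense with `id` as the key, and a timestamp is not guaranteed unique across rows. Worth confirming that the Library Settings Editor history code named in the commit message does not look up log rows by `date_applied` as a key, since retrieve calls keyed on the old primary will now resolve by `id`.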
@@ -11098,7 +11098,7 @@ SELECT  usr,
 		<permacrud xmlns="http://open-ils.org/spec/opensrf/IDL/permacrud/v1">
 			<actions>
 				<create permission="ADMIN_ORG_UNIT_SETTING_TYPE" context_field="org"/>
-				<retrieve/>
+				<retrieve permission="STAFF_LOGIN" context_field="org"/>
 				<update permission="ADMIN_ORG_UNIT_SETTING_TYPE_LOG" context_field="org"/>
 				<delete permission="ADMIN_ORG_UNIT_SETTING_TYPE_LOG" context_field="org"/>
 			</actions>
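Review bot: The removed `<retrieve/>` carried no permission attribute at all, so pcrud allowed any caller to read settings history; gating on STAFF_LOGIN with `context_field="org"` closes that, but STAFF_LOGIN is a very coarse gate compared with the ADMIN_ORG_UNIT_SETTING_TYPE_LOG permission used for update and delete in the same block. Since the commit message already calls this a short-term fix, it would be good to record the intended follow-up (a dedicated view permission for the log) in the bug so the interim choice is not forgotten, given that the history rows can expose the same org unit setting values the Actor.pm change protects.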

-----------------------------------------------------------------------

Summary of changes:
 Open-ILS/examples/fm_IDL.xml                       |    4 ++--
 .../src/perlmods/lib/OpenILS/Application/Actor.pm  |   14 ++++++++++----
 docs/RELEASE_NOTES_NEXT/security-bug-fix.txt       |    9 +++++++++
 3 files changed, 21 insertions(+), 6 deletions(-)
 create mode 100644 docs/RELEASE_NOTES_NEXT/security-bug-fix.txt


hooks/post-receive
-- 
Evergreen ILS

