[open-ils-commits] [GIT] Evergreen ILS branch rel_2_6 updated. 2ed6cb0a76bd9df156e7f1350af95167f0dbbe24

Evergreen Git git at git.evergreen-ils.org
Tue Mar 3 17:55:35 EST 2015


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, rel_2_6 has been updated
       via  2ed6cb0a76bd9df156e7f1350af95167f0dbbe24 (commit)
       via  e62f3e9745858ab06e849240f29a0d8b9bd8fd2e (commit)
       via  c34ffd35bbc717abd326532f70403b78b5e34e2b (commit)
      from  9fac38cc9cb52faf4038b04ebbe2389c60e64b22 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 2ed6cb0a76bd9df156e7f1350af95167f0dbbe24
Author: Jason Stephenson <jstephenson at mvlc.org>
Date:   Thu Feb 19 11:17:08 2015 -0500

    LP#1424755: Add IMPORTANT SECURITY INFORMATION release note.
    
    Signed-off-by: Jason Stephenson <jstephenson at mvlc.org>
    Signed-off-by: Galen Charlton <gmc at esilibrary.com>
    Signed-off-by: Ben Shum <bshum at biblio.org>

diff --git a/docs/RELEASE_NOTES_NEXT/security-bug-fix.txt b/docs/RELEASE_NOTES_NEXT/security-bug-fix.txt
new file mode 100644
index 0000000..03d83cd
--- /dev/null
+++ b/docs/RELEASE_NOTES_NEXT/security-bug-fix.txt
@@ -0,0 +1,9 @@
+IMPORTANT SECURITY INFORMATION
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+A serious security flaw that allows unauthorized remote access to
+organizational unit settings is fixed in the following releases of
+Evergreen: 2.5.9, 2.6.7, and 2.7.4.  All prior releases of Evergreen
+are vulnerable to exploitation of this flaw to reveal sensitive system
+information.  If you are running a vulnerable release of Evergreen you
+are *strongly* encouraged to upgrade to a non-vulnerable release as
+soon as possible.
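Review bot: the release note does not name the bug (LP#1424755) or the affected API calls (open-ils.actor.ou_setting.ancestor_default and its .batch variant, per the sibling commit), so an administrator reading only this note cannot tell which service is exposed or confirm that the upgrade alone, with no configuration change, is sufficient. Suggest adding one sentence with the bug reference and a note that no API or client changes are required, which the fix commit's message already states.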

commit e62f3e9745858ab06e849240f29a0d8b9bd8fd2e
Author: Jason Stephenson <jstephenson at mvlc.org>
Date:   Wed Feb 18 16:28:31 2015 -0500

    LP#1424755: Org Unit Setting view permissions can be bypassed
    
    Fix private org. unit setting leakage by forcing the $auth argument
    to true if not passed in when open-ils.actor.ou_setting.ancestor_default
    or open-ils.actor.ou_setting.ancestor_default.batch are called.
    
    Other than a change to the desc of the public methods to reflect that
    they now check permissions if permissions are required, there are no
    required api changes to the back or the front ends.
    
    Signed-off-by: Jason Stephenson <jstephenson at mvlc.org>
    Signed-off-by: Galen Charlton <gmc at esilibrary.com>
    Signed-off-by: Ben Shum <bshum at biblio.org>

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
index 9c9efc4..1fc1750 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
@@ -269,8 +269,9 @@ __PACKAGE__->register_method(
     method    => 'ou_ancestor_setting',
     signature => {
         desc => 'Get the org unit setting value associated with the setting name as seen from the specified org unit.  ' .
-                'IF AND ONLY IF an authentication token is provided, this method will make sure that the given '         .
-                'user has permission to view that setting, if there is a permission associated with the setting.'        ,
+                'This method will make sure that the given user has permission to view that setting, if there is a '     .
+                'permission associated with the setting.  If a permission is required and no authtoken is given, or '     .
+                'the user lacks the permisssion, undef will be returned.'       ,
         params => [
             { desc => 'Org unit ID',          type => 'number' },
             { desc => 'setting name',         type => 'string' },
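Review bot: the new desc text misspells "permission" as "permisssion" on its last added line; worth fixing before release since this string is what API consumers see in the method signature. The rewritten description is otherwise an improvement, as it drops the "IF AND ONLY IF an authentication token is provided" wording that documented the bypass.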
@@ -289,6 +290,8 @@ __PACKAGE__->register_method(
 # ------------------------------------------------------------------
 sub ou_ancestor_setting {
     my( $self, $client, $orgid, $name, $auth ) = @_;
+    # Make sure $auth is set to something if not given.
+    $auth ||= -1;
     return $U->ou_ancestor_setting($orgid, $name, undef, $auth);
 }
 
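Review bot: the comment "Make sure $auth is set to something if not given" does not say why -1 was chosen, and `||=` also replaces a defined-but-false token (empty string or "0"), not only a missing one. Suggest the comment state the intent explicitly, e.g. "Default to an invalid token so that the permission check in $U->ou_ancestor_setting fails closed for permission-gated settings", since the fix depends entirely on the downstream routine treating -1 as an unauthenticated caller rather than skipping the check.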
@@ -297,8 +300,9 @@ __PACKAGE__->register_method(
     method    => 'ou_ancestor_setting_batch',
     signature => {
         desc => 'Get org unit setting name => value pairs for a list of names, as seen from the specified org unit.  ' .
-                'IF AND ONLY IF an authentication token is provided, this method will make sure that the given '       .
-                'user has permission to view that setting, if there is a permission associated with the setting.'      ,
+                'This method will make sure that the given user has permission to view that setting, if there is a '     .
+                'permission associated with the setting.  If a permission is required and no authtoken is given, or '     .
+                'the user lacks the permisssion, undef will be returned.'       ,
         params => [
             { desc => 'Org unit ID',          type => 'number' },
             { desc => 'setting name list',    type => 'array'  },
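Review bot: same "permisssion" typo as in the single-setting desc above, and the sentence "undef will be returned" is inaccurate for the batch method, which (per its body) always returns a hash reference and places undef only in the entries for names the caller may not view. Suggest wording the batch desc as "the value for that setting name will be undef" so callers do not test the whole return value for definedness.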
@@ -309,6 +313,8 @@ __PACKAGE__->register_method(
 );
 sub ou_ancestor_setting_batch {
     my( $self, $client, $orgid, $name_list, $auth ) = @_;
+    # Make sure $auth is set to something if not given.
+    $auth ||= -1;
     my %values;
     $values{$_} = $U->ou_ancestor_setting($orgid, $_, undef, $auth) for @$name_list;
     return \%values;
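Review bot: the `$auth ||= -1;` default is now duplicated verbatim in two subs with an identical comment; a small shared helper or a named constant for the invalid-token sentinel would keep any future caller of $U->ou_ancestor_setting on the same fail-closed path and avoid the two copies drifting. Note also that one invalid or missing token yields undef for every permission-gated name in the list while ungated names still return values, which is the intended behaviour but should be spelled out in the desc.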

commit c34ffd35bbc717abd326532f70403b78b5e34e2b
Author: Jason Stephenson <jstephenson at mvlc.org>
Date:   Tue Feb 24 14:05:16 2015 -0500

    LP#1206589: Temporary Fix for Org. Unit Settings History Bug
    
    This commit makes two changes to the coustl IDL entry.
    
    1. It adds a retrieve permission of STAFF_LOGIN.  This at least
    requires someone with staff permission to be able to view settings
    history.
    
    2. It fixes the primary key field from date_applied to id.  The
    prior setting was just an outright error.
    
    NOTE: This is intended as a short term fix for the Library Settings
    Editor history feature.
    
    Signed-off-by: Jason Stephenson <jstephenson at mvlc.org>
    Signed-off-by: Ben Shum <bshum at biblio.org>

diff --git a/Open-ILS/examples/fm_IDL.xml b/Open-ILS/examples/fm_IDL.xml
index 0bb934c..9927f56 100644
--- a/Open-ILS/examples/fm_IDL.xml
+++ b/Open-ILS/examples/fm_IDL.xml
@@ -10943,7 +10943,7 @@ SELECT  usr,
 	</class>
 
 	<class id="coustl" controller="open-ils.cstore open-ils.pcrud" oils_obj:fieldmapper="config::org_unit_setting_type_log" oils_persist:tablename="config.org_unit_setting_type_log" reporter:label="Organizational Unit Setting Type Log">
-		<fields oils_persist:primary="date_applied" oils_persist:sequence="config.org_unit_setting_type_log_id_seq">
+		<fields oils_persist:primary="id" oils_persist:sequence="config.org_unit_setting_type_log_id_seq">
 			<field reporter:label="ID" name="id" reporter:datatype="id"/>
 			<field name="date_applied" reporter:datatype="timestamp"/>
 			<field name="org" reporter:datatype="org_unit"/>
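Review bot: the corrected oils_persist:primary="id" now agrees with the oils_persist:sequence "config.org_unit_setting_type_log_id_seq" on the same line and with the `id` field declared immediately below, whereas a timestamp primary key was inconsistent with an id sequence. The commit message calls the old value "an outright error" but not what it broke; one sentence on the observed symptom would help anyone backporting this.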
@@ -10958,7 +10958,7 @@ SELECT  usr,
 		<permacrud xmlns="http://open-ils.org/spec/opensrf/IDL/permacrud/v1">
 			<actions>
 				<create permission="ADMIN_ORG_UNIT_SETTING_TYPE" context_field="org"/>
-				<retrieve/>
+				<retrieve permission="STAFF_LOGIN" context_field="org"/>
 				<update permission="ADMIN_ORG_UNIT_SETTING_TYPE_LOG" context_field="org"/>
 				<delete permission="ADMIN_ORG_UNIT_SETTING_TYPE_LOG" context_field="org"/>
 			</actions>
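Review bot: the new retrieve permission STAFF_LOGIN is far weaker than the ADMIN_ORG_UNIT_SETTING_TYPE_LOG permission required for update and delete on the adjacent lines, so any staff account at the context org can read the settings-change history even though viewing the current setting values is permission-gated by the sibling commit. The commit message already labels this a short-term fix; suggest recording the follow-up (aligning retrieve with the per-setting view permissions) against LP#1206589 so the gap is not forgotten.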

-----------------------------------------------------------------------

Summary of changes:
 Open-ILS/examples/fm_IDL.xml                       |    4 ++--
 .../src/perlmods/lib/OpenILS/Application/Actor.pm  |   14 ++++++++++----
 docs/RELEASE_NOTES_NEXT/security-bug-fix.txt       |    9 +++++++++
 3 files changed, 21 insertions(+), 6 deletions(-)
 create mode 100644 docs/RELEASE_NOTES_NEXT/security-bug-fix.txt


hooks/post-receive
-- 
Evergreen ILS