[open-ils-commits] [GIT] Evergreen ILS branch rel_2_5 updated. 11da998ef6d37ac2f0184555d9b4fdeb96f5ea67
Evergreen Git
git at git.evergreen-ils.org
Tue Mar 3 17:56:21 EST 2015
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".
The branch, rel_2_5 has been updated
via 11da998ef6d37ac2f0184555d9b4fdeb96f5ea67 (commit)
via c74ac7878b901fa89e904b105907b5bb2d10639c (commit)
via e19eb6c864419474e97ef2a752a634ac991b0bbf (commit)
from c787b591d83be8880247966d4604478b04d6cb5a (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 11da998ef6d37ac2f0184555d9b4fdeb96f5ea67
Author: Jason Stephenson <jstephenson at mvlc.org>
Date: Thu Feb 19 11:17:08 2015 -0500
LP#1424755: Add IMPORTANT SECURITY INFORMATION release note.
Signed-off-by: Jason Stephenson <jstephenson at mvlc.org>
Signed-off-by: Galen Charlton <gmc at esilibrary.com>
Signed-off-by: Ben Shum <bshum at biblio.org>
diff --git a/docs/RELEASE_NOTES_NEXT/security-bug-fix.txt b/docs/RELEASE_NOTES_NEXT/security-bug-fix.txt
new file mode 100644
index 0000000..03d83cd
--- /dev/null
+++ b/docs/RELEASE_NOTES_NEXT/security-bug-fix.txt
@@ -0,0 +1,9 @@
+IMPORTANT SECURITY INFORMATION
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+A serious security flaw that allows unauthorized remote access to
+organizational unit settings is fixed in the following releases of
+Evergreen: 2.5.9, 2.6.7, and 2.7.4. All prior releases of Evergreen
+are vulnerable to exploitation of this flaw to reveal sensitive system
+information. If you are running a vulnerable release of Evergreen you
+are *strongly* encouraged to upgrade to a non-vulnerable release as
+soon as possible.
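Review bot: the release note does not name the affected interface or the bug it fixes; administrators assessing exposure would want the affected methods (open-ils.actor.ou_setting.ancestor_default and its .batch variant, per the fix commit in this same push) and the LP#1424755 reference included here so the note can be matched to the advisory and to server logs.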
commit c74ac7878b901fa89e904b105907b5bb2d10639c
Author: Jason Stephenson <jstephenson at mvlc.org>
Date: Wed Feb 18 16:28:31 2015 -0500
LP#1424755: Org Unit Setting view permissions can be bypassed
Fix private org. unit setting leakage by forcing the $auth argument
to true if not passed in when open-ils.actor.ou_setting.ancestor_default
or open-ils.actor.ou_setting.ancestor_default.batch are called.
Other than a change to the desc of the public methods to reflect that
they now check permissions if permissions are required, there are no
required api changes to the back or the front ends.
Signed-off-by: Jason Stephenson <jstephenson at mvlc.org>
Signed-off-by: Galen Charlton <gmc at esilibrary.com>
Signed-off-by: Ben Shum <bshum at biblio.org>
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
index 9c9efc4..1fc1750 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
@@ -269,8 +269,9 @@ __PACKAGE__->register_method(
method => 'ou_ancestor_setting',
signature => {
desc => 'Get the org unit setting value associated with the setting name as seen from the specified org unit. ' .
- 'IF AND ONLY IF an authentication token is provided, this method will make sure that the given ' .
- 'user has permission to view that setting, if there is a permission associated with the setting.' ,
+ 'This method will make sure that the given user has permission to view that setting, if there is a ' .
+ 'permission associated with the setting. If a permission is required and no authtoken is given, or ' .
+ 'the user lacks the permisssion, undef will be returned.' ,
params => [
{ desc => 'Org unit ID', type => 'number' },
{ desc => 'setting name', type => 'string' },
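Review bot: typo in the new desc string, "permisssion" should be "permission"; the identical string is added to the batch method's desc in the later hunk, so correct both.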
@@ -289,6 +290,8 @@ __PACKAGE__->register_method(
# ------------------------------------------------------------------
sub ou_ancestor_setting {
my( $self, $client, $orgid, $name, $auth ) = @_;
+ # Make sure $auth is set to something if not given.
+ $auth ||= -1;
return $U->ou_ancestor_setting($orgid, $name, undef, $auth);
}
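Review bot: `$auth ||= -1;` relies on a magic sentinel and on `||=` rather than a definedness test, so an explicitly passed false-y value such as `''` or `'0'` is also replaced, and the comment ("set to something") does not match the commit message ("forcing the $auth argument to true"). State in the comment what the callee does with `-1` (treat it as an invalid session so that permission-protected settings are withheld), and consider `$auth = -1 unless defined $auth;` with a named constant shared by both public methods.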
@@ -297,8 +300,9 @@ __PACKAGE__->register_method(
method => 'ou_ancestor_setting_batch',
signature => {
desc => 'Get org unit setting name => value pairs for a list of names, as seen from the specified org unit. ' .
- 'IF AND ONLY IF an authentication token is provided, this method will make sure that the given ' .
- 'user has permission to view that setting, if there is a permission associated with the setting.' ,
+ 'This method will make sure that the given user has permission to view that setting, if there is a ' .
+ 'permission associated with the setting. If a permission is required and no authtoken is given, or ' .
+ 'the user lacks the permisssion, undef will be returned.' ,
params => [
{ desc => 'Org unit ID', type => 'number' },
{ desc => 'setting name list', type => 'array' },
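Review bot: the desc says "undef will be returned", but for the batch method the implementation visible below (`$values{$_} = $U->ou_ancestor_setting(...)` for each name, then `return \%values;`) returns the hashref with undef for each individual setting the caller may not view, not undef for the whole call; reword to "the value for that setting will be undef". Same "permisssion" typo as in the single-setting desc.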
@@ -309,6 +313,8 @@ __PACKAGE__->register_method(
);
sub ou_ancestor_setting_batch {
my( $self, $client, $orgid, $name_list, $auth ) = @_;
+ # Make sure $auth is set to something if not given.
+ $auth ||= -1;
my %values;
$values{$_} = $U->ou_ancestor_setting($orgid, $_, undef, $auth) for @$name_list;
return \%values;
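Review bot: the `$auth ||= -1;` line and its comment are duplicated verbatim from ou_ancestor_setting; factor the default into one helper or constant so the two public entry points cannot drift apart, and add a regression test that calls both methods without an auth token against a permission-protected setting and asserts that the value comes back undef.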
commit e19eb6c864419474e97ef2a752a634ac991b0bbf
Author: Jason Stephenson <jstephenson at mvlc.org>
Date: Tue Feb 24 14:05:16 2015 -0500
LP#1206589: Temporary Fix for Org. Unit Settings History Bug
This commit makes two changes to the coustl IDL entry.
1. It adds a retrieve permission of STAFF_LOGIN. This at least
requires someone with staff permission to be able to view settings
history.
2. It fixes the primary key field from date_applied to id. The
prior setting was just an outright error.
NOTE: This is intended as a short term fix for the Library Settings
Editor history feature.
Signed-off-by: Jason Stephenson <jstephenson at mvlc.org>
Signed-off-by: Ben Shum <bshum at biblio.org>
diff --git a/Open-ILS/examples/fm_IDL.xml b/Open-ILS/examples/fm_IDL.xml
index 88a79f0..f67193e 100644
--- a/Open-ILS/examples/fm_IDL.xml
+++ b/Open-ILS/examples/fm_IDL.xml
@@ -10850,7 +10850,7 @@ SELECT usr,
</class>
<class id="coustl" controller="open-ils.cstore open-ils.pcrud" oils_obj:fieldmapper="config::org_unit_setting_type_log" oils_persist:tablename="config.org_unit_setting_type_log" reporter:label="Organizational Unit Setting Type Log">
- <fields oils_persist:primary="date_applied" oils_persist:sequence="config.org_unit_setting_type_log_id_seq">
+ <fields oils_persist:primary="id" oils_persist:sequence="config.org_unit_setting_type_log_id_seq">
<field reporter:label="ID" name="id" reporter:datatype="id"/>
<field name="date_applied" reporter:datatype="timestamp"/>
<field name="org" reporter:datatype="org_unit"/>
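Review bot: with oils_persist:primary now "id", the primary key agrees with the sequence config.org_unit_setting_type_log_id_seq on the same line and with the id field declared on the next line; the commit message calls the old value an outright error, and it would help to record the observed failure there so the change is traceable.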
@@ -10865,7 +10865,7 @@ SELECT usr,
<permacrud xmlns="http://open-ils.org/spec/opensrf/IDL/permacrud/v1">
<actions>
<create permission="ADMIN_ORG_UNIT_SETTING_TYPE" context_field="org"/>
- <retrieve/>
+ <retrieve permission="STAFF_LOGIN" context_field="org"/>
<update permission="ADMIN_ORG_UNIT_SETTING_TYPE_LOG" context_field="org"/>
<delete permission="ADMIN_ORG_UNIT_SETTING_TYPE_LOG" context_field="org"/>
</actions>
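Review bot: retrieve now requires only STAFF_LOGIN while create, update and delete require ADMIN_ORG_UNIT_SETTING_TYPE or ADMIN_ORG_UNIT_SETTING_TYPE_LOG, so any staff account at the org can read the full settings history, including history for settings whose current values are protected by a view permission under the previous commit; since the commit message labels this a short-term fix, record the intended follow-up (gating history rows on the setting type's view permission) and mention the broad STAFF_LOGIN grant in the release notes.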
-----------------------------------------------------------------------
Summary of changes:
Open-ILS/examples/fm_IDL.xml | 4 ++--
.../src/perlmods/lib/OpenILS/Application/Actor.pm | 14 ++++++++++----
docs/RELEASE_NOTES_NEXT/security-bug-fix.txt | 9 +++++++++
3 files changed, 21 insertions(+), 6 deletions(-)
create mode 100644 docs/RELEASE_NOTES_NEXT/security-bug-fix.txt
hooks/post-receive
--
Evergreen ILS