[open-ils-commits] [GIT] Evergreen ILS branch rel_2_10 updated. 394b8718c157cb9f02babcecf1e2f6c666b761da

Evergreen Git git at git.evergreen-ils.org
Wed May 24 15:41:47 EDT 2017


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, rel_2_10 has been updated
       via  394b8718c157cb9f02babcecf1e2f6c666b761da (commit)
       via  ea734cd436d87e5538c30fc0040e2c08a130c9b5 (commit)
       via  9bec49dc88dae6b5b452d98ed222bdfcd4f95630 (commit)
       via  472bd5ae1486fc0349581b02e666d0e8b8d5c143 (commit)
      from  b01ca85655e3a0272a21883e7d600aa422c0ce53 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 394b8718c157cb9f02babcecf1e2f6c666b761da
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Wed May 24 12:37:26 2017 -0400

    update upgrade instructions for 2.10.12
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/docs/installation/server_upgrade.txt b/docs/installation/server_upgrade.txt
index 34d784d..18260f9 100644
--- a/docs/installation/server_upgrade.txt
+++ b/docs/installation/server_upgrade.txt
@@ -8,7 +8,7 @@ Software Prerequisites
 
  * **PostgreSQL**: Version 9.3 is recommended. The minimum supported version
     is 9.1.
-  * **Linux**: Evergreen 2.10.11 has been tested on Debian Jessie (8.0),
+  * **Linux**: Evergreen 2.10.12 has been tested on Debian Jessie (8.0),
     Debian Wheezy (7.0), Ubuntu Trusty Tahr (14.04),
     Ubuntu Precise Pangolin (12.04), and Fedora.
     If you are running an older version of these distributions, you may want
@@ -44,12 +44,12 @@ osrf_control --localhost --stop-all
  .. Back up the /openils directory.
 . Upgrade OpenSRF. Download and install the latest version of OpenSRF from
 the https://evergreen-ils.org/opensrf-downloads/[OpenSRF download page].
-. As the *opensrf* user, download and extract Evergreen 2.10.11:
+. As the *opensrf* user, download and extract Evergreen 2.10.12:
 +
 [source, bash]
 -----------------------------------------------
-wget https://evergreen-ils.org/downloads/Evergreen-ILS-2.10.11.tar.gz
-tar xzf Evergreen-ILS-2.10.11.tar.gz
+wget https://evergreen-ils.org/downloads/Evergreen-ILS-2.10.12.tar.gz
+tar xzf Evergreen-ILS-2.10.12.tar.gz
 -----------------------------------------------
 +
 [NOTE]
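Review bot: the download step (`wget https://evergreen-ils.org/downloads/Evergreen-ILS-2.10.12.tar.gz` followed directly by `tar xzf`) still has no integrity check; since this is the point at which the release code enters the server, consider adding a step that verifies a checksum or signature published with the release, if the project provides one, before extracting.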
@@ -59,7 +59,7 @@ For the latest edition of Evergreen, check the https://evergreen-ils.org/egdownl
 +
 [source, bash]
 ---------------------------------------------
-cd /home/opensrf/Evergreen-ILS-2.10.11
+cd /home/opensrf/Evergreen-ILS-2.10.12
 ---------------------------------------------
 +
 On the next command, replace `[distribution]` with one of these values for your
@@ -84,7 +84,7 @@ make -f Open-ILS/src/extras/Makefile.install [distribution]
 +
 [source, bash]
 ------------------------------------------------------------
-cd /home/opensrf/Evergreen-ILS-2.10.11
+cd /home/opensrf/Evergreen-ILS-2.10.12
 PATH=/openils/bin:$PATH ./configure --prefix=/openils --sysconfdir=/openils/conf
 make
 ------------------------------------------------------------
@@ -95,8 +95,8 @@ These instructions assume that you have also installed OpenSRF under /openils/.
 +
 [source, bash]
 ------------------------------------------------------------
-cd /home/opensrf/Evergreen-ILS-2.10.11
-make STAFF_CLIENT_STAMP_ID=rel_2_10_11 install
+cd /home/opensrf/Evergreen-ILS-2.10.12
+make STAFF_CLIENT_STAMP_ID=rel_2_10_12 install
 ------------------------------------------------------------
 +
 . As the *root* user, change all files to be owned by the opensrf user and group:
@@ -112,7 +112,7 @@ chown -R opensrf:opensrf /openils
 -----------------------------------------------------------
 cd /openils/var/web/xul/
 rm server
-ln -sf rel_2_10_11/server server
+ln -sf rel_2_10_12/server server
 ----------------------------------------------------------
 +
 . As the *opensrf* user, update opensrf_core.xml and opensrf.xml by copying the
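Review bot: the symlink target `rel_2_10_12/server` has to match the `STAFF_CLIENT_STAMP_ID=rel_2_10_12` used in the earlier `make install` hunk; both were bumped together here, but a sentence in the text tying the two values together would keep them from drifting apart in future version bumps. The `rm server` immediately before `ln -sf` is also redundant, since `-f` already replaces an existing link.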
@@ -132,7 +132,7 @@ Copying these configuration files will remove any customizations you have made t
 +
 [source, bash]
 -------------------------------------------------------------------------
-cd /home/opensrf/Evergreen-ILS-2.10.11
+cd /home/opensrf/Evergreen-ILS-2.10.12
 perl Open-ILS/src/support-scripts/eg_db_config --update-config --service all \
 --create-offline --database evergreen --host localhost --user evergreen --password evergreen
 -------------------------------------------------------------------------
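Review bot: `--password evergreen` places a database credential on the command line, where it lands in shell history and is visible in process listings, and the value shown is the default from the install docs; the text should tell readers to substitute their site's actual credentials and be aware of where that value is recorded.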
@@ -156,21 +156,21 @@ The diff command can be used to show the differences between the distribution ve
 +
 [source, bash]
 ----------------------------------------------------------
-cp /home/opensrf/Evergreen-ILS-2.10.11/Open-ILS/examples/apache/eg_startup /etc/apache2/eg_startup
+cp /home/opensrf/Evergreen-ILS-2.10.12/Open-ILS/examples/apache/eg_startup /etc/apache2/eg_startup
 ----------------------------------------------------------
 +
 .. Update /etc/apache2/eg_vhost.conf by copying the example from Open-ILS/examples/apache/eg_vhost.conf.
 +
 [source, bash]
 ----------------------------------------------------------
-cp /home/opensrf/Evergreen-ILS-2.10.11/Open-ILS/examples/apache/eg_vhost.conf /etc/apache2/eg_vhost.conf
+cp /home/opensrf/Evergreen-ILS-2.10.12/Open-ILS/examples/apache/eg_vhost.conf /etc/apache2/eg_vhost.conf
 ----------------------------------------------------------
 +
 .. Update /etc/apache2/sites-available/eg.conf by copying the example from Open-ILS/examples/apache/eg.conf.
 +
 [source, bash]
 ----------------------------------------------------------
-cp /home/opensrf/Evergreen-ILS-2.10.11/Open-ILS/examples/apache/eg.conf /etc/apache2/sites-available/eg.conf
+cp /home/opensrf/Evergreen-ILS-2.10.12/Open-ILS/examples/apache/eg.conf /etc/apache2/sites-available/eg.conf
 ----------------------------------------------------------
 
 Upgrade the Evergreen database schema
@@ -193,7 +193,7 @@ anything goes wrong during the upgrade.
 =============
 Evergreen provides incremental upgrade scripts that allow you to upgrade
 from one minor version to the next until you have the current version of
-the schema. For example, if you want to upgrade from 2.5.1 to 2.10.11, you
+the schema. For example, if you want to upgrade from 2.5.1 to 2.10.12, you
 would run the following upgrade scripts:
 
 - 2.5.1-2.5.2-upgrade-db.sql
@@ -226,13 +226,14 @@ would run the following upgrade scripts:
 - 2.10.8-2.10.9-upgrade-db.sql
 - 2.10.9-2.10.10-upgrade-db.sql
 - 2.10.10-2.10.11-upgrade-db.sql
+- 2.10.11-2.10.12-upgrade-db.sql
 
 Note that you do *not* want to run additional 2.5 scripts to upgrade to the
 newest version of 2.5, since currently there is no automated way to upgrade
 from 2.5.4+ to 2.6. Only upgrade as far as necessary to reach the major
 version upgrade script (in this example, as far as 2.5.3).
 
-To upgrade across multiple major versions (e.g. from 2.3.0 to 2.10.11), use
+To upgrade across multiple major versions (e.g. from 2.3.0 to 2.10.12), use
 the same logic to utilize the provided major version upgrade scripts. For
 example:
 
@@ -250,7 +251,7 @@ example:
 - 2.8.4-2.9.0-upgrade-db.sql
 - (run all incremental scripts from 2.9.0 to 2.9.3)
 - 2.9.3-2.10.0-upgrade-db.sql
-- (run all incremental scripts from 2.10.0 to 2.10.11)
+- (run all incremental scripts from 2.10.0 to 2.10.12)
 =============
 
 [CAUTION]
@@ -264,8 +265,8 @@ as a user with the ability to connect to the database server.
 
 [source, bash]
 ----------------------------------------------------------
-cd /home/opensrf/Evergreen-ILS-2.10.11/Open-ILS/src/sql/Pg
-psql -U evergreen -h localhost -f version-upgrade/2.10.10-2.10.11-upgrade-db.sql evergreen
+cd /home/opensrf/Evergreen-ILS-2.10.12/Open-ILS/src/sql/Pg
+psql -U evergreen -h localhost -f version-upgrade/2.10.11-2.10.12-upgrade-db.sql evergreen
 ----------------------------------------------------------
 
 [TIP]

commit ea734cd436d87e5538c30fc0040e2c08a130c9b5
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Wed May 24 12:35:09 2017 -0400

    2.10.11-2.10.12 schema update
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/Open-ILS/src/sql/Pg/version-upgrade/2.10.11-2.10.12-upgrade-db.sql b/Open-ILS/src/sql/Pg/version-upgrade/2.10.11-2.10.12-upgrade-db.sql
new file mode 100644
index 0000000..af5fdba
--- /dev/null
+++ b/Open-ILS/src/sql/Pg/version-upgrade/2.10.11-2.10.12-upgrade-db.sql
@@ -0,0 +1,5 @@
+--Upgrade Script for 2.10.11 to 2.10.12
+\set eg_version '''2.10.12'''
+BEGIN;
+INSERT INTO config.upgrade_log (version, applied_to) VALUES ('2.10.12', :eg_version);
+COMMIT;
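Review bot: the script contains no schema change, only the `config.upgrade_log` insert marking the database as 2.10.12, which is consistent with this being a templates-only security release; a one-line comment stating that no schema changes are included would help operators who inspect upgrade scripts before applying them. The `INSERT` passes the version both as the literal `'2.10.12'` and as `:eg_version`, which is harmless but could use the psql variable for both columns.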

commit 9bec49dc88dae6b5b452d98ed222bdfcd4f95630
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Wed May 24 12:33:45 2017 -0400

    release notes for 2.10.12
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/docs/RELEASE_NOTES_2_10.adoc b/docs/RELEASE_NOTES_2_10.adoc
index 2799573..5e8da6e 100644
--- a/docs/RELEASE_NOTES_2_10.adoc
+++ b/docs/RELEASE_NOTES_2_10.adoc
@@ -3,6 +3,32 @@ Evergreen 2.10 Release Notes
 :toc:
 :numbered:
 
+Evergreen 2.10.12
+-----------------
+This release is a security release.
+
+Security Issue: XSS Vulnerability in Public Catalog
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+This release fixes several cross-site scripting (XSS) vulnerabilities
+in the public catalog. When upgrading, Evergreen administrators should
+review whether any of the following templates have been customized
+or overridden. If so, either the template should be replaced with the
+stock version or the XSS fix (which entails adding the `| html` filter
+in several places) applied to the customized version.
+
+* `Open-ILS/src/templates/opac/parts/locale_picker.tt2`
+* `Open-ILS/src/templates/opac/parts/login/form.tt2`
+* `Open-ILS/src/templates/opac/parts/searchbar.tt2`
+
+Acknowledgements
+~~~~~~~~~~~~~~~~
+We would like to thank the following individuals who contributed code,
+testing and documentation patches to the 2.10.12 point release of
+Evergreen:
+
+* Galen Charlton
+* Dan Scott
+
 Evergreen 2.10.11
 -----------------
 
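Review bot: the security notice names the three affected templates but neither the bug reference (`LP#1478128`, from the fix commit) nor which values gained the `| html` filter; listing both would let administrators with customized copies of these templates diff against the fix and confirm every affected output is escaped, rather than only knowing that "several places" changed.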

commit 472bd5ae1486fc0349581b02e666d0e8b8d5c143
Author: Dan Scott <dscott at laurentian.ca>
Date:   Wed Apr 26 00:19:42 2017 -0400

    LP#1478128: Avoid XSS in public catalog
    
    This patch escapes various GET param values by passing them through
    the Template Toolkit html filter, including:
    
    * in the locale picker
    * in the searchbar
    * in the login form
    
    Signed-off-by: Dan Scott <dscott at laurentian.ca>
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>
    
    Conflicts:
    	Open-ILS/src/templates/opac/parts/searchbar.tt2
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/Open-ILS/src/templates/opac/parts/locale_picker.tt2 b/Open-ILS/src/templates/opac/parts/locale_picker.tt2
index 12019cd..2ba56c0 100644
--- a/Open-ILS/src/templates/opac/parts/locale_picker.tt2
+++ b/Open-ILS/src/templates/opac/parts/locale_picker.tt2
@@ -10,7 +10,7 @@
     <label for="locale_picker">[% l("Language:") %]</label>
     [%- FOREACH param IN CGI.params(); -%]
         [%- NEXT IF param.key == 'set_eg_locale'; -%]
-        <input type="hidden" name="[% param.key %]" value="[% param.value %]" />
+        <input type="hidden" name="[% param.key | html %]" value="[% param.value | html %]" />
     [%- END; -%]
     <select id="locale_picker" name="set_eg_locale">
     [%- FOREACH locale IN ctx.locales.keys %]
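Review bot: because this loop reflects every CGI parameter into hidden inputs, escaping both `param.key` and `param.value` is the right fix for these double-quoted attributes (Template Toolkit's `html` filter encodes `&`, `<`, `>` and `"`); a follow-up hardening would be to carry over only an allow-list of known parameters instead of reflecting all of them.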
diff --git a/Open-ILS/src/templates/opac/parts/login/form.tt2 b/Open-ILS/src/templates/opac/parts/login/form.tt2
index 88d42c9..c4b2054 100644
--- a/Open-ILS/src/templates/opac/parts/login/form.tt2
+++ b/Open-ILS/src/templates/opac/parts/login/form.tt2
@@ -49,7 +49,7 @@
             END;
                 redirect = redirect  | replace('^http:', 'https:');
             %]
-            <input type='hidden' name='redirect_to' value='[% redirect %]'/>
+            <input type='hidden' name='redirect_to' value='[% redirect | html %]'/>
             <input type="checkbox" name="persist" id="login_persist" /><label for="login_persist"> [% l('Stay logged in?') %]</label>
             <input type="submit" value="[% l('Log in') %]" alt="[% l('Log in') %]" class="opac-button" />
         </div>
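Review bot: the `redirect_to` attribute is single-quoted (`value='[% redirect | html %]'`), and Template Toolkit's `html` filter does not encode the apostrophe, so a `redirect` value containing `'` can still terminate the attribute; use double quotes as the other templates in this patch do, or apply a filter that also escapes `'`. Since the preceding `replace('^http:', 'https:')` shows the value is treated as a URL, validating that it is a relative or same-host path would also close the redirect to arbitrary destinations.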
diff --git a/Open-ILS/src/templates/opac/parts/searchbar.tt2 b/Open-ILS/src/templates/opac/parts/searchbar.tt2
index 20088fa..1b368ff 100644
--- a/Open-ILS/src/templates/opac/parts/searchbar.tt2
+++ b/Open-ILS/src/templates/opac/parts/searchbar.tt2
@@ -90,9 +90,9 @@
             number_of_expert_rows = CGI.param('tag').list.size;
             index = 0;
             WHILE index < number_of_expert_rows %]
-                <input type="hidden" name="tag" value="[% CGI.param('tag').list.$index %]" />
-                <input type="hidden" name="subfield" value="[% CGI.param('subfield').list.$index %]" />
-                <input type="hidden" name="term" value="[% CGI.param('term').list.$index %]" />
+                <input type="hidden" name="tag" value="[% CGI.param('tag').list.$index | html %]" />
+                <input type="hidden" name="subfield" value="[% CGI.param('subfield').list.$index | html %]" />
+                <input type="hidden" name="term" value="[% CGI.param('term').list.$index | html %]" />
                 [% index = index + 1; %]
             [% END %]
         [% END %]
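Review bot: the loop count comes from `CGI.param('tag').list.size` while `subfield` and `term` are indexed with the same `$index`, so if the three lists differ in length the extra entries are silently dropped or emitted as empty values; that is a pre-existing behaviour, not introduced here, but worth a comment. The attributes are double-quoted, so the `html` filter is sufficient for these three lines.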

-----------------------------------------------------------------------

Summary of changes:
 .../version-upgrade/2.10.11-2.10.12-upgrade-db.sql |    5 +++
 .../src/templates/opac/parts/locale_picker.tt2     |    2 +-
 Open-ILS/src/templates/opac/parts/login/form.tt2   |    2 +-
 Open-ILS/src/templates/opac/parts/searchbar.tt2    |    6 ++--
 docs/RELEASE_NOTES_2_10.adoc                       |   26 ++++++++++++++
 docs/installation/server_upgrade.txt               |   37 ++++++++++---------
 6 files changed, 55 insertions(+), 23 deletions(-)
 create mode 100644 Open-ILS/src/sql/Pg/version-upgrade/2.10.11-2.10.12-upgrade-db.sql


hooks/post-receive
-- 
Evergreen ILS

