[open-ils-commits] [GIT] Evergreen ILS branch rel_2_11 updated. cee28fe1dadfd4c85799408cad9cd8f572f1a571

Evergreen Git git at git.evergreen-ils.org
Wed May 24 15:43:51 EDT 2017


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, rel_2_11 has been updated
       via  cee28fe1dadfd4c85799408cad9cd8f572f1a571 (commit)
       via  96cd5f6e5565f6b4bb3be8248dd8680d1815ec14 (commit)
       via  45a494080ac56d612231fcef0b12c8ddfb6de7a5 (commit)
      from  d012c947e11db84f2d2f47c5ac348a4db15daea4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit cee28fe1dadfd4c85799408cad9cd8f572f1a571
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Wed May 24 12:35:09 2017 -0400

    2.10.11-2.10.12 schema update
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/Open-ILS/src/sql/Pg/version-upgrade/2.10.11-2.10.12-upgrade-db.sql b/Open-ILS/src/sql/Pg/version-upgrade/2.10.11-2.10.12-upgrade-db.sql
new file mode 100644
index 0000000..af5fdba
--- /dev/null
+++ b/Open-ILS/src/sql/Pg/version-upgrade/2.10.11-2.10.12-upgrade-db.sql
@@ -0,0 +1,5 @@
+--Upgrade Script for 2.10.11 to 2.10.12
+\set eg_version '''2.10.12'''
+BEGIN;
+INSERT INTO config.upgrade_log (version, applied_to) VALUES ('2.10.12', :eg_version);
+COMMIT;
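Review bot: the `applied_to` value is supplied through the psql variable `:eg_version` set on the line above, so this script only works when run through `psql` (not a generic SQL client); a one-line comment next to the `\set` saying so would help administrators applying it by hand. The script records only the version bump, which is consistent with a release whose changes are template and documentation fixes, so nothing else is needed here.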

commit 96cd5f6e5565f6b4bb3be8248dd8680d1815ec14
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Wed May 24 12:29:57 2017 -0400

    update 2.11.5 release notes
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/docs/RELEASE_NOTES_2_11.adoc b/docs/RELEASE_NOTES_2_11.adoc
index e3348b1..db98214 100644
--- a/docs/RELEASE_NOTES_2_11.adoc
+++ b/docs/RELEASE_NOTES_2_11.adoc
@@ -5,9 +5,24 @@ Evergreen 2.11 Release Notes
 
 Evergreen 2.11.5
 ----------------
-
-This release contains several bug fixes improving on Evergreen 2.11.4.
-
+This release is a security release that also contains several other bug
+fixes improving on Evergreen 2.11.4.
+
+Security Issue: XSS Vulnerability in Public Catalog
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+This release fixes several cross-site scripting (XSS) vulnerabilities
+in the public catalog. When upgrading, Evergreen administrators should
+review whether any of the following templates have been customized
+or overridden. If so, either the template should be replaced with the
+stock version or the XSS fix (which entails adding the `| html` filter
+in several places) applied to the customized version.
+
+* `Open-ILS/src/templates/opac/parts/locale_picker.tt2`
+* `Open-ILS/src/templates/opac/parts/login/form.tt2`
+* `Open-ILS/src/templates/opac/parts/searchbar.tt2`
+
+Other Bugfixes
+~~~~~~~~~~~~~~
 * A fix to remove the Chilifresh patron reviews header for Evergreen sites
 that do not use Chilifresh.
 * A fix that marks acquisitions POs as received when all line items on the 
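Review bot: the security note tells administrators to apply "the XSS fix (which entails adding the `| html` filter in several places)" but gives them no pointer to the actual change; citing the bug number from the commit message (LP#1478128) next to the heading would let them locate the exact lines to port into a customized template. The three listed files match the templates touched by the fix, so the list itself is complete.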

commit 45a494080ac56d612231fcef0b12c8ddfb6de7a5
Author: Dan Scott <dscott at laurentian.ca>
Date:   Wed Apr 26 00:19:42 2017 -0400

    LP#1478128: Avoid XSS in public catalog
    
    This patch escapes various GET param values by passing them through
    the Template Toolkit html filter, including:
    
    * in the locale picker
    * in the searchbar
    * in the login form
    
    Signed-off-by: Dan Scott <dscott at laurentian.ca>
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>
    
    Conflicts:
    	Open-ILS/src/templates/opac/parts/searchbar.tt2
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/Open-ILS/src/templates/opac/parts/locale_picker.tt2 b/Open-ILS/src/templates/opac/parts/locale_picker.tt2
index 12019cd..2ba56c0 100644
--- a/Open-ILS/src/templates/opac/parts/locale_picker.tt2
+++ b/Open-ILS/src/templates/opac/parts/locale_picker.tt2
@@ -10,7 +10,7 @@
     <label for="locale_picker">[% l("Language:") %]</label>
     [%- FOREACH param IN CGI.params(); -%]
         [%- NEXT IF param.key == 'set_eg_locale'; -%]
-        <input type="hidden" name="[% param.key %]" value="[% param.value %]" />
+        <input type="hidden" name="[% param.key | html %]" value="[% param.value | html %]" />
     [%- END; -%]
     <select id="locale_picker" name="set_eg_locale">
     [%- FOREACH locale IN ctx.locales.keys %]
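Review bot: filtering both `param.key` and `param.value` is the right scope here, since this loop replays every incoming query parameter into double-quoted attribute values and the `html` filter escapes `&`, `<`, `>` and `"`. The `NEXT IF param.key == 'set_eg_locale'` guard only skips that one key, so every other parameter name reaches the output; the filter on the `name` attribute is therefore as important as the one on `value`.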
diff --git a/Open-ILS/src/templates/opac/parts/login/form.tt2 b/Open-ILS/src/templates/opac/parts/login/form.tt2
index 1657855..5d12af5 100644
--- a/Open-ILS/src/templates/opac/parts/login/form.tt2
+++ b/Open-ILS/src/templates/opac/parts/login/form.tt2
@@ -49,7 +49,7 @@
             END;
                 redirect = redirect  | replace('^http:', 'https:');
             %]
-            <input type='hidden' name='redirect_to' value='[% redirect %]'/>
+            <input type='hidden' name='redirect_to' value='[% redirect | html %]'/>
             <input type="checkbox" name="persist" id="login_persist" /><label for="login_persist"> [% l('Stay logged in?') %]</label>
             <input type="submit" value="[% l('Log in') %]" alt="[% l('Log in') %]" class="opac-button" />
         </div>
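Review bot: the `html` filter escapes `&`, `<`, `>` and `"` but not the single quote, and this attribute is delimited with single quotes (`value='[% redirect | html %]'`), so the escaping does not fully match the delimiter. Change the attribute to double quotes, `value="[% redirect | html %]"`, as the locale picker and searchbar hunks already do, so the filter's `"` escaping is the one that matters.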
diff --git a/Open-ILS/src/templates/opac/parts/searchbar.tt2 b/Open-ILS/src/templates/opac/parts/searchbar.tt2
index a48c4a0..32e20ae 100644
--- a/Open-ILS/src/templates/opac/parts/searchbar.tt2
+++ b/Open-ILS/src/templates/opac/parts/searchbar.tt2
@@ -90,9 +90,9 @@
             number_of_expert_rows = CGI.param('tag').list.size;
             index = 0;
             WHILE index < number_of_expert_rows %]
-                <input type="hidden" name="tag" value="[% CGI.param('tag').list.$index %]" />
-                <input type="hidden" name="subfield" value="[% CGI.param('subfield').list.$index %]" />
-                <input type="hidden" name="term" value="[% CGI.param('term').list.$index %]" />
+                <input type="hidden" name="tag" value="[% CGI.param('tag').list.$index | html %]" />
+                <input type="hidden" name="subfield" value="[% CGI.param('subfield').list.$index | html %]" />
+                <input type="hidden" name="term" value="[% CGI.param('term').list.$index | html %]" />
                 [% index = index + 1; %]
             [% END %]
         [% END %]
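Review bot: the three hidden inputs are now filtered consistently, which is the fix. Unchanged but worth a comment in context: the `WHILE` bound comes from `CGI.param('tag').list.size` alone, so requests carrying a different number of `subfield` or `term` values than `tag` values either emit empty hidden inputs or silently drop the extras; if that is intended, a one-line comment above the loop would save the next reader from wondering.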

-----------------------------------------------------------------------

Summary of changes:
 .../version-upgrade/2.10.11-2.10.12-upgrade-db.sql |    5 +++++
 .../src/templates/opac/parts/locale_picker.tt2     |    2 +-
 Open-ILS/src/templates/opac/parts/login/form.tt2   |    2 +-
 Open-ILS/src/templates/opac/parts/searchbar.tt2    |    6 +++---
 docs/RELEASE_NOTES_2_11.adoc                       |   17 ++++++++++++++++-
 5 files changed, 26 insertions(+), 6 deletions(-)
 create mode 100644 Open-ILS/src/sql/Pg/version-upgrade/2.10.11-2.10.12-upgrade-db.sql


hooks/post-receive
-- 
Evergreen ILS