[open-ils-commits] [GIT] Evergreen ILS branch rel_2_12 updated. de338bccf996b5c76e191619c7ca7078f24fedf2

Evergreen Git git at git.evergreen-ils.org
Wed May 24 15:45:14 EDT 2017


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, rel_2_12 has been updated
       via  de338bccf996b5c76e191619c7ca7078f24fedf2 (commit)
       via  3867a32c1e7bb82e1de11da6e4f31c8f2378d200 (commit)
       via  3e663fb2381f0c13c80b776483af7a331be666e4 (commit)
      from  03cc7bf48036a01bc8dc01be2f7429c15462d61e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit de338bccf996b5c76e191619c7ca7078f24fedf2
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Wed May 24 12:35:09 2017 -0400

    2.10.11-2.10.12 schema update
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/Open-ILS/src/sql/Pg/version-upgrade/2.10.11-2.10.12-upgrade-db.sql b/Open-ILS/src/sql/Pg/version-upgrade/2.10.11-2.10.12-upgrade-db.sql
new file mode 100644
index 0000000..af5fdba
--- /dev/null
+++ b/Open-ILS/src/sql/Pg/version-upgrade/2.10.11-2.10.12-upgrade-db.sql
@@ -0,0 +1,5 @@
+--Upgrade Script for 2.10.11 to 2.10.12
+\set eg_version '''2.10.12'''
+BEGIN;
+INSERT INTO config.upgrade_log (version, applied_to) VALUES ('2.10.12', :eg_version);
+COMMIT;
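Review bot: this upgrade script records the version bump only (the single INSERT into config.upgrade_log) and applies no schema changes, which fits a point release whose fixes are confined to templates; a one-line comment under the `--Upgrade Script` header stating that there are no schema changes in this step would spare operators from wondering whether part of the script is missing.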

commit 3867a32c1e7bb82e1de11da6e4f31c8f2378d200
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Wed May 24 12:26:45 2017 -0400

    update 2.12.2 release notes
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/docs/RELEASE_NOTES_2_12.adoc b/docs/RELEASE_NOTES_2_12.adoc
index e5242a9..db2ed72 100644
--- a/docs/RELEASE_NOTES_2_12.adoc
+++ b/docs/RELEASE_NOTES_2_12.adoc
@@ -6,7 +6,21 @@ Evergreen 2.12 Release Notes
 Evergreen 2.12.2
 ----------------
 
-This release contains several bug fixes improving on Evergreen 2.12.2.
+This release is a security release that also contains several other bug
+fixes improving on Evergreen 2.12.1.
+
+Security Issue: XSS Vulnerability in Public Catalog
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+This release fixes several cross-site scripting (XSS) vulnerabilities
+in the public catalog. When upgrading, Evergreen administrators should
+review whether any of the following templates have been customized
+or overridden. If so, either the template should be replaced with the
+stock version or the XSS fix (which entails adding the `| html` filter
+in several places) applied to the customized version.
+
+* `Open-ILS/src/templates/opac/parts/locale_picker.tt2`
+* `Open-ILS/src/templates/opac/parts/login/form.tt2`
+* `Open-ILS/src/templates/opac/parts/searchbar.tt2`
 
 Upgrade Notes
 ~~~~~~~~~~~~~
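Review bot: the new security section names the fix (adding `| html`) and the three affected templates but not the bug it tracks; since the accompanying commit is titled `LP#1478128: Avoid XSS in public catalog`, add that bug reference to the paragraph so administrators checking customized templates can find the full diff. The correction of the first sentence from `2.12.2` to `2.12.1` is right, since a release cannot improve on itself.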

commit 3e663fb2381f0c13c80b776483af7a331be666e4
Author: Dan Scott <dscott at laurentian.ca>
Date:   Wed Apr 26 00:19:42 2017 -0400

    LP#1478128: Avoid XSS in public catalog
    
    This patch escapes various GET param values by passing them through
    the Template Toolkit html filter, including:
    
    * in the locale picker
    * in the searchbar
    * in the login form
    
    Signed-off-by: Dan Scott <dscott at laurentian.ca>
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/Open-ILS/src/templates/opac/parts/locale_picker.tt2 b/Open-ILS/src/templates/opac/parts/locale_picker.tt2
index 12019cd..2ba56c0 100644
--- a/Open-ILS/src/templates/opac/parts/locale_picker.tt2
+++ b/Open-ILS/src/templates/opac/parts/locale_picker.tt2
@@ -10,7 +10,7 @@
     <label for="locale_picker">[% l("Language:") %]</label>
     [%- FOREACH param IN CGI.params(); -%]
         [%- NEXT IF param.key == 'set_eg_locale'; -%]
-        <input type="hidden" name="[% param.key %]" value="[% param.value %]" />
+        <input type="hidden" name="[% param.key | html %]" value="[% param.value | html %]" />
     [%- END; -%]
     <select id="locale_picker" name="set_eg_locale">
     [%- FOREACH locale IN ctx.locales.keys %]
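Review bot: escaping `param.key` as well as `param.value` is the right call here, since the `FOREACH param IN CGI.params()` loop echoes every request parameter name except `set_eg_locale` back into the page, and an attribute name taken from the query string can break out of the tag just as a value can. The `html` filter covers the double-quoted attributes used on this line; the release notes should tell customizers to keep the double quotes, because the filter does not escape single quotes.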
diff --git a/Open-ILS/src/templates/opac/parts/login/form.tt2 b/Open-ILS/src/templates/opac/parts/login/form.tt2
index 23e38c6..f357e8a 100644
--- a/Open-ILS/src/templates/opac/parts/login/form.tt2
+++ b/Open-ILS/src/templates/opac/parts/login/form.tt2
@@ -49,7 +49,7 @@
             END;
                 redirect = redirect  | replace('^http:', 'https:');
             %]
-            <input type='hidden' name='redirect_to' value='[% redirect %]'/>
+            <input type='hidden' name='redirect_to' value='[% redirect | html %]'/>
             <input type="checkbox" name="persist" id="login_persist" /><label for="login_persist"> [% l('Stay logged in?') %]</label>
             <input type="submit" value="[% l('Log in') %]" alt="[% l('Log in') %]" class="opac-button" />
         </div>
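Review bot: the `redirect_to` input's `value` attribute is single-quoted, and Template Toolkit's `html` filter escapes only `&`, `<`, `>` and `"`, so an apostrophe in the `redirect` value is still emitted unescaped inside a single-quoted attribute after this change. Switch the attribute to double quotes to match the other patched templates (`value="[% redirect | html %]"`), or additionally pass the value through a filter that encodes apostrophes.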
diff --git a/Open-ILS/src/templates/opac/parts/searchbar.tt2 b/Open-ILS/src/templates/opac/parts/searchbar.tt2
index ddf68cf..587f485 100644
--- a/Open-ILS/src/templates/opac/parts/searchbar.tt2
+++ b/Open-ILS/src/templates/opac/parts/searchbar.tt2
@@ -124,7 +124,7 @@ END;
             FOR p IN CGI.params.keys;
                 NEXT UNLESS p.match('^fi:');
                 FOR pv IN CGI.params.$p;
-                    %]<input type="hidden" name="[% p %]" value="[% pv %]" />[%
+                    %]<input type="hidden" name="[% p | html %]" value="[% pv | html %]" />[%
                 END;
             END;
         END %]
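Review bot: filtering `p` as well as `pv` is appropriate because `NEXT UNLESS p.match('^fi:')` only constrains the prefix of the echoed parameter name, not the remainder, and both the name and every value in `CGI.params.$p` originate in the request. No further change is needed on this hunk.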
@@ -133,9 +133,9 @@ END;
             number_of_expert_rows = CGI.param('tag').list.size;
             index = 0;
             WHILE index < number_of_expert_rows %]
-                <input type="hidden" name="tag" value="[% CGI.param('tag').list.$index %]" />
-                <input type="hidden" name="subfield" value="[% CGI.param('subfield').list.$index %]" />
-                <input type="hidden" name="term" value="[% CGI.param('term').list.$index %]" />
+                <input type="hidden" name="tag" value="[% CGI.param('tag').list.$index | html %]" />
+                <input type="hidden" name="subfield" value="[% CGI.param('subfield').list.$index | html %]" />
+                <input type="hidden" name="term" value="[% CGI.param('term').list.$index | html %]" />
                 [% index = index + 1; %]
             [% END %]
         [% END %]
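Review bot: `number_of_expert_rows` is taken from the size of the `tag` list alone (`number_of_expert_rows = CGI.param('tag').list.size;`), so when fewer `subfield` or `term` values are submitted than `tag` values, the later rows render hidden inputs whose value is an empty string; that is pre-existing behaviour and the `| html` filter on an undefined value simply yields nothing, but it is worth a follow-up to iterate over the shortest of the three lists.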

-----------------------------------------------------------------------

Summary of changes:
 .../version-upgrade/2.10.11-2.10.12-upgrade-db.sql |    5 +++++
 .../src/templates/opac/parts/locale_picker.tt2     |    2 +-
 Open-ILS/src/templates/opac/parts/login/form.tt2   |    2 +-
 Open-ILS/src/templates/opac/parts/searchbar.tt2    |    8 ++++----
 docs/RELEASE_NOTES_2_12.adoc                       |   16 +++++++++++++++-
 5 files changed, 26 insertions(+), 7 deletions(-)
 create mode 100644 Open-ILS/src/sql/Pg/version-upgrade/2.10.11-2.10.12-upgrade-db.sql


hooks/post-receive
-- 
Evergreen ILS

