[open-ils-commits] [GIT] Evergreen ILS branch master updated. 1fd5edfbef2e95910f2fd0f405438e600a205518

Evergreen Git git at git.evergreen-ils.org
Wed May 24 15:59:40 EDT 2017


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, master has been updated
       via  1fd5edfbef2e95910f2fd0f405438e600a205518 (commit)
       via  b298bc47bf8b09db5c0f2a748b8d1c03e873441b (commit)
       via  1bbe3fb5f5e4cfcf5e6325ee9335b9924cd71bc7 (commit)
       via  e5dd0f2fd10646be9e8865d19b646a99e01aa5a4 (commit)
       via  17210e096b0009c4a891944085c5cdc33a100d9c (commit)
      from  a8e1007dd55c477cfa7b8eadc96a81f09c1e5e22 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 1fd5edfbef2e95910f2fd0f405438e600a205518
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Wed May 24 12:35:09 2017 -0400

    2.10.11-2.10.12 schema update
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/Open-ILS/src/sql/Pg/version-upgrade/2.10.11-2.10.12-upgrade-db.sql b/Open-ILS/src/sql/Pg/version-upgrade/2.10.11-2.10.12-upgrade-db.sql
new file mode 100644
index 0000000..af5fdba
--- /dev/null
+++ b/Open-ILS/src/sql/Pg/version-upgrade/2.10.11-2.10.12-upgrade-db.sql
@@ -0,0 +1,5 @@
+--Upgrade Script for 2.10.11 to 2.10.12
+\set eg_version '''2.10.12'''
+BEGIN;
+INSERT INTO config.upgrade_log (version, applied_to) VALUES ('2.10.12', :eg_version);
+COMMIT;
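Review bot: this script only stamps config.upgrade_log and carries no schema change, which is expected for a fix that lives entirely in templates; a one-line comment after `--Upgrade Script for 2.10.11 to 2.10.12` stating that there are no schema changes and that the template updates under Open-ILS/src/templates/opac/parts must be deployed separately would stop administrators from assuming that applying the SQL alone closes the issue.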

commit b298bc47bf8b09db5c0f2a748b8d1c03e873441b
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Wed May 24 12:33:45 2017 -0400

    release notes for 2.10.12
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/docs/RELEASE_NOTES_2_10.adoc b/docs/RELEASE_NOTES_2_10.adoc
index c49bcd9..09749f9 100644
--- a/docs/RELEASE_NOTES_2_10.adoc
+++ b/docs/RELEASE_NOTES_2_10.adoc
@@ -3,6 +3,32 @@ Evergreen 2.10 Release Notes
 :toc:
 :numbered:
 
+Evergreen 2.10.12
+-----------------
+This release is a security release.
+
+Security Issue: XSS Vulnerability in Public Catalog
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+This release fixes several cross-site scripting (XSS) vulnerabilities
+in the public catalog. When upgrading, Evergreen administrators should
+review whether any of the following templates have been customized
+or overridden. If so, either the template should be replaced with the
+stock version or the XSS fix (which entails adding the `| html` filter
+in several places) applied to the customized version.
+
+* `Open-ILS/src/templates/opac/parts/locale_picker.tt2`
+* `Open-ILS/src/templates/opac/parts/login/form.tt2`
+* `Open-ILS/src/templates/opac/parts/searchbar.tt2`
+
+Acknowledgements
+~~~~~~~~~~~~~~~~
+We would like to thank the following individuals who contributed code,
+testing and documentation patches to the 2.10.12 point release of
+Evergreen:
+
+* Galen Charlton
+* Dan Scott
+
 Evergreen 2.10.11
 -----------------
 
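Review bot: the new security section does not cite the Launchpad bug it resolves (LP#1478128, per the fix commit in this same push); adding the reference to the "Security Issue" paragraph lets administrators track the advisory and the affected templates. The tilde underline beneath `Security Issue: XSS Vulnerability in Public Catalog` also appears shorter than the same heading in the 2.11 and 2.12 notes; matching the title length keeps AsciiDoc from misreading the section title.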

commit 1bbe3fb5f5e4cfcf5e6325ee9335b9924cd71bc7
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Wed May 24 12:29:57 2017 -0400

    update 2.11.5 release notes
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/docs/RELEASE_NOTES_2_11.adoc b/docs/RELEASE_NOTES_2_11.adoc
index e3348b1..db98214 100644
--- a/docs/RELEASE_NOTES_2_11.adoc
+++ b/docs/RELEASE_NOTES_2_11.adoc
@@ -5,9 +5,24 @@ Evergreen 2.11 Release Notes
 
 Evergreen 2.11.5
 ----------------
-
-This release contains several bug fixes improving on Evergreen 2.11.4.
-
+This release is a security release that also contains several other bug
+fixes improving on Evergreen 2.11.4.
+
+Security Issue: XSS Vulnerability in Public Catalog
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+This release fixes several cross-site scripting (XSS) vulnerabilities
+in the public catalog. When upgrading, Evergreen administrators should
+review whether any of the following templates have been customized
+or overridden. If so, either the template should be replaced with the
+stock version or the XSS fix (which entails adding the `| html` filter
+in several places) applied to the customized version.
+
+* `Open-ILS/src/templates/opac/parts/locale_picker.tt2`
+* `Open-ILS/src/templates/opac/parts/login/form.tt2`
+* `Open-ILS/src/templates/opac/parts/searchbar.tt2`
+
+Other Bugfixes
+~~~~~~~~~~~~~~
 * A fix to remove the Chilifresh patron reviews header for Evergreen sites
 that do not use Chilifresh.
 * A fix that marks acquisitions POs as received when all line items on the 
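Review bot: the new `Other Bugfixes` heading is inserted directly above the pre-existing bullet list with no blank line between `~~~~~~~~~~~~~~` and `* A fix to remove the Chilifresh...`; AsciiDoc tolerates this, but a blank line keeps the layout consistent with the security subsection above. As with the 2.10 notes, the security paragraph should cite LP#1478128 so the three release-notes files point at the same bug.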

commit e5dd0f2fd10646be9e8865d19b646a99e01aa5a4
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Wed May 24 12:26:45 2017 -0400

    update 2.12.2 release notes
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/docs/RELEASE_NOTES_2_12.adoc b/docs/RELEASE_NOTES_2_12.adoc
index e5242a9..db2ed72 100644
--- a/docs/RELEASE_NOTES_2_12.adoc
+++ b/docs/RELEASE_NOTES_2_12.adoc
@@ -6,7 +6,21 @@ Evergreen 2.12 Release Notes
 Evergreen 2.12.2
 ----------------
 
-This release contains several bug fixes improving on Evergreen 2.12.2.
+This release is a security release that also contains several other bug
+fixes improving on Evergreen 2.12.1.
+
+Security Issue: XSS Vulnerability in Public Catalog
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+This release fixes several cross-site scripting (XSS) vulnerabilities
+in the public catalog. When upgrading, Evergreen administrators should
+review whether any of the following templates have been customized
+or overridden. If so, either the template should be replaced with the
+stock version or the XSS fix (which entails adding the `| html` filter
+in several places) applied to the customized version.
+
+* `Open-ILS/src/templates/opac/parts/locale_picker.tt2`
+* `Open-ILS/src/templates/opac/parts/login/form.tt2`
+* `Open-ILS/src/templates/opac/parts/searchbar.tt2`
 
 Upgrade Notes
 ~~~~~~~~~~~~~
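Review bot: the replacement of "improving on Evergreen 2.12.2" with "improving on Evergreen 2.12.1" corrects a self-referencing version in the 2.12.2 notes, which is right. The same LP#1478128 citation point applies here; and since the security paragraph and template list are now duplicated verbatim across the 2.10, 2.11 and 2.12 notes, keeping the three copies identical (or sourcing them from one shared snippet) avoids drift when one copy is later amended.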

commit 17210e096b0009c4a891944085c5cdc33a100d9c
Author: Dan Scott <dscott at laurentian.ca>
Date:   Wed Apr 26 00:19:42 2017 -0400

    LP#1478128: Avoid XSS in public catalog
    
    This patch escapes various GET param values by passing them through
    the Template Toolkit html filter, including:
    
    * in the locale picker
    * in the searchbar
    * in the login form
    
    Signed-off-by: Dan Scott <dscott at laurentian.ca>
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/Open-ILS/src/templates/opac/parts/locale_picker.tt2 b/Open-ILS/src/templates/opac/parts/locale_picker.tt2
index 12019cd..2ba56c0 100644
--- a/Open-ILS/src/templates/opac/parts/locale_picker.tt2
+++ b/Open-ILS/src/templates/opac/parts/locale_picker.tt2
@@ -10,7 +10,7 @@
     <label for="locale_picker">[% l("Language:") %]</label>
     [%- FOREACH param IN CGI.params(); -%]
         [%- NEXT IF param.key == 'set_eg_locale'; -%]
-        <input type="hidden" name="[% param.key %]" value="[% param.value %]" />
+        <input type="hidden" name="[% param.key | html %]" value="[% param.value | html %]" />
     [%- END; -%]
     <select id="locale_picker" name="set_eg_locale">
     [%- FOREACH locale IN ctx.locales.keys %]
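Review bot: escaping both `param.key` and `param.value` is the right scope, since every CGI parameter except `set_eg_locale` is echoed back into a hidden input. A short template comment on the `[%- FOREACH param IN CGI.params(); -%]` loop explaining that the `| html` filter is what keeps request-controlled query strings from terminating the `value="..."` attribute would help sites that customize this template (the release notes already warn them) understand why the filter must not be dropped.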
diff --git a/Open-ILS/src/templates/opac/parts/login/form.tt2 b/Open-ILS/src/templates/opac/parts/login/form.tt2
index 23e38c6..f357e8a 100644
--- a/Open-ILS/src/templates/opac/parts/login/form.tt2
+++ b/Open-ILS/src/templates/opac/parts/login/form.tt2
@@ -49,7 +49,7 @@
             END;
                 redirect = redirect  | replace('^http:', 'https:');
             %]
-            <input type='hidden' name='redirect_to' value='[% redirect %]'/>
+            <input type='hidden' name='redirect_to' value='[% redirect | html %]'/>
             <input type="checkbox" name="persist" id="login_persist" /><label for="login_persist"> [% l('Stay logged in?') %]</label>
             <input type="submit" value="[% l('Log in') %]" alt="[% l('Log in') %]" class="opac-button" />
         </div>
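Review bot: `value='[% redirect | html %]'` keeps single-quote attribute delimiters. Template Toolkit's html filter escapes `&`, `<`, `>` and the double quote but, to my knowledge, not the single quote, so for defence in depth this attribute should use double quotes (`value="[% redirect | html %]"`), matching the other inputs on the following lines and the quoting used in locale_picker.tt2 and searchbar.tt2.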
diff --git a/Open-ILS/src/templates/opac/parts/searchbar.tt2 b/Open-ILS/src/templates/opac/parts/searchbar.tt2
index ddf68cf..587f485 100644
--- a/Open-ILS/src/templates/opac/parts/searchbar.tt2
+++ b/Open-ILS/src/templates/opac/parts/searchbar.tt2
@@ -124,7 +124,7 @@ END;
             FOR p IN CGI.params.keys;
                 NEXT UNLESS p.match('^fi:');
                 FOR pv IN CGI.params.$p;
-                    %]<input type="hidden" name="[% p %]" value="[% pv %]" />[%
+                    %]<input type="hidden" name="[% p | html %]" value="[% pv | html %]" />[%
                 END;
             END;
         END %]
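Review bot: `p` is already restricted by `NEXT UNLESS p.match('^fi:')`, but filtering both the name and the value is still correct because the remainder of the key after the prefix, and every `pv`, are request-controlled. A comment above the `FOR p IN CGI.params.keys;` loop stating that anything copied from CGI.params into markup in this block must pass through `| html` would keep future additions consistent with this fix.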
@@ -133,9 +133,9 @@ END;
             number_of_expert_rows = CGI.param('tag').list.size;
             index = 0;
             WHILE index < number_of_expert_rows %]
-                <input type="hidden" name="tag" value="[% CGI.param('tag').list.$index %]" />
-                <input type="hidden" name="subfield" value="[% CGI.param('subfield').list.$index %]" />
-                <input type="hidden" name="term" value="[% CGI.param('term').list.$index %]" />
+                <input type="hidden" name="tag" value="[% CGI.param('tag').list.$index | html %]" />
+                <input type="hidden" name="subfield" value="[% CGI.param('subfield').list.$index | html %]" />
+                <input type="hidden" name="term" value="[% CGI.param('term').list.$index | html %]" />
                 [% index = index + 1; %]
             [% END %]
         [% END %]
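Review bot: the loop is bounded by `number_of_expert_rows = CGI.param('tag').list.size;` while `subfield` and `term` are indexed with the same `$index`; if those lists are shorter than `tag`, the lookups render as empty values, which is harmless but worth a comment on the `WHILE` line. The `| html` filter is now applied to all three values, and since `tag`, `subfield` and `term` are all request-controlled this closes the same attribute-injection pattern as the first hunk in this file.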

-----------------------------------------------------------------------

Summary of changes:
 .../version-upgrade/2.10.11-2.10.12-upgrade-db.sql |    5 ++++
 .../src/templates/opac/parts/locale_picker.tt2     |    2 +-
 Open-ILS/src/templates/opac/parts/login/form.tt2   |    2 +-
 Open-ILS/src/templates/opac/parts/searchbar.tt2    |    8 +++---
 docs/RELEASE_NOTES_2_10.adoc                       |   26 ++++++++++++++++++++
 docs/RELEASE_NOTES_2_11.adoc                       |   17 ++++++++++++-
 docs/RELEASE_NOTES_2_12.adoc                       |   16 +++++++++++-
 7 files changed, 68 insertions(+), 8 deletions(-)
 create mode 100644 Open-ILS/src/sql/Pg/version-upgrade/2.10.11-2.10.12-upgrade-db.sql


hooks/post-receive
-- 
Evergreen ILS

