[open-ils-commits] [GIT] Evergreen ILS branch rel_3_1 updated. 79b61de9f03af09032dc9586983cf30006edcfed

Evergreen Git git at git.evergreen-ils.org
Wed Mar 28 15:12:35 EDT 2018


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, rel_3_1 has been updated
       via  79b61de9f03af09032dc9586983cf30006edcfed (commit)
       via  cb561649ca7e11b0c19e32aad6f0d409007c9e67 (commit)
       via  1d6b97e45218769fcfd1e79117aab2c9612c091f (commit)
       via  57b47726a735fd258938483c6b6a47043e6f1615 (commit)
       via  07f65f1d4b1153e9f7b08243d3968cd3ab6b184e (commit)
       via  ccd704417339d92fb1fe801120c0623968c699f3 (commit)
      from  d02cedd462ccb0da4efca9428fefdbd4665c3080 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 79b61de9f03af09032dc9586983cf30006edcfed
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Wed Mar 28 10:40:59 2018 -0400

    2.12.11-2.12.12 schema update
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/Open-ILS/src/sql/Pg/version-upgrade/2.12.11-2.12.12-upgrade-db.sql b/Open-ILS/src/sql/Pg/version-upgrade/2.12.11-2.12.12-upgrade-db.sql
new file mode 100644
index 0000000..48fe1a7
--- /dev/null
+++ b/Open-ILS/src/sql/Pg/version-upgrade/2.12.11-2.12.12-upgrade-db.sql
@@ -0,0 +1,5 @@
+--Upgrade Script for 2.12.11 to 2.12.12
+\set eg_version '''2.12.12'''
+BEGIN;
+INSERT INTO config.upgrade_log (version, applied_to) VALUES ('2.12.12', :eg_version);
+COMMIT;

commit cb561649ca7e11b0c19e32aad6f0d409007c9e67
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Wed Mar 28 10:38:59 2018 -0400

    3.0.5-3.0.6 schema update
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/Open-ILS/src/sql/Pg/version-upgrade/3.0.5-3.0.6-upgrade-db.sql b/Open-ILS/src/sql/Pg/version-upgrade/3.0.5-3.0.6-upgrade-db.sql
new file mode 100644
index 0000000..6f456ce
--- /dev/null
+++ b/Open-ILS/src/sql/Pg/version-upgrade/3.0.5-3.0.6-upgrade-db.sql
@@ -0,0 +1,272 @@
+--Upgrade Script for 3.0.5 to 3.0.6
+\set eg_version '''3.0.6'''
+BEGIN;
+INSERT INTO config.upgrade_log (version, applied_to) VALUES ('3.0.6', :eg_version);
+  
+SELECT evergreen.upgrade_deps_block_check('1107', :eg_version);
+
+CREATE OR REPLACE FUNCTION asset.merge_record_assets( target_record BIGINT, source_record BIGINT ) RETURNS INT AS $func$
+DECLARE
+    moved_objects INT := 0;
+    source_cn     asset.call_number%ROWTYPE;
+    target_cn     asset.call_number%ROWTYPE;
+    metarec       metabib.metarecord%ROWTYPE;
+    hold          action.hold_request%ROWTYPE;
+    ser_rec       serial.record_entry%ROWTYPE;
+    ser_sub       serial.subscription%ROWTYPE;
+    acq_lineitem  acq.lineitem%ROWTYPE;
+    acq_request   acq.user_request%ROWTYPE;
+    booking       booking.resource_type%ROWTYPE;
+    source_part   biblio.monograph_part%ROWTYPE;
+    target_part   biblio.monograph_part%ROWTYPE;
+    multi_home    biblio.peer_bib_copy_map%ROWTYPE;
+    uri_count     INT := 0;
+    counter       INT := 0;
+    uri_datafield TEXT;
+    uri_text      TEXT := '';
+BEGIN
+
+    -- move any 856 entries on records that have at least one MARC-mapped URI entry
+    SELECT  INTO uri_count COUNT(*)
+      FROM  asset.uri_call_number_map m
+            JOIN asset.call_number cn ON (m.call_number = cn.id)
+      WHERE cn.record = source_record;
+
+    IF uri_count > 0 THEN
+        
+        -- This returns more nodes than you might expect:
+        -- 7 instead of 1 for an 856 with $u $y $9
+        SELECT  COUNT(*) INTO counter
+          FROM  oils_xpath_table(
+                    'id',
+                    'marc',
+                    'biblio.record_entry',
+                    '//*[@tag="856"]',
+                    'id=' || source_record
+                ) as t(i int,c text);
+    
+        FOR i IN 1 .. counter LOOP
+            SELECT  '<datafield xmlns="http://www.loc.gov/MARC21/slim"' || 
+			' tag="856"' ||
+			' ind1="' || FIRST(ind1) || '"'  ||
+			' ind2="' || FIRST(ind2) || '">' ||
+                        STRING_AGG(
+                            '<subfield code="' || subfield || '">' ||
+                            regexp_replace(
+                                regexp_replace(
+                                    regexp_replace(data,'&','&','g'),
+                                    '>', '>', 'g'
+                                ),
+                                '<', '<', 'g'
+                            ) || '</subfield>', ''
+                        ) || '</datafield>' INTO uri_datafield
+              FROM  oils_xpath_table(
+                        'id',
+                        'marc',
+                        'biblio.record_entry',
+                        '//*[@tag="856"][position()=' || i || ']/@ind1|' ||
+                        '//*[@tag="856"][position()=' || i || ']/@ind2|' ||
+                        '//*[@tag="856"][position()=' || i || ']/*/@code|' ||
+                        '//*[@tag="856"][position()=' || i || ']/*[@code]',
+                        'id=' || source_record
+                    ) as t(id int,ind1 text, ind2 text,subfield text,data text);
+
+            -- As most of the results will be NULL, protect against NULLifying
+            -- the valid content that we do generate
+            uri_text := uri_text || COALESCE(uri_datafield, '');
+        END LOOP;
+
+        IF uri_text <> '' THEN
+            UPDATE  biblio.record_entry
+              SET   marc = regexp_replace(marc,'(</[^>]*record>)', uri_text || E'\\1')
+              WHERE id = target_record;
+        END IF;
+
+    END IF;
+
+	-- Find and move metarecords to the target record
+	SELECT	INTO metarec *
+	  FROM	metabib.metarecord
+	  WHERE	master_record = source_record;
+
+	IF FOUND THEN
+		UPDATE	metabib.metarecord
+		  SET	master_record = target_record,
+			mods = NULL
+		  WHERE	id = metarec.id;
+
+		moved_objects := moved_objects + 1;
+	END IF;
+
+	-- Find call numbers attached to the source ...
+	FOR source_cn IN SELECT * FROM asset.call_number WHERE record = source_record LOOP
+
+		SELECT	INTO target_cn *
+		  FROM	asset.call_number
+		  WHERE	label = source_cn.label
+            AND prefix = source_cn.prefix
+            AND suffix = source_cn.suffix
+			AND owning_lib = source_cn.owning_lib
+			AND record = target_record
+			AND NOT deleted;
+
+		-- ... and if there's a conflicting one on the target ...
+		IF FOUND THEN
+
+			-- ... move the copies to that, and ...
+			UPDATE	asset.copy
+			  SET	call_number = target_cn.id
+			  WHERE	call_number = source_cn.id;
+
+			-- ... move V holds to the move-target call number
+			FOR hold IN SELECT * FROM action.hold_request WHERE target = source_cn.id AND hold_type = 'V' LOOP
+		
+				UPDATE	action.hold_request
+				  SET	target = target_cn.id
+				  WHERE	id = hold.id;
+		
+				moved_objects := moved_objects + 1;
+			END LOOP;
+        
+            UPDATE asset.call_number SET deleted = TRUE WHERE id = source_cn.id;
+
+		-- ... if not ...
+		ELSE
+			-- ... just move the call number to the target record
+			UPDATE	asset.call_number
+			  SET	record = target_record
+			  WHERE	id = source_cn.id;
+		END IF;
+
+		moved_objects := moved_objects + 1;
+	END LOOP;
+
+	-- Find T holds targeting the source record ...
+	FOR hold IN SELECT * FROM action.hold_request WHERE target = source_record AND hold_type = 'T' LOOP
+
+		-- ... and move them to the target record
+		UPDATE	action.hold_request
+		  SET	target = target_record
+		  WHERE	id = hold.id;
+
+		moved_objects := moved_objects + 1;
+	END LOOP;
+
+	-- Find serial records targeting the source record ...
+	FOR ser_rec IN SELECT * FROM serial.record_entry WHERE record = source_record LOOP
+		-- ... and move them to the target record
+		UPDATE	serial.record_entry
+		  SET	record = target_record
+		  WHERE	id = ser_rec.id;
+
+		moved_objects := moved_objects + 1;
+	END LOOP;
+
+	-- Find serial subscriptions targeting the source record ...
+	FOR ser_sub IN SELECT * FROM serial.subscription WHERE record_entry = source_record LOOP
+		-- ... and move them to the target record
+		UPDATE	serial.subscription
+		  SET	record_entry = target_record
+		  WHERE	id = ser_sub.id;
+
+		moved_objects := moved_objects + 1;
+	END LOOP;
+
+	-- Find booking resource types targeting the source record ...
+	FOR booking IN SELECT * FROM booking.resource_type WHERE record = source_record LOOP
+		-- ... and move them to the target record
+		UPDATE	booking.resource_type
+		  SET	record = target_record
+		  WHERE	id = booking.id;
+
+		moved_objects := moved_objects + 1;
+	END LOOP;
+
+	-- Find acq lineitems targeting the source record ...
+	FOR acq_lineitem IN SELECT * FROM acq.lineitem WHERE eg_bib_id = source_record LOOP
+		-- ... and move them to the target record
+		UPDATE	acq.lineitem
+		  SET	eg_bib_id = target_record
+		  WHERE	id = acq_lineitem.id;
+
+		moved_objects := moved_objects + 1;
+	END LOOP;
+
+	-- Find acq user purchase requests targeting the source record ...
+	FOR acq_request IN SELECT * FROM acq.user_request WHERE eg_bib = source_record LOOP
+		-- ... and move them to the target record
+		UPDATE	acq.user_request
+		  SET	eg_bib = target_record
+		  WHERE	id = acq_request.id;
+
+		moved_objects := moved_objects + 1;
+	END LOOP;
+
+	-- Find parts attached to the source ...
+	FOR source_part IN SELECT * FROM biblio.monograph_part WHERE record = source_record LOOP
+
+		SELECT	INTO target_part *
+		  FROM	biblio.monograph_part
+		  WHERE	label = source_part.label
+			AND record = target_record;
+
+		-- ... and if there's a conflicting one on the target ...
+		IF FOUND THEN
+
+			-- ... move the copy-part maps to that, and ...
+			UPDATE	asset.copy_part_map
+			  SET	part = target_part.id
+			  WHERE	part = source_part.id;
+
+			-- ... move P holds to the move-target part
+			FOR hold IN SELECT * FROM action.hold_request WHERE target = source_part.id AND hold_type = 'P' LOOP
+		
+				UPDATE	action.hold_request
+				  SET	target = target_part.id
+				  WHERE	id = hold.id;
+		
+				moved_objects := moved_objects + 1;
+			END LOOP;
+
+		-- ... if not ...
+		ELSE
+			-- ... just move the part to the target record
+			UPDATE	biblio.monograph_part
+			  SET	record = target_record
+			  WHERE	id = source_part.id;
+		END IF;
+
+		moved_objects := moved_objects + 1;
+	END LOOP;
+
+	-- Find multi_home items attached to the source ...
+	FOR multi_home IN SELECT * FROM biblio.peer_bib_copy_map WHERE peer_record = source_record LOOP
+		-- ... and move them to the target record
+		UPDATE	biblio.peer_bib_copy_map
+		  SET	peer_record = target_record
+		  WHERE	id = multi_home.id;
+
+		moved_objects := moved_objects + 1;
+	END LOOP;
+
+	-- And delete mappings where the item's home bib was merged with the peer bib
+	DELETE FROM biblio.peer_bib_copy_map WHERE peer_record = (
+		SELECT (SELECT record FROM asset.call_number WHERE id = call_number)
+		FROM asset.copy WHERE id = target_copy
+	);
+
+    -- replace book bag entries of source_record with target_record
+    UPDATE container.biblio_record_entry_bucket_item
+        SET target_biblio_record_entry = target_record
+        WHERE bucket IN (SELECT id FROM container.biblio_record_entry_bucket WHERE btype = 'bookbag')
+        AND target_biblio_record_entry = source_record;
+
+    -- Finally, "delete" the source record
+    DELETE FROM biblio.record_entry WHERE id = source_record;
+
+	-- That's all, folks!
+	RETURN moved_objects;
+END;
+$func$ LANGUAGE plpgsql;
+
+COMMIT;
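Review bot: As shown, the three regexp_replace calls in the 856 rebuild loop (`regexp_replace(data,'&','&','g')`, then `'>', '>', 'g'` and `'<', '<', 'g'`) replace each character with itself, so subfield text containing `&`, `<` or `>` is spliced verbatim into the `<subfield>` markup that the later UPDATE inserts in front of the target record's closing `record` element. If the archive rendering has decoded entities this is only a display artifact, but the committed script should read `regexp_replace(data,'&','&amp;','g')`, `'>', '&gt;', 'g'` and `'<', '&lt;', 'g'`, in that order, so the ampersand is escaped before the generated entities are introduced. Since the 856 content comes from record data that may have been imported, leaving it unescaped lets a malformed source record corrupt or alter the target record's MARCXML rather than just moving the field, which is worth confirming against the on-disk file before tagging the release.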

commit 1d6b97e45218769fcfd1e79117aab2c9612c091f
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Wed Mar 28 10:14:41 2018 -0400

    release notes for Evergreen 2.12.12
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/docs/RELEASE_NOTES_2_12.adoc b/docs/RELEASE_NOTES_2_12.adoc
index fddb133..a35667f 100644
--- a/docs/RELEASE_NOTES_2_12.adoc
+++ b/docs/RELEASE_NOTES_2_12.adoc
@@ -3,6 +3,39 @@ Evergreen 2.12 Release Notes
 :toc:
 :numbered:
 
+Evergreen 2.12.12
+-----------------
+This release is a security release that fixes cross-site scripting
+(XSS) vulnerabilities in the Evergreen public catalog.
+
+Security Issue: XSS Vulnerability in Public Catalog
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+This release fixes several cross-site scripting (XSS) vulnerabilities
+in the public catalog. When upgrading, Evergreen administrators should
+review whether any of the following templates have been customized
+or overridden. If so, either the template should be replaced with the
+stock version or the XSS fix (which entails adding the `| html` filter
+in several places) applied to the customized version.
+
+* `Open-ILS/src/templates/opac/parts/record/contents.tt2`
+* `Open-ILS/src/templates/opac/parts/record/copy_counts.tt2`
+* `Open-ILS/src/templates/opac/parts/record/issues-mfhd.tt2`
+
+Note that exploiting the XSS vulnerabilities fixed in this release
+would require either the ability to create maliciously-constructed
+MARC bibliographic or holdings records or the ability to set a
+maliciously constructed organizational unit name.
+
+Acknowledgements
+~~~~~~~~~~~~~~~~
+We would like to thank the following individuals who contributed code,
+tests and documentation patches to the 2.12.12 security release of
+Evergreen:
+
+* Galen Charlton
+* Dan Scott
+* Chris Sharp
+
 Evergreen 2.12.11
 -----------------
 This release contains bug fixes improving on Evergreen 2.12.10:

commit 57b47726a735fd258938483c6b6a47043e6f1615
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Wed Mar 28 10:29:12 2018 -0400

    release notes for Evergreen 3.0.6
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/docs/RELEASE_NOTES_3_0.adoc b/docs/RELEASE_NOTES_3_0.adoc
index ffb5234..714d28d 100644
--- a/docs/RELEASE_NOTES_3_0.adoc
+++ b/docs/RELEASE_NOTES_3_0.adoc
@@ -3,6 +3,66 @@ Evergreen 3.0 Release Notes
 :toc:
 :numbered:
 
+Evergreen 3.0.6
+---------------
+This release is a security release that fixes cross-site scripting
+(XSS) vulnerabilities in the Evergreen public catalog. This release
+also includes several other bugfixes improving on Evergreen 3.0.5.
+
+Security Issue: XSS Vulnerability in Public Catalog
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+This release fixes several cross-site scripting (XSS) vulnerabilities
+in the public catalog. When upgrading, Evergreen administrators should
+review whether any of the following templates have been customized
+or overridden. If so, either the template should be replaced with the
+stock version or the XSS fix (which entails adding the `| html` filter
+in several places) applied to the customized version.
+
+* `Open-ILS/src/templates/opac/parts/record/contents.tt2`
+* `Open-ILS/src/templates/opac/parts/record/copy_counts.tt2`
+* `Open-ILS/src/templates/opac/parts/record/issues-mfhd.tt2`
+
+Note that exploiting the XSS vulnerabilities fixed in this release
+would require either the ability to create maliciously-constructed
+MARC bibliographic or holdings records or the ability to set a
+maliciously constructed organizational unit name.
+
+Other Bugfixes
+~~~~~~~~~~~~~~
+Evergreen 3.0.6 also includes the following changes:
+
+* When using 'Selection Lists -> Edit MARC Order Record' in the web
+  staff client, now only one click is required to save the MARC
+  record rather than two.
+* The volume/copy editor in the web staff client now better handles
+  editing multiple items that have different sets of statistical
+  category values assigned to them.
+* The act of merging bibliographic records now updates bookbags
+  that referred to the source bibliographic record rather than
+  effectively deleting entries for that record.
+* Additional columns were added to the Holds Pull List in the
+  web staff client.
+* The patron registration form in the web staff client now correctly
+  manages setting user preferences.
+* An error in a pgTAP unit test was corrected.
+
+Acknowledgements
+~~~~~~~~~~~~~~~~
+We would like to thank the following individuals who contributed code,
+tests and documentation patches to the 3.0.6 security release of
+Evergreen:
+
+* Galen Charlton
+* Bill Erickson
+* Rogan Hamby
+* Kathy Lussier
+* Terran McCanna
+* Andrea Neiman
+* Mike Rylander
+* Dan Scott
+* Chris Sharp
+* Cesar Velez
+
 Evergreen 3.0.5
 ---------------
 This release contains bug fixes improving on Evergreen 3.0.4.

commit 07f65f1d4b1153e9f7b08243d3968cd3ab6b184e
Author: Galen Charlton <gmc at equinoxinitiative.org>
Date:   Tue Mar 27 16:30:35 2018 -0400

    LP#1757526: escape more catalog data (MFHD edition)
    
    This patch ensures that data derived from MFHDs is escaped
    in the issues held tab on the public catalog record display
    page.
    
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>
    Signed-off-by: Chris Sharp <csharp at georgialibraries.org>
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/Open-ILS/src/templates/opac/parts/record/issues-mfhd.tt2 b/Open-ILS/src/templates/opac/parts/record/issues-mfhd.tt2
index ced0ec6..bd6bb97 100644
--- a/Open-ILS/src/templates/opac/parts/record/issues-mfhd.tt2
+++ b/Open-ILS/src/templates/opac/parts/record/issues-mfhd.tt2
@@ -20,7 +20,7 @@
                 NEXT UNLESS serial.$type.size;
                 IF !printed_mfhd_header; %]
                 <tr>
-                    <td class="rdetail-mfhd-head" colspan="2">[% l('Holdings summary ([_1])', serial.location) %]</td>
+                    <td class="rdetail-mfhd-head" colspan="2">[% l('Holdings summary ([_1])', serial.location) | html %]</td>
                 </tr>
                 [% printed_mfhd_header = 1;
                 END; %]
@@ -28,7 +28,7 @@
                     <td class="rdetail-mfhd-type">[% mfhd.$type %]</td>
                     <td class="rdetail-mfhd-contents">[%
                         FOR thing IN serial.$type;
-                            thing.join(", ");
+                            thing.join(", ") | html;
                         END %]</td>
                 </tr>
             [% END;
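Review bot: `[% mfhd.$type %]` in the `rdetail-mfhd-type` cell of the second hunk is still emitted without `| html`, while the location header in the first hunk and the joined values right after it now get the filter. If `mfhd` is a fixed map of translated labels this is harmless; if it is populated from MFHD data it is the same kind of sink and should become `[% mfhd.$type | html %]` so the whole row is filtered consistently. The loop over serial types that encloses both hunks starts and ends outside them.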

commit ccd704417339d92fb1fe801120c0623968c699f3
Author: Dan Scott <dscott at laurentian.ca>
Date:   Wed Mar 21 22:08:35 2018 +0100

    LP1757526 Escape displayed catalogue data
    
    Content in content fields (5xx) as well as for the names of locations in copy
    count alt text was not being properly escaped, allowing for the possibility of
    executing arbitrary JavaScript in the case of a malicious catalogue record
    (whether edited in the system, or imported)
    
    Signed-off-by: Dan Scott <dscott at laurentian.ca>
    Signed-off-by: Chris Sharp <csharp at georgialibraries.org>
    Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>

diff --git a/Open-ILS/src/templates/opac/parts/record/contents.tt2 b/Open-ILS/src/templates/opac/parts/record/contents.tt2
index 87057dc..db80b47 100644
--- a/Open-ILS/src/templates/opac/parts/record/contents.tt2
+++ b/Open-ILS/src/templates/opac/parts/record/contents.tt2
@@ -177,8 +177,7 @@ BLOCK render_contents;
             all_content.push(subfield.textContent);
         END;
         total_contents = all_content.join(" ").replace('\s+$', '');
-        %] [% total_contents;
-        IF total_contents.size; "<br/>"; END;
+        %] [% "<div class='content_field'>"; total_contents | html ; "</div>";
         FOREACH link880 IN graphics;
             '<div class="graphic880"' _ link880.dir _ '>';
             link880.value | html;
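Review bot: `link880.dir` on the line after the change is concatenated into the `<div class="graphic880"` tag unfiltered, while `link880.value` directly below it gets `| html`. If `dir` is derived from the 880 field's data rather than from a fixed set of attribute strings, it is the same class of sink as the one this commit fixes and should be passed through the `html` filter too. Separately, the new line emits `<div class='content_field'></div>` even when `total_contents` is empty, where the old code emitted nothing; keeping an `IF total_contents.size` guard around the div preserves the markup for records without contents. `BLOCK render_contents` begins before this hunk and continues past it.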
diff --git a/Open-ILS/src/templates/opac/parts/record/copy_counts.tt2 b/Open-ILS/src/templates/opac/parts/record/copy_counts.tt2
index eee85e8..e6e783f 100644
--- a/Open-ILS/src/templates/opac/parts/record/copy_counts.tt2
+++ b/Open-ILS/src/templates/opac/parts/record/copy_counts.tt2
@@ -23,7 +23,7 @@
     [%- this_depth = ctx.get_aou(ou_id).ou_type.depth;
         IF ou_count > 0 && this_depth != ctx.copy_depth %]
     <a href="[% mkurl('', {copy_depth => this_depth}, ['copy_offset']); %]"
-       title="[% l('Show copies at [_1]', ou_name); %]">
+       title="[% l('Show copies at [_1]', ou_name) | html; %]">
        [%- l('(Show)'); %]</a>
     [%- END; %]
     </li>
@@ -43,7 +43,7 @@
             attrs.plib_copy_counts.$depth.count,
             ou_name) | html
     %] <a href="[% mkurl('', {locg => ou_id}, ['copy_offset']); %]"
-       title="[% l('Show copies at [_1]', ou_name); %]">[%
+       title="[% l('Show copies at [_1]', ou_name) | html; %]">[%
        l('(Show preferred library)');
     %]</a></li>
     [%- END %]

-----------------------------------------------------------------------

Summary of changes:
 .../version-upgrade/2.12.11-2.12.12-upgrade-db.sql |    5 ++
 .../3.0.5-3.0.6-upgrade-db.sql}                    |    3 +
 .../src/templates/opac/parts/record/contents.tt2   |    3 +-
 .../templates/opac/parts/record/copy_counts.tt2    |    4 +-
 .../templates/opac/parts/record/issues-mfhd.tt2    |    4 +-
 docs/RELEASE_NOTES_2_12.adoc                       |   33 +++++++++++
 docs/RELEASE_NOTES_3_0.adoc                        |   60 ++++++++++++++++++++
 7 files changed, 106 insertions(+), 6 deletions(-)
 create mode 100644 Open-ILS/src/sql/Pg/version-upgrade/2.12.11-2.12.12-upgrade-db.sql
 copy Open-ILS/src/sql/Pg/{upgrade/1107.schema.preserve_book_bags_on_bib_merge.sql => version-upgrade/3.0.5-3.0.6-upgrade-db.sql} (98%)


hooks/post-receive
-- 
Evergreen ILS

