[open-ils-commits] [GIT] Evergreen ILS branch rel_3_1 updated. 403fed85ad5cd81949966968933d2d39c1924c12

Evergreen Git git at git.evergreen-ils.org
Thu Sep 19 16:41:28 EDT 2019


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, rel_3_1 has been updated
       via  403fed85ad5cd81949966968933d2d39c1924c12 (commit)
       via  9b7ca429700540d6ac980a07f7f78b53b0120a22 (commit)
       via  179c30c350e7271dc94834c8f7abf981e3ae5cf7 (commit)
       via  2ca16969613724a18d4106cc20516b17babf8a44 (commit)
       via  05f1d5f226c8b66fa9b39888a38dfdcd0ec5bd44 (commit)
       via  69422257c068149484ab748887e125bd950a9a9a (commit)
      from  2b8434f1b08c0d812840ecef98fb0c18d8841b24 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 403fed85ad5cd81949966968933d2d39c1924c12
Author: Jason Stephenson <jason at sigio.com>
Date:   Thu Sep 19 08:46:12 2019 -0400

    Forward port 3.1.14 to 3.1.15 db upgrade script
    
    Signed-off-by: Jason Stephenson <jason at sigio.com>

diff --git a/Open-ILS/src/sql/Pg/version-upgrade/3.1.14-3.1.15-upgrade-db.sql b/Open-ILS/src/sql/Pg/version-upgrade/3.1.14-3.1.15-upgrade-db.sql
new file mode 100644
index 0000000000..173c44e54c
--- /dev/null
+++ b/Open-ILS/src/sql/Pg/version-upgrade/3.1.14-3.1.15-upgrade-db.sql
@@ -0,0 +1,5 @@
+--Upgrade Script for 3.1.14 to 3.1.15
+\set eg_version '''3.1.15'''
+BEGIN;
+INSERT INTO config.upgrade_log (version, applied_to) VALUES ('3.1.15', :eg_version);
+COMMIT;

commit 9b7ca429700540d6ac980a07f7f78b53b0120a22
Author: Jane Sandberg <sandbej at linnbenton.edu>
Date:   Tue Sep 17 20:48:13 2019 -0700

    Docs: adding release notes for 3.1.15
    
    Signed-off-by: Jane Sandberg <sandbej at linnbenton.edu>
    (cherry picked from commit c59eee9ae4d465735c5b4eebeae452d49b50b584)

diff --git a/docs/RELEASE_NOTES_3_1.adoc b/docs/RELEASE_NOTES_3_1.adoc
index a136370577..133158fb40 100644
--- a/docs/RELEASE_NOTES_3_1.adoc
+++ b/docs/RELEASE_NOTES_3_1.adoc
@@ -3,6 +3,74 @@ Evergreen 3.1 Release Notes
 :toc:
 :numbered:
 
+Evergreen 3.1.15
+----------------
+This release is a security release that fixes cross-site scripting
+(XSS) vulnerabilities in the Evergreen public catalog. This release
+also includes several other bugfixes improving on Evergreen 3.1.14.
+
+Security Issue: XSS Vulnerability in Public Catalog
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+This release fixes several cross-site scripting (XSS) vulnerabilities
+in the public catalog. When upgrading, Evergreen administrators should
+review whether any of the following templates have been customized
+or overridden. If so, either the template should be replaced with the
+stock version or the XSS fix (which entails adding the `| html` filter
+in several places) applied to the customized version.
+
+ * `Open-ILS/src/templates/opac/browse.tt2`
+ * `Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2`
+ * `Open-ILS/src/templates/opac/parts/header.tt2`
+ * `Open-ILS/src/templates/opac/parts/place_hold.tt2`
+ * `Open-ILS/src/templates/opac/parts/place_hold_result.tt2`
+ * `Open-ILS/src/templates/opac/parts/result/adv_filter.tt2`
+
+They should also review the following templates.  If these templates have
+been customized or overridden, either the template should be replaced with
+the stock version or the XSS fix (which entails adding `rel="nofollow` to
+external links) applied to the customized version.
+
+* `Open-ILS/src/templates/opac/parts/record/summary.tt2`
+* `Open-ILS/src/templates/opac/parts/result/table.tt2`
+
+
+Other Bugfixes
+~~~~~~~~~~~~~~
+Evergreen 3.1.15 also includes the following changes:
+
+Circulation
+^^^^^^^^^^^
+
+* Default hold transit slips no longer include patron's personal
+information (https://bugs.launchpad.net/evergreen/+bug/1735847[Bug 1735847])
+* Fixes an issue with the reshelving process
+(https://bugs.launchpad.net/evergreen/+bug/1018011[Bug 1018011])
+
+Reports
+^^^^^^^
+
+* Fixes issues related to cloning templates made in the XUL client
+(https://bugs.launchpad.net/evergreen/+bug/1796945[Bug 1796945])
+
+
+Acknowledgements
+~~~~~~~~~~~~~~~~
+We would like to thank the following individuals who contributed code,
+tests and documentation patches to the 3.1.15 security release of
+Evergreen:
+
+* Thomas Berezansky
+* Jason Boyer
+* Jeff Davis
+* Blake Graham-Henderson
+* Andrea Buntz Neiman
+* Debbie Luchenbill
+* Jane Sandberg
+* Chris Sharp
+* Jason Stephenson
+* Dan Wells
+
+
 Evergreen 3.1.14
 ----------------
 
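Review bot: The second template list in the new 3.1.15 section (summary.tt2 and table.tt2) says the fix "entails adding `rel="nofollow` to external links", but the commit it describes (LP#1559239, 69422257 in this push) adds `rel="noopener"`; `nofollow` only appears on the ContentCafe link, which already carried it. Suggest rewording to `rel="noopener"` and closing the backtick and quote, which are both left open in the current text. Minor style point: the first template list is indented with a leading space (` * `) while the second uses `* `; keeping the two consistent makes the section easier to maintain.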

commit 179c30c350e7271dc94834c8f7abf981e3ae5cf7
Author: Jeff Davis <jdavis at sitka.bclibraries.ca>
Date:   Mon Jun 10 09:53:44 2019 -0700

    LP#1822630: fix sanitizing CGI params on place_hold_result
    
    Signed-off-by: Jeff Davis <jdavis at sitka.bclibraries.ca>
    Signed-off-by: Jason Stephenson <jason at sigio.com>
    (cherry picked from commit 019118895c94f5cc810b3f1fb95b2634a1c993b6)

diff --git a/Open-ILS/src/templates/opac/parts/place_hold_result.tt2 b/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
index 2f434bdc60..2b5c4eeab1 100644
--- a/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
+++ b/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
@@ -148,10 +148,10 @@ function disable_submit() {
         [% END %]
         <span>
         [% IF any_failures OR ctx.general_hold_error %]
-        <a href="[% CGI.param('redirect_to') | html || CGI.referer | html %]">[% l('Cancel') %]</a>
+        <a href="[% (CGI.param('redirect_to') || CGI.referer) | html %]">[% l('Cancel') %]</a>
         [% ELSE %]
         <div class='hold_success_links'>
-          <span><a href="[% CGI.param('redirect_to') | html || CGI.referer | html %]">[% l('Continue') %]</a></span>
+          <span><a href="[% (CGI.param('redirect_to') || CGI.referer) | html %]">[% l('Continue') %]</a></span>
            [% IF ctx.is_staff %]
              [% IF CGI.param('hold_type') == 'C';
                   hold_type_label = l('copy');
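Review bot: The grouped form `(CGI.param('redirect_to') || CGI.referer) | html` applies a single filter to whichever value is chosen, which resolves the precedence problem of the earlier line. Escaping only covers the attribute context, though: `redirect_to` remains a caller-supplied URL used as a link target, so it is worth validating where it is read that it is a relative path or same-origin URL, so the hold result page cannot be used as an open redirect.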

commit 2ca16969613724a18d4106cc20516b17babf8a44
Author: Jeff Davis <jdavis at sitka.bclibraries.ca>
Date:   Mon Apr 1 15:13:09 2019 -0700

    LP#1822630: further sanitizing of CGI params when embedded in HTML
    
    Signed-off-by: Jeff Davis <jdavis at sitka.bclibraries.ca>
    Signed-off-by: Chris Sharp <csharp at georgialibraries.org>
    Signed-off-by: Jason Stephenson <jason at sigio.com>
    (cherry picked from commit e2d401a9da3c70c1e56e518f40d0de928919990f)

diff --git a/Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2 b/Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2
index d5ba0f48ea..668b5fab3e 100644
--- a/Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2
+++ b/Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2
@@ -45,13 +45,13 @@ dojo.forEach(vendor_list, function(v) {
 // essential info for performing a transaction
 var ebook_action = {};
 [%- IF CGI.param("action").defined %]
-ebook_action.type = '[% CGI.param("action") %]';
+ebook_action.type = '[% CGI.param("action") | html %]';
 [%- END -%]
 [%- IF CGI.param("title").defined %]
-ebook_action.title_id = '[% CGI.param("title") %]';
+ebook_action.title_id = '[% CGI.param("title") | html %]';
 [%- END -%]
 [%- IF CGI.param("vendor").defined %]
-ebook_action.vendor = '[% CGI.param("vendor") %]';
+ebook_action.vendor = '[% CGI.param("vendor") | html %]';
 [%- END -%]
 
 [% IF ctx.user %]
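Review bot: These three values are interpolated inside single-quoted JavaScript string literals, and TT's `html` filter escapes only `&`, `<`, `>` and `"`, so a single quote or backslash in `action`, `title` or `vendor` still reaches the script unescaped. Suggest emitting the values through a JSON or JavaScript-string encoder (or additionally escaping `'` and `\`), or moving them into `data-` attributes that the script reads, rather than relying on HTML escaping in a script context. Escaping `<` does prevent an early `</script>`, so this is an improvement, but not a complete fix for this context.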
diff --git a/Open-ILS/src/templates/opac/parts/header.tt2 b/Open-ILS/src/templates/opac/parts/header.tt2
index de933e9e62..81789655e2 100644
--- a/Open-ILS/src/templates/opac/parts/header.tt2
+++ b/Open-ILS/src/templates/opac/parts/header.tt2
@@ -19,7 +19,7 @@
     # parts/searchbar.tt2, and results.tt2.
     show_detail_view = 0;
     IF CGI.param("detail_record_view").defined;
-        show_detail_view = CGI.param("detail_record_view");
+        show_detail_view = CGI.param("detail_record_view") | html;
     ELSIF show_more_details.default == "true" OR
           show_more_details.default == "hide";
         show_detail_view = 1;
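Review bot: In Template Toolkit a postfix `| html` on an assignment filters the output of the `SET` directive, which is empty, rather than the value stored in `show_detail_view`; please verify with a value containing `<` that the variable is actually escaped before relying on this line. Since the neighbouring branches set the flag to 0 or 1, a more robust fix is to normalise the parameter to a boolean (for example `show_detail_view = CGI.param("detail_record_view") ? 1 : 0`) so that no attacker-controlled string is stored in the variable at all.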
diff --git a/Open-ILS/src/templates/opac/parts/place_hold.tt2 b/Open-ILS/src/templates/opac/parts/place_hold.tt2
index 099208c950..9284362db2 100644
--- a/Open-ILS/src/templates/opac/parts/place_hold.tt2
+++ b/Open-ILS/src/templates/opac/parts/place_hold.tt2
@@ -189,7 +189,7 @@ function maybeToggleNumCopies(obj) {
                                 [% l('Advanced Hold Options') %]</a>
                         [% END %]
                         [% IF CGI.param('hold_type') == 'M' AND CGI.param('bre_id') %]
-                            <input type="hidden" name="bre_id" value="[% CGI.param('bre_id') %]" />
+                            <input type="hidden" name="bre_id" value="[% CGI.param('bre_id') | html %]" />
                             <a id='basic_hold_link'
                                href="[% mkurl('', {hold_target => CGI.param('bre_id'), hold_type => 'T'}) %]">
                                 [% l('Basic Hold Options') %]</a>
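Review bot: Escaping `bre_id` in the hidden input is correct for the attribute context, but the same parameter is also passed raw to `mkurl()` on the following line. Since `bre_id` is a bibliographic record id, rejecting or coercing non-numeric values where the parameter is first read would cover both uses at once.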
diff --git a/Open-ILS/src/templates/opac/parts/place_hold_result.tt2 b/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
index 009145aeb2..2f434bdc60 100644
--- a/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
+++ b/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
@@ -148,10 +148,10 @@ function disable_submit() {
         [% END %]
         <span>
         [% IF any_failures OR ctx.general_hold_error %]
-        <a href="[% CGI.param('redirect_to') || CGI.referer | html %]">[% l('Cancel') %]</a>
+        <a href="[% CGI.param('redirect_to') | html || CGI.referer | html %]">[% l('Cancel') %]</a>
         [% ELSE %]
         <div class='hold_success_links'>
-          <span><a href="[% CGI.param('redirect_to') || CGI.referer | html %]">[% l('Continue') %]</a></span>
+          <span><a href="[% CGI.param('redirect_to') | html || CGI.referer | html %]">[% l('Continue') %]</a></span>
            [% IF ctx.is_staff %]
              [% IF CGI.param('hold_type') == 'C';
                   hold_type_label = l('copy');
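Review bot: `CGI.param('redirect_to') | html || CGI.referer | html` is hard to read and its precedence is unclear, because the postfix `| html` binds to the directive rather than to an operand of `||`; the follow-up commit 179c30c350e7 in this same push replaces it with `(CGI.param('redirect_to') || CGI.referer) | html`. Suggest squashing the two commits so the intermediate form never lands on the release branch.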
diff --git a/Open-ILS/src/templates/opac/parts/result/adv_filter.tt2 b/Open-ILS/src/templates/opac/parts/result/adv_filter.tt2
index ae2ef7a50c..35b2c77723 100644
--- a/Open-ILS/src/templates/opac/parts/result/adv_filter.tt2
+++ b/Open-ILS/src/templates/opac/parts/result/adv_filter.tt2
@@ -62,8 +62,8 @@ FOR filter IN ctx.query_struct.filters;
 [%- END; # IF locations -%]
 
 [%- IF pubdate_filters.grep('^' _ filter.name _ '$').size;
-    date1 = CGI.param('date1');
-    date2 = CGI.param('date2');
+    date1 = CGI.param('date1') | html;
+    date2 = CGI.param('date2') | html;
 -%]
     <div class="adv_filter_results_group_wrapper">
       <div class="adv_filter_results_group">
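Review bot: Same concern as the header.tt2 change: `| html` on an assignment inside a directive block filters the (empty) output of the `SET`, so `date1` and `date2` may still hold the raw parameter; please confirm the escaping takes effect where these variables are later emitted. Because they are publication-date bounds, validating them as digits (for example with the `match` vmethod, `CGI.param('date1').match('^\d+$')`) is a stricter fix than escaping.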

commit 05f1d5f226c8b66fa9b39888a38dfdcd0ec5bd44
Author: Jeff Davis <jdavis at sitka.bclibraries.ca>
Date:   Mon Apr 1 10:00:59 2019 -0700

    LP#1822630: sanitize user input before display on browse results
    
    Signed-off-by: Jeff Davis <jdavis at sitka.bclibraries.ca>
    Signed-off-by: Chris Sharp <csharp at georgialibraries.org>
    Signed-off-by: Jason Stephenson <jason at sigio.com>
    (cherry picked from commit 4402695e80dbcee5187a35de46e5e314bab1231a)

diff --git a/Open-ILS/src/templates/opac/browse.tt2 b/Open-ILS/src/templates/opac/browse.tt2
index ea27b7d71e..7d917de405 100644
--- a/Open-ILS/src/templates/opac/browse.tt2
+++ b/Open-ILS/src/templates/opac/browse.tt2
@@ -45,7 +45,7 @@
                 <div id="browse-controls" class='searchbar'>
                     <form method="get" onsubmit="$('browse-submit-spinner').className = ''; return true">
                         <input type="hidden" name="blimit"
-                            value="[% blimit %]" />
+                            value="[% blimit | html %]" />
 
                         [% control_qtype = INCLUDE "opac/parts/qtype_selector.tt2"
                             id="browse-search-class" browse_only=1 plural=1 %]
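Review bot: Escaping `blimit` in the hidden input is the right fix for the attribute context. Since `blimit` is a browse result limit, an integer check at the point where it is taken from the request would be stricter still and would also protect any other place the value is used.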

commit 69422257c068149484ab748887e125bd950a9a9a
Author: Jeff Davis <jdavis at sitka.bclibraries.ca>
Date:   Thu Sep 13 11:58:48 2018 -0700

    LP#1559239: use rel="noopener" when opening external URLs in a new tab
    
    Signed-off-by: Jeff Davis <jdavis at sitka.bclibraries.ca>
    Signed-off-by: Jason Stephenson <jason at sigio.com>
    (cherry picked from commit 1eccaeec88a99e9792b388e95732faa7576e7164)

diff --git a/Open-ILS/src/templates/opac/parts/record/summary.tt2 b/Open-ILS/src/templates/opac/parts/record/summary.tt2
index 223b0f34c3..acb244eedd 100644
--- a/Open-ILS/src/templates/opac/parts/record/summary.tt2
+++ b/Open-ILS/src/templates/opac/parts/record/summary.tt2
@@ -176,7 +176,7 @@
         FOREACH res IN openurls;
 %]
         <tr>
-            <td class='rdetail_openurl_entry'><a href="[% res.target_url %]" target="_blank">[% res.public_name | html %]</a></td>
+            <td class='rdetail_openurl_entry'><a href="[% res.target_url %]" target="_blank" rel="noopener">[% res.public_name | html %]</a></td>
             <td>[% res.target_coverage | html %]
             [%- IF res.target_embargo != '';
                     ' - ';
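Review bot: `res.target_url` is still emitted unescaped in the `href` while `res.public_name` in the same line gets `| html`; suggest escaping the href as well, since a `"` in the URL would break out of the attribute. Consider `rel="noopener noreferrer"` for browsers that do not honour `noopener`.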
@@ -203,7 +203,7 @@ IF num_uris > 0;
         [%- ELSE -%]
             <li class="rdetail_uri" property="offers" vocab="http://schema.org/" typeof="Offer">
         [%- END -%]
-        <a href="[% uri.href %]" class="uri_link" property="url" target="_blank">
+        <a href="[% uri.href %]" class="uri_link" property="url" target="_blank" rel="noopener">
         [%- IF uri.href != uri.link;
                 '<span property="description">' _ uri.link _ '</span>';
             ELSE;
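Review bot: `uri.href` is unescaped in the `href` attribute, and on the following lines `uri.link` is concatenated raw into the `<span property="description">` markup, whereas table.tt2 emits `uri.link | html`. Both are data rather than template constants, so suggest adding `| html` to each for consistency with the rest of this security fix.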
diff --git a/Open-ILS/src/templates/opac/parts/result/table.tt2 b/Open-ILS/src/templates/opac/parts/result/table.tt2
index 5a7d3a4ff3..e84fff5142 100644
--- a/Open-ILS/src/templates/opac/parts/result/table.tt2
+++ b/Open-ILS/src/templates/opac/parts/result/table.tt2
@@ -322,7 +322,7 @@ END;
                                                                 <td valign='top'>
                                                                     <strong>[% l('Electronic resource') %]</strong>
                                                                 </td>
-                                                                <td><a href="[% uri.href %]" class="uri_link" target="_blank">[% uri.link | html %]</a>[% ' - ' _ uri.note | html IF uri.note %]</td>
+                                                                <td><a href="[% uri.href %]" class="uri_link" target="_blank" rel="noopener">[% uri.link | html %]</a>[% ' - ' _ uri.note | html IF uri.note %]</td>
                                                             </tr>
                                                             [% END %]
                                                          [% END %]
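Review bot: The link text `uri.link | html` and `uri.note | html` are escaped but `uri.href` in the `href` attribute is not; suggest `[% uri.href | html %]` so the attribute cannot be broken out of. As in summary.tt2, `rel="noopener noreferrer"` would extend coverage to older browsers.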
@@ -481,7 +481,7 @@ END;
                                                                [% html_text_attr('title', l('Reviews and More for [_1]', attrs.title)) %]
                                                                 href="[% ctx.ext_proto %]://contentcafe2.btol.com/ContentCafeClient/ContentCafe.aspx?UserID=[%- 
                                                                     ENV.OILS_CONTENT_CAFE_USER %]&Password=[%-
-                                                                    ENV.OILS_CONTENT_CAFE_PASS %]&ItemKey=[% ident | uri %]&Options=Y" rel="nofollow" vocab="">
+                                                                    ENV.OILS_CONTENT_CAFE_PASS %]&ItemKey=[% ident | uri %]&Options=Y" rel="noopener nofollow" vocab="">
                                                                 <img src='[% ctx.media_prefix %]/images/starz.png[% ctx.cache_key %]' alt="[% l('Ratings Icon') %]"/>
                                                                 <span class="results_reviews">[% l('Reviews & More') %]</span>
                                                             </a>
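Review bot: `ENV.OILS_CONTENT_CAFE_USER` and `ENV.OILS_CONTENT_CAFE_PASS` are interpolated into the query string without `| uri`, so any reserved character in those values (`&`, `#`, `%`) corrupts the URL; `ident` on the same line is correctly passed through `| uri`. Since this credential is delivered to every catalog visitor in the page source, it should be a low-privilege, vendor-issued key and not a secret shared with anything else. Adding `noopener` alongside the existing `nofollow` is fine.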

-----------------------------------------------------------------------

Summary of changes:
 .../version-upgrade/3.1.14-3.1.15-upgrade-db.sql   |  5 ++
 Open-ILS/src/templates/opac/browse.tt2             |  2 +-
 .../src/templates/opac/parts/ebook_api/base_js.tt2 |  6 +-
 Open-ILS/src/templates/opac/parts/header.tt2       |  2 +-
 Open-ILS/src/templates/opac/parts/place_hold.tt2   |  2 +-
 .../src/templates/opac/parts/place_hold_result.tt2 |  4 +-
 .../src/templates/opac/parts/record/summary.tt2    |  4 +-
 .../src/templates/opac/parts/result/adv_filter.tt2 |  4 +-
 Open-ILS/src/templates/opac/parts/result/table.tt2 |  4 +-
 docs/RELEASE_NOTES_3_1.adoc                        | 68 ++++++++++++++++++++++
 10 files changed, 87 insertions(+), 14 deletions(-)
 create mode 100644 Open-ILS/src/sql/Pg/version-upgrade/3.1.14-3.1.15-upgrade-db.sql


hooks/post-receive
-- 
Evergreen ILS

