[open-ils-commits] [GIT] Evergreen ILS branch rel_3_2 updated. 7920fa327f9ac52072ea357e6321ad627c2bf3ed

Evergreen Git git at git.evergreen-ils.org
Thu Sep 19 16:41:37 EDT 2019


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, rel_3_2 has been updated
       via  7920fa327f9ac52072ea357e6321ad627c2bf3ed (commit)
       via  db7beba84ca919e58d071f53a3a47cb918310f08 (commit)
       via  5236b66854b17e7a8a973a3710b457695eaa03ae (commit)
       via  785e32bbd8585bfa6d8b5f2f3fcf897dafc9a55c (commit)
       via  2ecb4f2bf1023ffe84f0e988a15ad40ace4e20c3 (commit)
       via  f2359ae346dd6856905e2a80e299457888ce7385 (commit)
       via  92aa9c1eac12d2c685ab160157b4b616b576f5cf (commit)
      from  9c160b81b6bec5407b466e73b065fb7e89dda66a (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 7920fa327f9ac52072ea357e6321ad627c2bf3ed
Author: Jason Stephenson <jason at sigio.com>
Date:   Wed Sep 18 19:16:50 2019 -0400

    Forward port 3.2.8 to 3.2.9 db upgrade script
    
    Signed-off-by: Jason Stephenson <jason at sigio.com>

diff --git a/Open-ILS/src/sql/Pg/version-upgrade/3.2.8-3.2.9-upgrade-db.sql b/Open-ILS/src/sql/Pg/version-upgrade/3.2.8-3.2.9-upgrade-db.sql
new file mode 100644
index 0000000000..5426d9c528
--- /dev/null
+++ b/Open-ILS/src/sql/Pg/version-upgrade/3.2.8-3.2.9-upgrade-db.sql
@@ -0,0 +1,5 @@
+--Upgrade Script for 3.2.8 to 3.2.9
+\set eg_version '''3.2.9'''
+BEGIN;
+INSERT INTO config.upgrade_log (version, applied_to) VALUES ('3.2.9', :eg_version);
+COMMIT;

commit db7beba84ca919e58d071f53a3a47cb918310f08
Author: Jane Sandberg <sandbej at linnbenton.edu>
Date:   Tue Sep 17 20:55:19 2019 -0700

    Docs: adding release notes for 3.2.9
    
    Signed-off-by: Jane Sandberg <sandbej at linnbenton.edu>
    (cherry picked from commit 0f8afd070ab441f29a9f3d9de0188771d06461a2)

diff --git a/docs/RELEASE_NOTES_3_2.adoc b/docs/RELEASE_NOTES_3_2.adoc
index 383e29adb9..7b6c518029 100644
--- a/docs/RELEASE_NOTES_3_2.adoc
+++ b/docs/RELEASE_NOTES_3_2.adoc
@@ -3,6 +3,87 @@ Evergreen 3.2 Release Notes
 :toc:
 :numbered:
 
+Evergreen 3.2.9
+----------------
+This release is a security release that fixes cross-site scripting
+(XSS) vulnerabilities in the Evergreen public catalog. This release
+also includes several other bugfixes improving on Evergreen 3.2.8.
+
+Security Issue: XSS Vulnerability in Public Catalog
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+This release fixes several cross-site scripting (XSS) vulnerabilities
+in the public catalog. When upgrading, Evergreen administrators should
+review whether any of the following templates have been customized
+or overridden. If so, either the template should be replaced with the
+stock version or the XSS fix (which entails adding the `| html` filter
+in several places) applied to the customized version.
+
+ * `Open-ILS/src/templates/opac/browse.tt2`
+ * `Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2`
+ * `Open-ILS/src/templates/opac/parts/header.tt2`
+ * `Open-ILS/src/templates/opac/parts/place_hold.tt2`
+ * `Open-ILS/src/templates/opac/parts/place_hold_result.tt2`
+ * `Open-ILS/src/templates/opac/parts/result/adv_filter.tt2`
+
+They should also review the following templates.  If these templates have
+been customized or overridden, either the template should be replaced with
+the stock version or the XSS fix (which entails adding `rel="nofollow` to
+external links) applied to the customized version.
+
+* `Open-ILS/src/templates/opac/parts/record/summary.tt2`
+* `Open-ILS/src/templates/opac/parts/result/table.tt2`
+
+
+Other Bugfixes
+~~~~~~~~~~~~~~
+Evergreen 3.2.9 also includes the following changes:
+
+General
+^^^^^^^
+
+* Users can now save sort priorities for grids throughout the client
+(https://bugs.launchpad.net/evergreen/+bug/1790169[Bug 1790169])
+
+Circulation
+^^^^^^^^^^^
+
+* Default hold transit slips no longer include patron's personal
+information (https://bugs.launchpad.net/evergreen/+bug/1735847[Bug 1735847])
+* Fixes an issue with the reshelving process
+(https://bugs.launchpad.net/evergreen/+bug/1018011[Bug 1018011])
+
+Reports
+^^^^^^^
+
+* Fixes issues related to cloning templates made in the XUL client
+(https://bugs.launchpad.net/evergreen/+bug/1796945[Bug 1796945])
+
+
+Acknowledgements
+~~~~~~~~~~~~~~~~
+We would like to thank the following individuals who contributed code,
+tests and documentation patches to the 3.2.9 security release of
+Evergreen:
+
+* Thomas Berezansky
+* Jason Boyer
+* Galen Charlton
+* Jeff Davis
+* April Durrence
+* Jason Etheridge
+* Blake Graham-Henderson
+* Andrea Buntz Neiman
+* Debbie Luchenbill
+* Dan Pearl
+* Jane Sandberg
+* Dan Scott
+* Chris Sharp
+* Remington Steed
+* Jason Stephenson
+* Dan Wells
+* Derek C. Zoladz
+
+
 Evergreen 3.2.8
 ---------------
 
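Review bot: the second template list describes the fix as adding `rel="nofollow` to external links, but the commits in this push for LP#1559239 (summary.tt2 and table.tt2) add `rel="noopener"`; `nofollow` was already present on the Content Cafe link and is unrelated to the fix, so the note should say `rel="noopener"`, and the closing quote and backtick are missing. Also, the first template list is indented by one space (` * `), which AsciiDoc renders as a literal paragraph rather than a bullet list; drop the leading space so it matches the second list.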

commit 5236b66854b17e7a8a973a3710b457695eaa03ae
Author: Jane Sandberg <sandbej at linnbenton.edu>
Date:   Tue Sep 17 20:48:13 2019 -0700

    Docs: adding release notes for 3.1.15
    
    Signed-off-by: Jane Sandberg <sandbej at linnbenton.edu>
    (cherry picked from commit c59eee9ae4d465735c5b4eebeae452d49b50b584)

diff --git a/docs/RELEASE_NOTES_3_1.adoc b/docs/RELEASE_NOTES_3_1.adoc
index a136370577..133158fb40 100644
--- a/docs/RELEASE_NOTES_3_1.adoc
+++ b/docs/RELEASE_NOTES_3_1.adoc
@@ -3,6 +3,74 @@ Evergreen 3.1 Release Notes
 :toc:
 :numbered:
 
+Evergreen 3.1.15
+----------------
+This release is a security release that fixes cross-site scripting
+(XSS) vulnerabilities in the Evergreen public catalog. This release
+also includes several other bugfixes improving on Evergreen 3.1.14.
+
+Security Issue: XSS Vulnerability in Public Catalog
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+This release fixes several cross-site scripting (XSS) vulnerabilities
+in the public catalog. When upgrading, Evergreen administrators should
+review whether any of the following templates have been customized
+or overridden. If so, either the template should be replaced with the
+stock version or the XSS fix (which entails adding the `| html` filter
+in several places) applied to the customized version.
+
+ * `Open-ILS/src/templates/opac/browse.tt2`
+ * `Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2`
+ * `Open-ILS/src/templates/opac/parts/header.tt2`
+ * `Open-ILS/src/templates/opac/parts/place_hold.tt2`
+ * `Open-ILS/src/templates/opac/parts/place_hold_result.tt2`
+ * `Open-ILS/src/templates/opac/parts/result/adv_filter.tt2`
+
+They should also review the following templates.  If these templates have
+been customized or overridden, either the template should be replaced with
+the stock version or the XSS fix (which entails adding `rel="nofollow` to
+external links) applied to the customized version.
+
+* `Open-ILS/src/templates/opac/parts/record/summary.tt2`
+* `Open-ILS/src/templates/opac/parts/result/table.tt2`
+
+
+Other Bugfixes
+~~~~~~~~~~~~~~
+Evergreen 3.1.15 also includes the following changes:
+
+Circulation
+^^^^^^^^^^^
+
+* Default hold transit slips no longer include patron's personal
+information (https://bugs.launchpad.net/evergreen/+bug/1735847[Bug 1735847])
+* Fixes an issue with the reshelving process
+(https://bugs.launchpad.net/evergreen/+bug/1018011[Bug 1018011])
+
+Reports
+^^^^^^^
+
+* Fixes issues related to cloning templates made in the XUL client
+(https://bugs.launchpad.net/evergreen/+bug/1796945[Bug 1796945])
+
+
+Acknowledgements
+~~~~~~~~~~~~~~~~
+We would like to thank the following individuals who contributed code,
+tests and documentation patches to the 3.1.15 security release of
+Evergreen:
+
+* Thomas Berezansky
+* Jason Boyer
+* Jeff Davis
+* Blake Graham-Henderson
+* Andrea Buntz Neiman
+* Debbie Luchenbill
+* Jane Sandberg
+* Chris Sharp
+* Jason Stephenson
+* Dan Wells
+
+
 Evergreen 3.1.14
 ----------------
 
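Review bot: same two problems as the 3.2 notes: the attribute the upgrade adds to external links is `rel="noopener"`, not `rel="nofollow` (which is also missing its closing quote and backtick), and the first bullet list is indented by a space, which AsciiDoc will render as literal text instead of a list.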

commit 785e32bbd8585bfa6d8b5f2f3fcf897dafc9a55c
Author: Jeff Davis <jdavis at sitka.bclibraries.ca>
Date:   Mon Jun 10 09:53:44 2019 -0700

    LP#1822630: fix sanitizing CGI params on place_hold_result
    
    Signed-off-by: Jeff Davis <jdavis at sitka.bclibraries.ca>
    Signed-off-by: Jason Stephenson <jason at sigio.com>
    (cherry picked from commit 019118895c94f5cc810b3f1fb95b2634a1c993b6)

diff --git a/Open-ILS/src/templates/opac/parts/place_hold_result.tt2 b/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
index 2f434bdc60..2b5c4eeab1 100644
--- a/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
+++ b/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
@@ -148,10 +148,10 @@ function disable_submit() {
         [% END %]
         <span>
         [% IF any_failures OR ctx.general_hold_error %]
-        <a href="[% CGI.param('redirect_to') | html || CGI.referer | html %]">[% l('Cancel') %]</a>
+        <a href="[% (CGI.param('redirect_to') || CGI.referer) | html %]">[% l('Cancel') %]</a>
         [% ELSE %]
         <div class='hold_success_links'>
-          <span><a href="[% CGI.param('redirect_to') | html || CGI.referer | html %]">[% l('Continue') %]</a></span>
+          <span><a href="[% (CGI.param('redirect_to') || CGI.referer) | html %]">[% l('Continue') %]</a></span>
            [% IF ctx.is_staff %]
              [% IF CGI.param('hold_type') == 'C';
                   hold_type_label = l('copy');
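Review bot: the parenthesised form applies `html` to the whole fallback expression, which resolves the precedence problem in the earlier version, but escaping only keeps `redirect_to` from breaking out of the `href` attribute; it does not restrict where the Cancel/Continue links point. Since the intended destinations are catalog pages, checking that the parameter is a site-relative path (falling back to `CGI.referer` otherwise) before it reaches the template would be a sensible follow-up.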

commit 2ecb4f2bf1023ffe84f0e988a15ad40ace4e20c3
Author: Jeff Davis <jdavis at sitka.bclibraries.ca>
Date:   Mon Apr 1 15:13:09 2019 -0700

    LP#1822630: further sanitizing of CGI params when embedded in HTML
    
    Signed-off-by: Jeff Davis <jdavis at sitka.bclibraries.ca>
    Signed-off-by: Chris Sharp <csharp at georgialibraries.org>
    Signed-off-by: Jason Stephenson <jason at sigio.com>
    (cherry picked from commit e2d401a9da3c70c1e56e518f40d0de928919990f)

diff --git a/Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2 b/Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2
index d5ba0f48ea..668b5fab3e 100644
--- a/Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2
+++ b/Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2
@@ -45,13 +45,13 @@ dojo.forEach(vendor_list, function(v) {
 // essential info for performing a transaction
 var ebook_action = {};
 [%- IF CGI.param("action").defined %]
-ebook_action.type = '[% CGI.param("action") %]';
+ebook_action.type = '[% CGI.param("action") | html %]';
 [%- END -%]
 [%- IF CGI.param("title").defined %]
-ebook_action.title_id = '[% CGI.param("title") %]';
+ebook_action.title_id = '[% CGI.param("title") | html %]';
 [%- END -%]
 [%- IF CGI.param("vendor").defined %]
-ebook_action.vendor = '[% CGI.param("vendor") %]';
+ebook_action.vendor = '[% CGI.param("vendor") | html %]';
 [%- END -%]
 
 [% IF ctx.user %]
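Review bot: the three values are inserted into single-quoted JavaScript string literals, so the encoding context is script, not HTML. Template Toolkit's `html` filter converts `<`, `>`, `&` and `"` but leaves `'` and `\` untouched, so for `ebook_action.type = '[% CGI.param("action") | html %]'` a JavaScript-string encoder (emitting the value as a JSON string literal, for example) is the right tool; `html` can remain as a second layer. Since `action`, `title` and `vendor` are all expected to be short identifiers, rejecting anything outside a known set or `[A-Za-z0-9_-]` before rendering would be simpler still.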
diff --git a/Open-ILS/src/templates/opac/parts/header.tt2 b/Open-ILS/src/templates/opac/parts/header.tt2
index 76b2314187..5f397c3b7c 100644
--- a/Open-ILS/src/templates/opac/parts/header.tt2
+++ b/Open-ILS/src/templates/opac/parts/header.tt2
@@ -19,7 +19,7 @@
     # parts/searchbar.tt2, and results.tt2.
     show_detail_view = 0;
     IF CGI.param("detail_record_view").defined;
-        show_detail_view = CGI.param("detail_record_view");
+        show_detail_view = CGI.param("detail_record_view") | html;
     ELSIF show_more_details.default == "true" OR
           show_more_details.default == "hide";
         show_detail_view = 1;
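Review bot: `show_detail_view` is used as a 0/1 flag (the `ELSIF` branch assigns 1), so escaping the raw parameter at assignment time is a weak fix: escaping belongs where a value is rendered, and a flag should be normalised rather than escaped. Mapping the parameter to 1 when it equals "1" and 0 otherwise removes the need for `| html` here and makes the later comparisons unambiguous.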
diff --git a/Open-ILS/src/templates/opac/parts/place_hold.tt2 b/Open-ILS/src/templates/opac/parts/place_hold.tt2
index f2d1bba3bc..95ff9e2b29 100644
--- a/Open-ILS/src/templates/opac/parts/place_hold.tt2
+++ b/Open-ILS/src/templates/opac/parts/place_hold.tt2
@@ -192,7 +192,7 @@ function maybeToggleNumCopies(obj) {
                                 [% l('Advanced Hold Options') %]</a>
                         [% END %]
                         [% IF CGI.param('hold_type') == 'M' AND CGI.param('bre_id') %]
-                            <input type="hidden" name="bre_id" value="[% CGI.param('bre_id') %]" />
+                            <input type="hidden" name="bre_id" value="[% CGI.param('bre_id') | html %]" />
                             <a id='basic_hold_link'
                                href="[% mkurl('', {hold_target => CGI.param('bre_id'), hold_type => 'T'}) %]">
                                 [% l('Basic Hold Options') %]</a>
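Review bot: `bre_id` is a bibliographic record id, so it can be validated as an integer before use rather than only HTML-escaped in the hidden input; that would also cover the `mkurl(...)` call two lines below, which passes the same raw parameter through. The `| html` on the `value` attribute is correct as far as it goes.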
diff --git a/Open-ILS/src/templates/opac/parts/place_hold_result.tt2 b/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
index 009145aeb2..2f434bdc60 100644
--- a/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
+++ b/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
@@ -148,10 +148,10 @@ function disable_submit() {
         [% END %]
         <span>
         [% IF any_failures OR ctx.general_hold_error %]
-        <a href="[% CGI.param('redirect_to') || CGI.referer | html %]">[% l('Cancel') %]</a>
+        <a href="[% CGI.param('redirect_to') | html || CGI.referer | html %]">[% l('Cancel') %]</a>
         [% ELSE %]
         <div class='hold_success_links'>
-          <span><a href="[% CGI.param('redirect_to') || CGI.referer | html %]">[% l('Continue') %]</a></span>
+          <span><a href="[% CGI.param('redirect_to') | html || CGI.referer | html %]">[% l('Continue') %]</a></span>
            [% IF ctx.is_staff %]
              [% IF CGI.param('hold_type') == 'C';
                   hold_type_label = l('copy');
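Review bot: putting `| html` on each side of `||` depends on how Template Toolkit binds the filter relative to the `||` operator, which is not obvious to a reader and, as commit 785e32b in this push shows, needed a second pass. Wrap the whole expression instead: `(CGI.param('redirect_to') || CGI.referer) | html`.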
diff --git a/Open-ILS/src/templates/opac/parts/result/adv_filter.tt2 b/Open-ILS/src/templates/opac/parts/result/adv_filter.tt2
index ae2ef7a50c..35b2c77723 100644
--- a/Open-ILS/src/templates/opac/parts/result/adv_filter.tt2
+++ b/Open-ILS/src/templates/opac/parts/result/adv_filter.tt2
@@ -62,8 +62,8 @@ FOR filter IN ctx.query_struct.filters;
 [%- END; # IF locations -%]
 
 [%- IF pubdate_filters.grep('^' _ filter.name _ '$').size;
-    date1 = CGI.param('date1');
-    date2 = CGI.param('date2');
+    date1 = CGI.param('date1') | html;
+    date2 = CGI.param('date2') | html;
 -%]
     <div class="adv_filter_results_group_wrapper">
       <div class="adv_filter_results_group">
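Review bot: `date1` and `date2` are publication-date bounds, so constraining them to digits (a four-digit year, or whatever the filter accepts) at the point they are read would be a stronger check than `| html` on the assignment. As with header.tt2, escaping a value when it is assigned rather than when it is output is easy to undo if the variable is later used in a non-HTML context.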

commit f2359ae346dd6856905e2a80e299457888ce7385
Author: Jeff Davis <jdavis at sitka.bclibraries.ca>
Date:   Mon Apr 1 10:00:59 2019 -0700

    LP#1822630: sanitize user input before display on browse results
    
    Signed-off-by: Jeff Davis <jdavis at sitka.bclibraries.ca>
    Signed-off-by: Chris Sharp <csharp at georgialibraries.org>
    Signed-off-by: Jason Stephenson <jason at sigio.com>
    (cherry picked from commit 4402695e80dbcee5187a35de46e5e314bab1231a)

diff --git a/Open-ILS/src/templates/opac/browse.tt2 b/Open-ILS/src/templates/opac/browse.tt2
index 21c3e65a3f..97a8c0c180 100644
--- a/Open-ILS/src/templates/opac/browse.tt2
+++ b/Open-ILS/src/templates/opac/browse.tt2
@@ -46,7 +46,7 @@
                 <div id="browse-controls" class='searchbar'>
                     <form method="get" onsubmit="$('browse-submit-spinner').className = ''; return true">
                         <input type="hidden" name="blimit"
-                            value="[% blimit %]" />
+                            value="[% blimit | html %]" />
 
                         [% control_qtype = INCLUDE "opac/parts/qtype_selector.tt2"
                             id="browse-search-class" browse_only=1 plural=1 %]
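Review bot: where `blimit` is populated is not visible in this hunk; if it comes from a query parameter it is a page-size number, and coercing it to an integer at that point (with a sane upper bound) would make the `| html` on the hidden input a belt-and-braces measure rather than the only check.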

commit 92aa9c1eac12d2c685ab160157b4b616b576f5cf
Author: Jeff Davis <jdavis at sitka.bclibraries.ca>
Date:   Thu Sep 13 11:58:48 2018 -0700

    LP#1559239: use rel="noopener" when opening external URLs in a new tab
    
    Signed-off-by: Jeff Davis <jdavis at sitka.bclibraries.ca>
    Signed-off-by: Jason Stephenson <jason at sigio.com>
    (cherry picked from commit 1eccaeec88a99e9792b388e95732faa7576e7164)

diff --git a/Open-ILS/src/templates/opac/parts/record/summary.tt2 b/Open-ILS/src/templates/opac/parts/record/summary.tt2
index 3bc0ef5855..fb6f84a1e8 100644
--- a/Open-ILS/src/templates/opac/parts/record/summary.tt2
+++ b/Open-ILS/src/templates/opac/parts/record/summary.tt2
@@ -191,7 +191,7 @@
         FOREACH res IN openurls;
 %]
         <tr>
-            <td class='rdetail_openurl_entry'><a href="[% res.target_url %]" target="_blank">[% res.public_name | html %]</a></td>
+            <td class='rdetail_openurl_entry'><a href="[% res.target_url %]" target="_blank" rel="noopener">[% res.public_name | html %]</a></td>
             <td>[% res.target_coverage | html %]
             [%- IF res.target_embargo != '';
                     ' - ';
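Review bot: `rel="noopener"` is the right addition for a `target="_blank"` link, but the same `<a>` interpolates `res.target_url` into `href` without any filter while `res.public_name` on the same line gets `| html`. OpenURL resolver targets are built from record data, so `href="[% res.target_url | html %]"` keeps the attribute well-formed whatever the URL contains.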
@@ -218,7 +218,7 @@ IF num_uris > 0;
         [%- ELSE -%]
             <li class="rdetail_uri" property="offers" vocab="http://schema.org/" typeof="Offer">
         [%- END -%]
-        <a href="[% uri.href %]" class="uri_link" property="url" target="_blank">
+        <a href="[% uri.href %]" class="uri_link" property="url" target="_blank" rel="noopener">
         [%- IF uri.href != uri.link;
                 '<span property="description">' _ uri.link _ '</span>';
             ELSE;
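Review bot: same pattern as the OpenURL hunk above: `uri.href` goes into `href` unfiltered, and in the trailing context `uri.link` is concatenated into raw markup (`'<span property="description">' _ uri.link _ '</span>'`) with no `| html` either. These values come from catalog records, which are not always trusted input, so both should be escaped; `rel="noopener"` on its own only addresses the `window.opener` issue.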
diff --git a/Open-ILS/src/templates/opac/parts/result/table.tt2 b/Open-ILS/src/templates/opac/parts/result/table.tt2
index 21652c4069..c06f440ede 100644
--- a/Open-ILS/src/templates/opac/parts/result/table.tt2
+++ b/Open-ILS/src/templates/opac/parts/result/table.tt2
@@ -348,7 +348,7 @@ END;
                                                                 <td valign='top'>
                                                                     <strong>[% l('Electronic resource') %]</strong>
                                                                 </td>
-                                                                <td><a href="[% uri.href %]" class="uri_link" target="_blank">[% uri.link | html %]</a>[% ' - ' _ uri.note | html IF uri.note %]</td>
+                                                                <td><a href="[% uri.href %]" class="uri_link" target="_blank" rel="noopener">[% uri.link | html %]</a>[% ' - ' _ uri.note | html IF uri.note %]</td>
                                                             </tr>
                                                             [% END %]
                                                          [% END %]
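Review bot: as in summary.tt2, `uri.href` is emitted into `href` with no filter while `uri.link` and `uri.note` on the same line are escaped; apply `| html` to the href as well so record data cannot close the attribute early.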
@@ -513,7 +513,7 @@ END;
                                                                [% html_text_attr('title', l('Reviews and More for [_1]', attrs.title)) %]
                                                                 href="[% ctx.ext_proto %]://contentcafe2.btol.com/ContentCafeClient/ContentCafe.aspx?UserID=[%- 
                                                                     ENV.OILS_CONTENT_CAFE_USER %]&Password=[%-
-                                                                    ENV.OILS_CONTENT_CAFE_PASS %]&ItemKey=[% ident | uri %]&Options=Y" rel="nofollow" vocab="">
+                                                                    ENV.OILS_CONTENT_CAFE_PASS %]&ItemKey=[% ident | uri %]&Options=Y" rel="noopener nofollow" vocab="">
                                                                 <img src='[% ctx.media_prefix %]/images/starz.png[% ctx.cache_key %]' alt="[% l('Ratings Icon') %]"/>
                                                                 <span class="results_reviews">[% l('Reviews & More') %]</span>
                                                             </a>
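Review bot: the `rel` change is fine, but the surrounding lines interpolate `ENV.OILS_CONTENT_CAFE_USER` and `ENV.OILS_CONTENT_CAFE_PASS` into the link with no `| uri` filter, unlike `ident | uri` on the same line. These values are configuration rather than user input, but URL-encoding them keeps the query string valid if either contains reserved characters. It is also worth stating in the configuration docs that this credential is sent to every catalog visitor's browser as part of the page.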

-----------------------------------------------------------------------

Summary of changes:
 .../Pg/version-upgrade/3.2.8-3.2.9-upgrade-db.sql  |  5 ++
 Open-ILS/src/templates/opac/browse.tt2             |  2 +-
 .../src/templates/opac/parts/ebook_api/base_js.tt2 |  6 +-
 Open-ILS/src/templates/opac/parts/header.tt2       |  2 +-
 Open-ILS/src/templates/opac/parts/place_hold.tt2   |  2 +-
 .../src/templates/opac/parts/place_hold_result.tt2 |  4 +-
 .../src/templates/opac/parts/record/summary.tt2    |  4 +-
 .../src/templates/opac/parts/result/adv_filter.tt2 |  4 +-
 Open-ILS/src/templates/opac/parts/result/table.tt2 |  4 +-
 docs/RELEASE_NOTES_3_1.adoc                        | 68 ++++++++++++++++++
 docs/RELEASE_NOTES_3_2.adoc                        | 81 ++++++++++++++++++++++
 11 files changed, 168 insertions(+), 14 deletions(-)
 create mode 100644 Open-ILS/src/sql/Pg/version-upgrade/3.2.8-3.2.9-upgrade-db.sql


hooks/post-receive
-- 
Evergreen ILS

