[open-ils-commits] [GIT] Evergreen ILS branch rel_3_3 updated. 193c70ed5d7aa697f52e76cf8f6057672e9f08f4

Evergreen Git git at git.evergreen-ils.org
Thu Sep 19 16:41:48 EDT 2019


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, rel_3_3 has been updated
       via  193c70ed5d7aa697f52e76cf8f6057672e9f08f4 (commit)
       via  3999b3b7fa06472ef9b10b4e47331ca6148bfa2c (commit)
       via  32489d301e32c78bf4250df201f047b610fc4010 (commit)
       via  a47e8d39f34298a6556ec7e3c2c5e250e1977979 (commit)
       via  12b4a82d3927ae8d91d9128ceced88c07b94fa84 (commit)
       via  bf00d6af3567230876d68fa92063c55863ffaa45 (commit)
      from  9d8cd55e5b080134648a2b62284432ad21178a0d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 193c70ed5d7aa697f52e76cf8f6057672e9f08f4
Author: Dan Wells <dbw2 at calvin.edu>
Date:   Thu Sep 19 15:34:47 2019 -0400

    Forward-port 3.3.4 upgrade script
    
    Signed-off-by: Dan Wells <dbw2 at calvin.edu>

diff --git a/Open-ILS/src/sql/Pg/version-upgrade/3.3.3-3.3.4-upgrade-db.sql b/Open-ILS/src/sql/Pg/version-upgrade/3.3.3-3.3.4-upgrade-db.sql
new file mode 100644
index 0000000000..00d89be504
--- /dev/null
+++ b/Open-ILS/src/sql/Pg/version-upgrade/3.3.3-3.3.4-upgrade-db.sql
@@ -0,0 +1,5 @@
+--Upgrade Script for 3.3.3 to 3.3.4
+\set eg_version '''3.3.4'''
+BEGIN;
+INSERT INTO config.upgrade_log (version, applied_to) VALUES ('3.3.4', :eg_version);
+COMMIT;
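Review bot: this script is a version stamp only; no DDL in this push needs it, which matches a template-only security release. Keep the literal '3.3.4' in the INSERT and the `\set eg_version '''3.3.4'''` line in sync, and note in the release notes that sites applying the template fixes by hand should still run it so config.upgrade_log records 3.3.4.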

commit 3999b3b7fa06472ef9b10b4e47331ca6148bfa2c
Author: Jane Sandberg <sandbej at linnbenton.edu>
Date:   Tue Sep 17 20:59:28 2019 -0700

    Docs: adding release notes for 3.3.4
    
    Signed-off-by: Jane Sandberg <sandbej at linnbenton.edu>
    (cherry picked from commit 72e4ff788197b4a398a2b512590840cf2c56c53c)

diff --git a/docs/RELEASE_NOTES_3_3.adoc b/docs/RELEASE_NOTES_3_3.adoc
index 5909c480bf..94319904e9 100644
--- a/docs/RELEASE_NOTES_3_3.adoc
+++ b/docs/RELEASE_NOTES_3_3.adoc
@@ -3,6 +3,94 @@ Evergreen 3.3 Release Notes
 :toc:
 :numbered:
 
+Evergreen 3.3.4
+----------------
+This release is a security release that fixes cross-site scripting
+(XSS) vulnerabilities in the Evergreen public catalog. This release
+also includes several other bugfixes improving on Evergreen 3.3.3.
+
+Security Issue: XSS Vulnerability in Public Catalog
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+This release fixes several cross-site scripting (XSS) vulnerabilities
+in the public catalog. When upgrading, Evergreen administrators should
+review whether any of the following templates have been customized
+or overridden. If so, either the template should be replaced with the
+stock version or the XSS fix (which entails adding the `| html` filter
+in several places) applied to the customized version.
+
+ * `Open-ILS/src/templates/opac/browse.tt2`
+ * `Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2`
+ * `Open-ILS/src/templates/opac/parts/header.tt2`
+ * `Open-ILS/src/templates/opac/parts/place_hold.tt2`
+ * `Open-ILS/src/templates/opac/parts/place_hold_result.tt2`
+ * `Open-ILS/src/templates/opac/parts/result/adv_filter.tt2`
+
+They should also review the following templates.  If these templates have
+been customized or overridden, either the template should be replaced with
+the stock version or the XSS fix (which entails adding `rel="nofollow` to
+external links) applied to the customized version.
+
+* `Open-ILS/src/templates/opac/parts/record/summary.tt2`
+* `Open-ILS/src/templates/opac/parts/result/table.tt2`
+
+
+Other Bugfixes
+~~~~~~~~~~~~~~
+Evergreen 3.3.4 also includes the following changes:
+
+General
+^^^^^^^
+
+* Users can now save sort priorities for grids throughout the client
+(https://bugs.launchpad.net/evergreen/+bug/1790169[Bug 1790169])
+
+Cataloging
+^^^^^^^^^^
+
+* The experimental staff catalog now includes a flat-text MARC editor
+(https://bugs.launchpad.net/evergreen/+bug/1834665[Bug 1834665])
+
+
+Circulation
+^^^^^^^^^^^
+
+* Default hold transit slips no longer include patron's personal
+information (https://bugs.launchpad.net/evergreen/+bug/1735847[Bug 1735847])
+* Fixes an issue with the reshelving process
+(https://bugs.launchpad.net/evergreen/+bug/1018011[Bug 1018011])
+
+Reports
+^^^^^^^
+
+* Fixes issues related to cloning templates made in the XUL client
+(https://bugs.launchpad.net/evergreen/+bug/1796945[Bug 1796945])
+
+
+Acknowledgements
+~~~~~~~~~~~~~~~~
+We would like to thank the following individuals who contributed code,
+tests and documentation patches to the 3.3.4 security release of
+Evergreen:
+
+* Thomas Berezansky
+* Jason Boyer
+* Galen Charlton
+* Jeff Davis
+* April Durrence
+* Bill Erickson
+* Jason Etheridge
+* Blake Graham-Henderson
+* Andrea Buntz Neiman
+* Debbie Luchenbill
+* Dan Pearl
+* Jane Sandberg
+* Dan Scott
+* Chris Sharp
+* Remington Steed
+* Jason Stephenson
+* Dan Wells
+* Derek C. Zoladz
+
 
 Evergreen 3.3.3
 ---------------
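Review bot: the second list of templates tells admins to add `rel="nofollow` (the closing quote and backtick are missing), but the commit in this push that touches summary.tt2 and table.tt2 (bf00d6af, LP#1559239) adds `rel="noopener"` to links opened with target="_blank"; the one link that carries nofollow already had it. Suggest: "the XSS fix (which entails adding `rel="noopener"` to external links opened in a new tab)". The "Security Issue" section would also benefit from citing LP#1822630, which every `| html` commit in this push references, and the two lists use inconsistent bullet indentation (" * " versus "* ").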

commit 32489d301e32c78bf4250df201f047b610fc4010
Author: Jeff Davis <jdavis at sitka.bclibraries.ca>
Date:   Mon Jun 10 09:53:44 2019 -0700

    LP#1822630: fix sanitizing CGI params on place_hold_result
    
    Signed-off-by: Jeff Davis <jdavis at sitka.bclibraries.ca>
    Signed-off-by: Jason Stephenson <jason at sigio.com>
    (cherry picked from commit 019118895c94f5cc810b3f1fb95b2634a1c993b6)

diff --git a/Open-ILS/src/templates/opac/parts/place_hold_result.tt2 b/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
index 2f434bdc60..2b5c4eeab1 100644
--- a/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
+++ b/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
@@ -148,10 +148,10 @@ function disable_submit() {
         [% END %]
         <span>
         [% IF any_failures OR ctx.general_hold_error %]
-        <a href="[% CGI.param('redirect_to') | html || CGI.referer | html %]">[% l('Cancel') %]</a>
+        <a href="[% (CGI.param('redirect_to') || CGI.referer) | html %]">[% l('Cancel') %]</a>
         [% ELSE %]
         <div class='hold_success_links'>
-          <span><a href="[% CGI.param('redirect_to') | html || CGI.referer | html %]">[% l('Continue') %]</a></span>
+          <span><a href="[% (CGI.param('redirect_to') || CGI.referer) | html %]">[% l('Continue') %]</a></span>
            [% IF ctx.is_staff %]
              [% IF CGI.param('hold_type') == 'C';
                   hold_type_label = l('copy');
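Review bot: the parenthesised form `(CGI.param('redirect_to') || CGI.referer) | html` is the right fix for the earlier `| html ||` mix-up, but escaping only stops attribute break-out. `redirect_to` is still used unvalidated as the link target, so a `javascript:` URL or an off-site URL survives the html filter intact. Consider restricting `redirect_to` to a relative path (or a same-host URL) before falling back to the referer, so the Cancel/Continue links cannot be pointed anywhere the caller chooses.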

commit a47e8d39f34298a6556ec7e3c2c5e250e1977979
Author: Jeff Davis <jdavis at sitka.bclibraries.ca>
Date:   Mon Apr 1 15:13:09 2019 -0700

    LP#1822630: further sanitizing of CGI params when embedded in HTML
    
    Signed-off-by: Jeff Davis <jdavis at sitka.bclibraries.ca>
    Signed-off-by: Chris Sharp <csharp at georgialibraries.org>
    Signed-off-by: Jason Stephenson <jason at sigio.com>
    (cherry picked from commit e2d401a9da3c70c1e56e518f40d0de928919990f)

diff --git a/Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2 b/Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2
index d5ba0f48ea..668b5fab3e 100644
--- a/Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2
+++ b/Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2
@@ -45,13 +45,13 @@ dojo.forEach(vendor_list, function(v) {
 // essential info for performing a transaction
 var ebook_action = {};
 [%- IF CGI.param("action").defined %]
-ebook_action.type = '[% CGI.param("action") %]';
+ebook_action.type = '[% CGI.param("action") | html %]';
 [%- END -%]
 [%- IF CGI.param("title").defined %]
-ebook_action.title_id = '[% CGI.param("title") %]';
+ebook_action.title_id = '[% CGI.param("title") | html %]';
 [%- END -%]
 [%- IF CGI.param("vendor").defined %]
-ebook_action.vendor = '[% CGI.param("vendor") %]';
+ebook_action.vendor = '[% CGI.param("vendor") | html %]';
 [%- END -%]
 
 [% IF ctx.user %]
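Review bot: `| html` is the wrong escaping for a JavaScript string literal. Template Toolkit's html filter rewrites `&`, `<`, `>` and `"` but leaves `'` and `\` alone, so a parameter value such as `';alert(1);//` still closes the single-quoted literal in `ebook_action.type = '[% CGI.param("action") | html %]';` and executes inside the page's own script block (the filter does at least neutralise a `</script>` injection). Emit these three values as JSON string literals (TT's JSON plugin, or equivalent) or, at minimum, also escape backslashes and single quotes.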
diff --git a/Open-ILS/src/templates/opac/parts/header.tt2 b/Open-ILS/src/templates/opac/parts/header.tt2
index 76b2314187..5f397c3b7c 100644
--- a/Open-ILS/src/templates/opac/parts/header.tt2
+++ b/Open-ILS/src/templates/opac/parts/header.tt2
@@ -19,7 +19,7 @@
     # parts/searchbar.tt2, and results.tt2.
     show_detail_view = 0;
     IF CGI.param("detail_record_view").defined;
-        show_detail_view = CGI.param("detail_record_view");
+        show_detail_view = CGI.param("detail_record_view") | html;
     ELSIF show_more_details.default == "true" OR
           show_more_details.default == "hide";
         show_detail_view = 1;
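Review bot: please verify that `show_detail_view = CGI.param("detail_record_view") | html;` actually filters the stored value. In Template Toolkit a postfix `| html` on a SET statement is applied to that statement's output (which is empty), not to the value being assigned, so the variable may still hold the raw parameter. Given that the ELSIF branch only ever assigns 1, the safer change is to coerce the parameter to an integer here, or to apply `| html` at the point where show_detail_view is printed.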
diff --git a/Open-ILS/src/templates/opac/parts/place_hold.tt2 b/Open-ILS/src/templates/opac/parts/place_hold.tt2
index f2d1bba3bc..95ff9e2b29 100644
--- a/Open-ILS/src/templates/opac/parts/place_hold.tt2
+++ b/Open-ILS/src/templates/opac/parts/place_hold.tt2
@@ -192,7 +192,7 @@ function maybeToggleNumCopies(obj) {
                                 [% l('Advanced Hold Options') %]</a>
                         [% END %]
                         [% IF CGI.param('hold_type') == 'M' AND CGI.param('bre_id') %]
-                            <input type="hidden" name="bre_id" value="[% CGI.param('bre_id') %]" />
+                            <input type="hidden" name="bre_id" value="[% CGI.param('bre_id') | html %]" />
                             <a id='basic_hold_link'
                                href="[% mkurl('', {hold_target => CGI.param('bre_id'), hold_type => 'T'}) %]">
                                 [% l('Basic Hold Options') %]</a>
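Review bot: `bre_id` is a bibliographic record id, so the cleanest fix is to coerce it to an integer rather than HTML-escape it; the same raw `CGI.param('bre_id')` is passed to `mkurl()` on the next line, and integer coercion covers both uses in one place. If escaping is kept, confirm that mkurl URL-encodes its hash values so that line is not left relying on the caller.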
diff --git a/Open-ILS/src/templates/opac/parts/place_hold_result.tt2 b/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
index 009145aeb2..2f434bdc60 100644
--- a/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
+++ b/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
@@ -148,10 +148,10 @@ function disable_submit() {
         [% END %]
         <span>
         [% IF any_failures OR ctx.general_hold_error %]
-        <a href="[% CGI.param('redirect_to') || CGI.referer | html %]">[% l('Cancel') %]</a>
+        <a href="[% CGI.param('redirect_to') | html || CGI.referer | html %]">[% l('Cancel') %]</a>
         [% ELSE %]
         <div class='hold_success_links'>
-          <span><a href="[% CGI.param('redirect_to') || CGI.referer | html %]">[% l('Continue') %]</a></span>
+          <span><a href="[% CGI.param('redirect_to') | html || CGI.referer | html %]">[% l('Continue') %]</a></span>
            [% IF ctx.is_staff %]
              [% IF CGI.param('hold_type') == 'C';
                   hold_type_label = l('copy');
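Review bot: `CGI.param('redirect_to') | html || CGI.referer | html` mixes a postfix filter with `||` and does not parse the way it reads in Template Toolkit; the filter is not applied to the combined expression. The later commit in this push (32489d30, "fix sanitizing CGI params on place_hold_result") replaces both lines with `(CGI.param('redirect_to') || CGI.referer) | html`, so the branch tip is correct, but this commit should not be cherry-picked on its own.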
diff --git a/Open-ILS/src/templates/opac/parts/result/adv_filter.tt2 b/Open-ILS/src/templates/opac/parts/result/adv_filter.tt2
index ae2ef7a50c..35b2c77723 100644
--- a/Open-ILS/src/templates/opac/parts/result/adv_filter.tt2
+++ b/Open-ILS/src/templates/opac/parts/result/adv_filter.tt2
@@ -62,8 +62,8 @@ FOR filter IN ctx.query_struct.filters;
 [%- END; # IF locations -%]
 
 [%- IF pubdate_filters.grep('^' _ filter.name _ '$').size;
-    date1 = CGI.param('date1');
-    date2 = CGI.param('date2');
+    date1 = CGI.param('date1') | html;
+    date2 = CGI.param('date2') | html;
 -%]
     <div class="adv_filter_results_group_wrapper">
       <div class="adv_filter_results_group">

commit 12b4a82d3927ae8d91d9128ceced88c07b94fa84
Author: Jeff Davis <jdavis at sitka.bclibraries.ca>
Date:   Mon Apr 1 10:00:59 2019 -0700

    LP#1822630: sanitize user input before display on browse results
    
    Signed-off-by: Jeff Davis <jdavis at sitka.bclibraries.ca>
    Signed-off-by: Chris Sharp <csharp at georgialibraries.org>
    Signed-off-by: Jason Stephenson <jason at sigio.com>
    (cherry picked from commit 4402695e80dbcee5187a35de46e5e314bab1231a)

diff --git a/Open-ILS/src/templates/opac/browse.tt2 b/Open-ILS/src/templates/opac/browse.tt2
index 21c3e65a3f..97a8c0c180 100644
--- a/Open-ILS/src/templates/opac/browse.tt2
+++ b/Open-ILS/src/templates/opac/browse.tt2
@@ -46,7 +46,7 @@
                 <div id="browse-controls" class='searchbar'>
                     <form method="get" onsubmit="$('browse-submit-spinner').className = ''; return true">
                         <input type="hidden" name="blimit"
-                            value="[% blimit %]" />
+                            value="[% blimit | html %]" />
 
                         [% control_qtype = INCLUDE "opac/parts/qtype_selector.tt2"
                             id="browse-search-class" browse_only=1 plural=1 %]

commit bf00d6af3567230876d68fa92063c55863ffaa45
Author: Jeff Davis <jdavis at sitka.bclibraries.ca>
Date:   Thu Sep 13 11:58:48 2018 -0700

    LP#1559239: use rel="noopener" when opening external URLs in a new tab
    
    Signed-off-by: Jeff Davis <jdavis at sitka.bclibraries.ca>
    Signed-off-by: Jason Stephenson <jason at sigio.com>
    (cherry picked from commit 1eccaeec88a99e9792b388e95732faa7576e7164)

diff --git a/Open-ILS/src/templates/opac/parts/record/summary.tt2 b/Open-ILS/src/templates/opac/parts/record/summary.tt2
index 3bc0ef5855..fb6f84a1e8 100644
--- a/Open-ILS/src/templates/opac/parts/record/summary.tt2
+++ b/Open-ILS/src/templates/opac/parts/record/summary.tt2
@@ -191,7 +191,7 @@
         FOREACH res IN openurls;
 %]
         <tr>
-            <td class='rdetail_openurl_entry'><a href="[% res.target_url %]" target="_blank">[% res.public_name | html %]</a></td>
+            <td class='rdetail_openurl_entry'><a href="[% res.target_url %]" target="_blank" rel="noopener">[% res.public_name | html %]</a></td>
             <td>[% res.target_coverage | html %]
             [%- IF res.target_embargo != '';
                     ' - ';
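Review bot: `rel="noopener"` addresses window.opener access from the target page, but on the same line `res.target_url` goes into href without `| html` while `res.public_name` next to it is filtered. If OpenURL resolver targets can contain a `"`, that breaks out of the attribute. Suggest `href="[% res.target_url | html %]"` to match the rest of the XSS work in this push.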
@@ -218,7 +218,7 @@ IF num_uris > 0;
         [%- ELSE -%]
             <li class="rdetail_uri" property="offers" vocab="http://schema.org/" typeof="Offer">
         [%- END -%]
-        <a href="[% uri.href %]" class="uri_link" property="url" target="_blank">
+        <a href="[% uri.href %]" class="uri_link" property="url" target="_blank" rel="noopener">
         [%- IF uri.href != uri.link;
                 '<span property="description">' _ uri.link _ '</span>';
             ELSE;
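Review bot: `uri.href` is emitted unescaped inside href, and two lines below `uri.link` is concatenated into the `<span property="description">` without a filter, whereas table.tt2 prints `uri.link | html`. These values come from catalog record URIs, not from a trusted source, so please add `| html` to both; adding noopener alone leaves this one inconsistent with the other fixes.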
diff --git a/Open-ILS/src/templates/opac/parts/result/table.tt2 b/Open-ILS/src/templates/opac/parts/result/table.tt2
index 21652c4069..c06f440ede 100644
--- a/Open-ILS/src/templates/opac/parts/result/table.tt2
+++ b/Open-ILS/src/templates/opac/parts/result/table.tt2
@@ -348,7 +348,7 @@ END;
                                                                 <td valign='top'>
                                                                     <strong>[% l('Electronic resource') %]</strong>
                                                                 </td>
-                                                                <td><a href="[% uri.href %]" class="uri_link" target="_blank">[% uri.link | html %]</a>[% ' - ' _ uri.note | html IF uri.note %]</td>
+                                                                <td><a href="[% uri.href %]" class="uri_link" target="_blank" rel="noopener">[% uri.link | html %]</a>[% ' - ' _ uri.note | html IF uri.note %]</td>
                                                             </tr>
                                                             [% END %]
                                                          [% END %]
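Review bot: the link text `uri.link` and the note are filtered but `uri.href` in the href attribute is not; a `"` in a record URI breaks out of the attribute. Suggest `href="[% uri.href | html %]"` alongside the new `rel="noopener"`.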
@@ -513,7 +513,7 @@ END;
                                                                [% html_text_attr('title', l('Reviews and More for [_1]', attrs.title)) %]
                                                                 href="[% ctx.ext_proto %]://contentcafe2.btol.com/ContentCafeClient/ContentCafe.aspx?UserID=[%- 
                                                                     ENV.OILS_CONTENT_CAFE_USER %]&Password=[%-
-                                                                    ENV.OILS_CONTENT_CAFE_PASS %]&ItemKey=[% ident | uri %]&Options=Y" rel="nofollow" vocab="">
+                                                                    ENV.OILS_CONTENT_CAFE_PASS %]&ItemKey=[% ident | uri %]&Options=Y" rel="noopener nofollow" vocab="">
                                                                 <img src='[% ctx.media_prefix %]/images/starz.png[% ctx.cache_key %]' alt="[% l('Ratings Icon') %]"/>
                                                                 <span class="results_reviews">[% l('Reviews & More') %]</span>
                                                             </a>
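Review bot: `rel="noopener nofollow"` is fine, but this href embeds `ENV.OILS_CONTENT_CAFE_USER` and `ENV.OILS_CONTENT_CAFE_PASS` directly in a link served to every catalog visitor, so the vendor credentials are readable in the page source of each result row. Pre-existing, and outside the scope of LP#1559239, but worth a follow-up: route the "Reviews & More" link through a server-side redirect or proxy that adds the credentials, rather than emitting them into HTML.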

-----------------------------------------------------------------------

Summary of changes:
 .../Pg/version-upgrade/3.3.3-3.3.4-upgrade-db.sql  |  5 ++
 Open-ILS/src/templates/opac/browse.tt2             |  2 +-
 .../src/templates/opac/parts/ebook_api/base_js.tt2 |  6 +-
 Open-ILS/src/templates/opac/parts/header.tt2       |  2 +-
 Open-ILS/src/templates/opac/parts/place_hold.tt2   |  2 +-
 .../src/templates/opac/parts/place_hold_result.tt2 |  4 +-
 .../src/templates/opac/parts/record/summary.tt2    |  4 +-
 .../src/templates/opac/parts/result/adv_filter.tt2 |  4 +-
 Open-ILS/src/templates/opac/parts/result/table.tt2 |  4 +-
 docs/RELEASE_NOTES_3_3.adoc                        | 88 ++++++++++++++++++++++
 10 files changed, 107 insertions(+), 14 deletions(-)
 create mode 100644 Open-ILS/src/sql/Pg/version-upgrade/3.3.3-3.3.4-upgrade-db.sql


hooks/post-receive
-- 
Evergreen ILS

