This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 3.22.x has been updated
       via  e48dac0bf5b6705c82fac3df8041773bfce4084f (commit)
      from  fe5b80d5633ab09d3994fac09dd5d9971931af0a (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit e48dac0bf5b6705c82fac3df8041773bfce4084f
Author: Jonathan Druart <jonathan.dru...@bugs.koha-community.org>
Date:   Fri Aug 12 10:42:28 2016 +0100

    Bug 17114: Fix XSS in picture-upload.pl
    
    To reproduce:
    1/ cp your_image.jpg 'test<svg onload=alert(1)>.jpg'
    2/ Use the upload picture tool to upload this file
    => Without this patch, the alert is show
    => With this patch, the filename is correctly displayed and no alert
    
    Note that the cardnumber var was not escaped neither, it's now.
    
    Signed-off-by: Colin Campbell <colin.campb...@ptfs-europe.com>
    
    Signed-off-by: Katrin Fischer <katrin.fischer...@web.de>
    
    Signed-off-by: Kyle M Hall <k...@bywatersolutions.com>
    (cherry picked from commit da03dbd458c59da0b9213efacd3425e89b453332)
    Signed-off-by: Frédéric Demians <f.demi...@tamil.fr>
    (cherry picked from commit 0fba9c17c9154379430119646c3571f09d986948)
    Signed-off-by: Julian Maurice <julian.maur...@biblibre.com>

-----------------------------------------------------------------------

Summary of changes:
 koha-tmpl/intranet-tmpl/prog/en/modules/tools/picture-upload.tt |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


hooks/post-receive
-- 
main Koha release repository
_______________________________________________
koha-commits mailing list
koha-commits@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-commits

Reply via email to