https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31699
Martin Renvoize changed:
What|Removed |Added
Text to go in the|This enhancement adds the |**Sponsored by** *The
Jonathan Druart changed:
What|Removed |Added
CC||jonathan.druart+koha@gmail
Caroline Cyr La Rose changed:
What|Removed |Added
See Also||https://bugs.koha-com
Caroline Cyr La Rose changed:
What|Removed |Added
CC||caroline.cyr-la-rose@
Martin Renvoize changed:
What|Removed |Added
Blocks||21135
Referenced Bugs:
Martin Renvoize changed:
What|Removed |Added
See Also||https://bugs.koha-communit
Lucas Gass changed:
What|Removed |Added
Status|Pushed to stable|RESOLVED
Resolution|--
--- Comment #49 from Jacob O'Mara ---
Nice work, thanks everyone!
Pushed to 22.11.x for the next release.
Jacob O'Mara changed:
What|Removed |Added
Version(s)|23.05.00|23.05.00,22.11.03
David Nind changed:
What|Removed |Added
Text to go in the||This enhancement adds the
--- Comment #48 from Tomás Cohen Arazi ---
Pushed to master for 23.05.
Nice work everyone, thanks!
Tomás Cohen Arazi changed:
What|Removed |Added
Status|Passed QA |Pushed to master
--- Comment #47 from Tomás Cohen Arazi ---
No more rebases needed :-D
Martin Renvoize changed:
What|Removed |Added
Blocks||30979
Referenced Bugs:
--- Comment #46 from Martin Renvoize ---
Rebased
Martin Renvoize changed:
What|Removed |Added
Attachment #143643|0 |1
is obsolete|
Martin Renvoize changed:
What|Removed |Added
Attachment #143469|0 |1
is obsolete|
Martin Renvoize changed:
What|Removed |Added
Attachment #143468|0 |1
is obsolete|
Tomás Cohen Arazi changed:
What|Removed |Added
Keywords|rel_22_11_candidate |
--- Comment #42 from David Cook ---
(In reply to Tomás Cohen Arazi from comment #39)
> In my opinion, using OpacBaseURL as a fixed value (instead of an allow-list)
> is a design mistake because of what I mentioned above.
I was think
Tomás Cohen Arazi changed:
What|Removed |Added
Keywords||rel_23_05_candidate
--- Comment #40 from Martin Renvoize ---
We use SetEnvIf to overcome the OpacBaseUrl thing already here.. you're already
setting up a host to get the different domains..
--- Comment #39 from Tomás Cohen Arazi ---
Hi, I'm still not convinced, to be honest. In production it is common to use
several domain names for the same Koha instance, and I don't think sticking to
OpacBaseURL is enough for that use
--- Comment #38 from Martin Renvoize ---
Thanks for working on this David, your follow-up is indeed a much more thorough
way of doing things.. my approach was a little lazy.
Works great,
Martin Renvoize changed:
What|Removed |Added
Attachment #143608|0 |1
is obsolete|
--- Comment #36 from David Cook ---
I was doing some more thinking...
On one hand, I was thinking maybe we should make a more consistent login box.
For instance, if you go to
http://localhost:8080/cgi-bin/koha/opac-shelves.pl?op=ad
--- Comment #35 from David Cook ---
Note that while the code checks for URI::http as the URI class type, this
includes URI::https since it subclasses URI::http, so it works for OPACBaseURL
using either HTTP or HTTPS URLs.
--- Comment #34 from David Cook ---
Created attachment 143608
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=143608&action=edit
Bug 31699: (follow-up) Protect more against open redirects
This change checks that th
--- Comment #33 from David Cook ---
With my upcoming patch,
Without OPACBaseURL, no redirection happens for the following:
http://localhost:8080/cgi-bin/koha/opac-user.pl?return=http://koha-community.org/test?test=test
With OPACBa
--- Comment #32 from David Cook ---
(In reply to David Cook from comment #31)
> If I erase OPACBaseURL, then I get the open redirect vulnerability again.
Worth noting that this affects only logged in users. The redirect code won't
--- Comment #31 from David Cook ---
At the moment, with Martin's patches, the following will generate a
"ERR_INVALID_REDIRECT":
http://localhost:8080/cgi-bin/koha/opac-user.pl?return=http://koha-community.org/test
If I erase OPACBa
--- Comment #30 from David Cook ---
(In reply to David Nind from comment #29)
> The last follow-up has "broken" the redirect used for bug 31028 - Catalog
> concerns (see comment 323 (!!)), so it may pay to test with that bug.
That's
--- Comment #29 from David Nind ---
The last follow-up has "broken" the redirect used for bug 31028 - Catalog
concerns (see comment 323 (!!)), so it may pay to test with that bug.
--- Comment #28 from David Cook ---
Comment on attachment 143469
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=143469
Bug 31699: (follow-up) Protect against unauthorized redirects
Review of attachment 143469:
--- Comment #27 from David Cook ---
(In reply to Martin Renvoize from comment #21)
> Sorry chaps, it was late last night when this discussion took place. I've
> marked it assigned and will work on it today.
>
> Bit disappointed with
Martin Renvoize changed:
What|Removed |Added
Attachment #143465|0 |1
is obsolete|
Martin Renvoize changed:
What|Removed |Added
Attachment #143464|0 |1
is obsolete|
Martin Renvoize changed:
What|Removed |Added
Status|ASSIGNED|Passed QA
Martin Renvoize changed:
What|Removed |Added
Attachment #143463|0 |1
is obsolete|
Martin Renvoize changed:
What|Removed |Added
Attachment #143378|0 |1
is obsolete|
--- Comment #22 from Martin Renvoize ---
Created attachment 143463
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=143463&action=edit
Bug 31699: (follow-up) Protect against unauthorized redirects
Martin Renvoize changed:
What|Removed |Added
Status|Passed QA |ASSIGNED
--- Comment #20 from David Cook ---
I'd be tempted to mark this as Failed QA until it addresses the security hole,
but I'll leave it up to the RM whether we do that or add a follow-up
--- Comment #19 from David Cook ---
(In reply to Tomás Cohen Arazi from comment #16)
> Do we need some form of validation for $return?
100%
The "return" param could either be window.location.pathname +
window.location.search so the
--- Comment #18 from Tomás Cohen Arazi ---
(In reply to Martin Renvoize from comment #17)
> Hmm, probably a good idea... You thinking something like a test that at the
> base matches OpacBaseURL?
At least the domain used to retrieve
--- Comment #17 from Martin Renvoize ---
Hmm, probably a good idea... You thinking something like a test that at the
base matches OpacBaseURL?
Tomás Cohen Arazi changed:
What|Removed |Added
CC||tomasco...@gmail.com
--- Comment #15 from Martin Renvoize ---
I decided to split this into two bugs.. one for the generic return code and one
for the use of it in the biblio details comments tab.
I also added a minor follow-up on the subsequent bug to e
Martin Renvoize changed:
What|Removed |Added
Attachment #142734|0 |1
is obsolete|
Martin Renvoize changed:
What|Removed |Added
Attachment #142733|0 |1
is obsolete|
Martin Renvoize changed:
What|Removed |Added
Blocks||32125
Referenced Bugs:
--- Comment #13 from Martin Renvoize ---
(In reply to Katrin Fischer from comment #10)
> This works well and is an improvement.
>
> Tiny glitch: We return to the same page, but the active tab is 'holdings',
> instead of 'comments' n
Katrin Fischer changed:
What|Removed |Added
See Also|https://bugs.koha-community |
|.org/b
Katrin Fischer changed:
What|Removed |Added
See Also||https://bugs.koha-community
--- Comment #12 from Katrin Fischer ---
Created attachment 142734
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=142734&action=edit
Bug 31699: Implement modal context return on opac-detail
This patch utilises the
Katrin Fischer changed:
What|Removed |Added
Attachment #142204|0 |1
is obsolete|
Katrin Fischer changed:
What|Removed |Added
Status|Signed Off |Passed QA
Patch complexi
--- Comment #10 from Katrin Fischer ---
This works well and is an improvement.
Tiny glitch: We return to the same page, but the active tab is 'holdings',
instead of 'comments' now. I was wondering: Maybe it would be nice to be able
Katrin Fischer changed:
What|Removed |Added
QA Contact|testo...@bugs.koha-communit |katrin.fisc...@bsz-bw.de
Martin Renvoize changed:
What|Removed |Added
Version(s)||This patch adds the abilit
Martin Renvoize changed:
What|Removed |Added
Keywords||rel_22_11_candidate
David Cook changed:
What|Removed |Added
CC||dc...@prosentient.com.au
--- Comment #9 from David Nind ---
(In reply to Martin Renvoize from comment #6)
> Thanks for testing David.. something weird had crept in.. I've amended the
> patch (checking for boolean truthiness instead of comparing to a string)
David Nind changed:
What|Removed |Added
Attachment #142201|0 |1
is obsolete|
David Nind changed:
What|Removed |Added
Attachment #142200|0 |1
is obsolete|
David Nind changed:
What|Removed |Added
Status|Needs Signoff |Signed Off
Martin Renvoize changed:
What|Removed |Added
Status|Failed QA |Needs Signoff
Martin Renvoize changed:
What|Removed |Added
Attachment #141421|0 |1
is obsolete|
Martin Renvoize changed:
What|Removed |Added
Attachment #141420|0 |1
is obsolete|
David Nind changed:
What|Removed |Added
CC||da...@davidnind.com
Martin Renvoize changed:
What|Removed |Added
Blocks||31028
Referenced Bugs:
Martin Renvoize changed:
What|Removed |Added
Status|NEW |Needs Signoff
--- Comment #2 from Martin Renvoize ---
Created attachment 141421
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=141421&action=edit
Bug 31699: Implement modal context return on opac-detail.
This patch utilises the
--- Comment #1 from Martin Renvoize ---
Created attachment 141420
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=141420&action=edit
Bug 31699: Add 'return' option to opac modal login
This patch adds the option to
Martin Renvoize changed:
What|Removed |Added
Assignee|oleon...@myacpl.org |martin.renvoize@ptfs-europ