Main Koha release repository https://koha-community.org
Jonathan Druart f01720808a Bug 16593: Do not allow patrons to delete search history of other patrons
A malicious user can delete the search history of all other users by
correctly guessing the ID value assigned to the victim's search. As
searches are assigned values sequentially, an attacker could quickly
remove the searches belonging to all of the application's users.

To reproduce:
Login with patron A
launch a search
Note the id generated for this search history:
select id from search_history order by id desc limit 1;
Login with patron B
Hit /cgi-bin/koha/opac-search-history.pl?action=delete&id=<ID>
Note that the row is deleted in the DB

Test plan
Confirm that this patch fixes the issue.
The same test can be made at the staff interface

Reported by Alex Middleton at Dionach

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-06-24 11:47:29 +00:00
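The report above describes an insecure direct object reference: the delete handler trusts the client-supplied search id and never checks that the row belongs to the logged-in patron, and because ids are assigned sequentially an attacker can sweep them all. The following is an added illustration of that pattern and its fix, written in Python over an in-memory SQLite table; it is not Koha's code, the table layout, patron names and queries are constructed for the example, and the function names are hypothetical. The fix is the one the bug title implies: make ownership part of the DELETE predicate rather than a separate lookup.

```python
import sqlite3

# Constructed sample rows for this example (not Koha's schema or real data).
# Ids are sequential, as the report notes, so they are trivially guessable.
SEED = [
    (1, "patronA", "ti:dune"),
    (2, "patronA", "au:herbert"),
    (3, "patronB", "su:sailing"),
]


def make_db():
    """In-memory stand-in for a search_history table with a sequential id."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE search_history ("
        "  id INTEGER PRIMARY KEY,"
        "  userid TEXT NOT NULL,"
        "  query  TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO search_history VALUES (?, ?, ?)", SEED)
    conn.commit()
    return conn


def delete_unscoped(conn, current_user, search_id):
    """Vulnerable pattern (hypothetical name): the handler knows who is logged in
    (current_user) but only authenticates, never authorises. The id from the
    request is used as-is, so any patron can delete any row. Returns rows deleted."""
    cur = conn.execute("DELETE FROM search_history WHERE id = ?", (search_id,))
    conn.commit()
    return cur.rowcount


def delete_scoped(conn, current_user, search_id):
    """Hardened pattern (hypothetical name): ownership is part of the predicate,
    so a row belonging to someone else is simply not matched. rowcount is 0 both
    for 'no such id' and 'not yours', so the response cannot be used to probe
    which ids exist. Returns rows deleted (0 or 1)."""
    cur = conn.execute(
        "DELETE FROM search_history WHERE id = ? AND userid = ?",
        (search_id, current_user),
    )
    conn.commit()
    return cur.rowcount


def remaining_ids(conn):
    """Ids still present, in order; used to observe the effect of each sweep."""
    return [row[0] for row in conn.execute("SELECT id FROM search_history ORDER BY id")]


def sweep(conn, delete_fn, attacker, max_id):
    """The attack the report describes: the attacker, logged in as `attacker`,
    walks every id from 1 to max_id through the delete handler. Returns how
    many rows were actually removed."""
    removed = 0
    for search_id in range(1, max_id + 1):
        removed += delete_fn(conn, attacker, search_id)
    return removed


if __name__ == "__main__":
    # Unscoped delete: patron B wipes everyone, including patron A's two searches.
    conn = make_db()
    print("unscoped: removed", sweep(conn, delete_unscoped, "patronB", 3),
          "rows, remaining", remaining_ids(conn))
    # Scoped delete: the same sweep only touches patron B's own row.
    conn = make_db()
    print("scoped:   removed", sweep(conn, delete_scoped, "patronB", 3),
          "rows, remaining", remaining_ids(conn))
```

When reviewing a handler like this, the check to make is that the DELETE (or the SELECT that precedes it) carries the session's user id in its WHERE clause; a separate "does this row exist" lookup followed by an unscoped delete leaves the same hole and additionally leaks which ids are valid.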
acqui Bug 15531: (QA followup) Fix several small issues 2016-04-29 13:07:18 +00:00
admin Bug 13074: Use Koha::Cache to cache the defaults values of a MARC record 2016-06-17 14:29:59 +00:00
api/v1 Bug 13903: (QA followup) change routes to /holds 2016-05-04 13:54:01 +00:00
authorities Bug 16154: CGI->multi_param - Force scalar context 2016-04-26 23:16:43 +00:00
basket Bug 16447: Remove occurrence of the borrow permission which does no longer exist 2016-05-05 21:28:14 +00:00
C4 Bug 16534: (followup) - Tidy AddIssue 2016-06-24 11:45:01 +00:00
catalogue Bug 16593: Do not allow patrons to delete search history of other patrons 2016-06-24 11:47:29 +00:00
cataloguing Bug 16154: CGI->multi_param - Force scalar context 2016-04-26 23:16:43 +00:00
circ Bug 16527: Restore sticky due date behavior 2016-06-24 11:46:35 +00:00
course_reserves Bug 16154: CGI->multi_param - Force scalar context 2016-04-26 23:16:43 +00:00
debian Bug 16647: update debian/control for 16.* 2016-06-10 17:06:36 +00:00
docs Revert "Bug 7143 - Bug for tracking changes to the about page" 2016-06-04 15:46:28 +03:00
errors Bug 15288: Error pages: Code duplication removal and better translatability 2016-01-27 05:57:34 +00:00
etc Bug 15555: Index 024$a into Identifier-other:u url register when source $2 is uri 2016-04-29 13:19:28 +00:00
install_misc Bug 15303 Letsencrypt option for Debian package installations 2016-04-29 13:04:31 +00:00
installer Bug 10459 - DBRev 16.06.00.002 2016-06-10 17:15:21 +00:00
Koha Bug 16720: Remove DBIx ActionLogs.pm 2016-06-17 14:37:55 +00:00
koha-tmpl Bug 16534: (followup) Correct tiny typo 2016-06-24 11:45:01 +00:00
labels Bug 16154: CGI->multi_param - Assign a list 2016-04-26 23:16:43 +00:00
members Bug 14605 - Corrects the individual fine's description 2016-06-10 17:34:08 +00:00
misc Bug 16672: Fix typo unqiue vs unique 2016-06-17 15:45:54 +00:00
offline_circ Bug 15764: Fix timestamp sent by KOCT 2016-02-23 20:53:18 +00:00
opac Bug 16593: Do not allow patrons to delete search history of other patrons 2016-06-24 11:47:29 +00:00
OpenILS Bug 9239 QA follow-up: remove stray debug code 2013-03-16 21:32:34 -04:00
patron_lists Bug 16154: CGI->multi_param - Force scalar context 2016-04-26 23:16:43 +00:00
patroncards Bug 16747 - Patron card creator broken with version 16.05 2016-06-21 20:48:50 +00:00
plugins Bug 14951: Remove C4::Dates from plugins/*.pl files 2015-10-06 10:29:42 -03:00
reports Bug 16594: Fix obvious QA issues from bug 11371 2016-06-17 14:53:45 +00:00
reserve Bug 16693: Remove reserve/renewscript.pl 2016-06-17 15:58:03 +00:00
reviews Bug 14779: Cannot paginate reviews 2015-09-07 11:38:26 -03:00
rotating_collections Bug 15066: Make transfer rotating collection works under Plack 2015-11-05 09:50:09 -03:00
selenium Adding selenium tests for filterMembers 2009-09-30 11:30:37 +02:00
serials Bug 16154: Fix some other occurrences 2016-04-26 23:16:44 +00:00
services Bug 9978: Replace license header with the correct license (GPLv3+) 2015-04-20 09:59:38 -03:00
skel Bug 11078: Add locking to rebuild_zebra 2014-02-28 22:21:41 +00:00
sms Bug 15258: Fix Perl scripts declaring unused variables 2015-12-30 17:24:45 -07:00
suggestion Bug 16154: CGI->multi_param - Declare a list 2016-04-26 23:16:42 +00:00
svc Bug 16508: Updating a syspref requires parameters_remaining_permissions 2016-06-06 17:33:18 +00:00
t Bug 16534: Add tests for AddIssue 2016-06-24 11:45:00 +00:00
tags Bug 16154: CGI->multi_param - Assign a list 2016-04-26 23:16:43 +00:00
test Bug 9819 - 'stopwords'-related code removed 2015-12-30 15:49:35 +00:00
tmp/modified_authorities
tools Bug 16148 - Revised layout and behavior of marc modification template management 2016-06-17 16:11:43 +00:00
virtualshelves Bug 16484 - Virtualshelves: Using no XSLTResultsDisplay breaks content display in intranet 2016-05-23 17:25:24 +00:00
xt Bug 16174: (QA followup) Fix remaining tests 2016-04-01 19:11:33 +00:00
.editorconfig Bug 12545: Add EditorConfig.org file to the source tree 2014-08-22 11:07:45 -03:00
.htaccess Fix file permissions: if it is not a script, it should not be executable. 2010-04-16 00:40:34 -04:00
.mailmap (RM followup) .mailmap updates 2015-05-22 17:02:21 -03:00
about.pl Bug 12721 - Syspref StatisticsFields: Warning on About page and text change in System preferences 2016-04-29 02:48:30 +00:00
changelanguage.pl Bug 9978: (followup) Replace license header with the correct license (GPLv3+) 2015-04-20 09:59:43 -03:00
edithelp.pl Bug 16447: Remove occurrence of the borrow permission which does no longer exist 2016-05-05 21:28:14 +00:00
fix-perl-path.PL Bug 9978: (followup) Replace license header with the correct license (GPLv3+) 2015-04-20 09:59:43 -03:00
help.pl Bug 14812: Display the help in the correct language 2015-10-02 15:06:08 -03:00
INSTALL Bug 7759, update of install files to use background indexing (and some whitespace tidy) 2012-04-20 16:11:52 +02:00
install-CPAN.pl Bug 9978: Replace license header with the correct license (GPLv3+) 2015-04-20 09:59:38 -03:00
INSTALL.debian Bug 8092 follow-up: Add optional dependency on CHI 2012-06-09 13:08:18 +02:00
INSTALL.fedora7 Bug 13642 - Remove MARC::Crosswalk::DublinCore from Koha 2016-01-27 06:23:08 +00:00
INSTALL.opensuse Bug 11757: remove dependency on POE 2014-02-15 01:38:15 +00:00
INSTALL.ubuntu Bug 7764: (follow-up) editorial tweaks 2013-10-04 16:27:55 +00:00
Koha.pm Bug 10459 - DBRev 16.06.00.002 2016-06-10 17:15:21 +00:00
koha_perl_deps.pl bug 10548: fix count of missing required dependencies by koha_perl_deps.pl 2013-07-11 14:03:32 +00:00
kohaversion.pl Bug 13758: Move the Koha version from kohaversion.pl 2015-05-07 11:39:04 -03:00
LICENSE Bug 9440 - update Koha's LICENSE file from GPL2 to GPL3 2013-02-12 08:52:10 -05:00
mainpage.pl Bug 15548: Move new patron related code to Patron* 2016-03-03 14:38:26 -07:00
Makefile.PL Bug 16222: (QA followup) Add /api dir for the API 2016-04-20 21:18:36 +00:00
MANIFEST.SKIP Bug 9546 : Updating make manifest tardist 2013-02-06 23:54:46 -05:00
README Bug 9440 - update Koha's LICENSE file from GPL2 to GPL3 2013-02-12 08:52:10 -05:00
README.md Bug 15465 [QA Followup] - Update wording, switch logo, add links 2016-02-24 04:02:26 +00:00
README.robots Bug 6411 add another example to README.robots 2011-07-05 14:48:05 +12:00
rewrite-config.PL Bug 16222: (QA followup) Add /api dir for the API 2016-04-20 21:18:36 +00:00

Koha is a free software integrated library system (ILS).

Koha is distributed under the GNU GPL version 3 or later.

Note: This is a synced mirror of the official Koha repo.

Note: Koha does not accept pull requests from git hosting sites.

Note: This project has its own bug tracker; to report a bug or submit a patch visit http://bugs.koha-community.org.

For guidelines on submitting patches for Koha please visit https://wiki.koha-community.org/wiki/SubmitingAPatch

The developers handbook can be found at https://wiki.koha-community.org/wiki/Developer_handbook

http://koha-community.org/
