{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":677375629,"defaultBranch":"ks23","name":"Koha-23x","ownerLogin":"KohaSuomi","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2023-08-11T12:17:55.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/12711169?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1726744000.0","currentOid":""},"activityList":{"items":[{"before":"587402321f6b8ffe6950b9ae7728e1327e252787","after":"35faefd170d4ab85ab8d541498009bf5519815a5","ref":"refs/heads/ksdev/ks-0189-KOHA-1419-add-bib-levels","pushedAt":"2024-09-24T05:47:19.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"johannaraisa","name":"Johanna Räisä","path":"/johannaraisa","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/1818117?s=80&v=4"},"commit":{"message":"KS-1419: Add bib-level d to component part search","shortMessageHtmlLink":"KS-1419: Add bib-level d to component part search"}},{"before":null,"after":"587402321f6b8ffe6950b9ae7728e1327e252787","ref":"refs/heads/ksdev/ks-0189-KOHA-1419-add-bib-levels","pushedAt":"2024-09-19T11:06:40.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"johannaraisa","name":"Johanna Räisä","path":"/johannaraisa","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/1818117?s=80&v=4"},"commit":{"message":"KS-1419: Add bib-level d to component part search","shortMessageHtmlLink":"KS-1419: Add bib-level d to component part search"}},{"before":null,"after":"6c6baf7030a1b5911a9bc60931abbc7c9cad1417","ref":"refs/heads/ksdev/ks-0181-KSU-23-utility-enhancement","pushedAt":"2024-09-16T18:16:17.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"emta001","name":"Emmi Takkinen","path":"/emta001","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/37581745?s=80&v=4"},"commit":{"message":"Bug 37508: Throw error if password column is detected in SQL report\n\nTHIS 
PATCH CONTAINS FOLLOWING PATCHES:\n\nThis enhancement prevents SQL queries from being run if they would return a password field from the database table.\n\nTo test:\n\n1. Run tests and notice they fail t/db_dependent/Reports/Guided.t\n\n2. Apply patch and restart services\n\n3. Create a public report with an SQL report which would access a password column in a database table\n4. Try to run the report. Notice you are met with an error and the results are not shown.\n5. Access the JSON URL, you should not get the results and should be shown an error\n6. Confirm tests pass t/db_dependent/Reports/Guided.t\n\nSponsored-by: Reserve Bank of New Zealand\nSigned-off-by: David Cook \n\nSigned-off-by: Marcel de Rooy \nSigned-off-by: Tomas Cohen Arazi \n\nBug 37508: Test for errors when returning an aliased password column\n\nSigned-off-by: David Cook \n\nSigned-off-by: Marcel de Rooy \nSigned-off-by: Tomas Cohen Arazi \n\nBug 37508: (follow-up) Throw error if password is in SQL query at all\n\nConfirm tests pass t/db_dependent/Reports/Guided.t\n\nSigned-off-by: David Cook \n\nSigned-off-by: Marcel de Rooy \nSigned-off-by: Tomas Cohen Arazi \n\nBug 37508: (follow-up) Don't pass the column or sql containing password\n\nThis patch replaces these variables with a non-translatable message.\n\nSigned-off-by: Marcel de Rooy \nSigned-off-by: Tomas Cohen Arazi \n\nBug 37508: (QA follow-up) Move check to Koha::Report, extend\n\nDo not allow password but allow password_expiry_days etc.\nDo not allow token, secret and uuid too.\n\nTest plan:\nRun t/db_dependent/Koha/Reports.t\n\nSigned-off-by: Marcel de Rooy \nSigned-off-by: Tomas Cohen Arazi \n\nBug 37508: (QA follow-up) Use ->check_columns\n\nAdd shebang to Guided.t too.\n\nTest plan:\nSee also previous commits.\nTry sql like:\n select access_token from oauth_access_tokens\n\nSigned-off-by: Marcel de Rooy \nSigned-off-by: Tomas Cohen Arazi \n\nBug 37508: Don't return Internal server error when running report\n\nTo test:\n1 - Create a 
report like:\nSELECT \"a\"\nFROM borrowers\nWHERE <> != ''\n2 - Run report\n3 - Enter \"password\"\n4 - Internal server error / stacktrace\n5 - Apply patch\n6 - Repeat\n7 - Get a yellow warning box\n\nSigned-off-by: Marcel de Rooy \nSigned-off-by: Tomas Cohen Arazi \n\nBug 37508: (QA follow-up) Move sth error check up\n\nThis patch moves the error check right before the ->check_columns call.\nThis is how main and 24.05 behave. 23.11 doesn't have bug 35907\nbackported so things are not exactly the same. With this patch tests\npass and the only difference in behavior is logging.\n\nSigned-off-by: Tomas Cohen Arazi ","shortMessageHtmlLink":"Bug 37508: Throw error if password column is detected in SQL report"}},{"before":null,"after":"b23c97a6835b83ec715ae5629a738fba531cf95d","ref":"refs/heads/ksdev/ks-0183-KSU-25-utility-enhancement","pushedAt":"2024-09-16T18:16:17.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"emta001","name":"Emmi Takkinen","path":"/emta001","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/37581745?s=80&v=4"},"commit":{"message":"Bug 37323: Escape characters in patron image picture upload\n\nTHIS PATCH CONTAINS FOLLOWING PATCHES:\n\nTo Test\n1. Create a file name for example: test.zip`curl xxxxtesting.informaticsglobal.com`.zip\n where the domain is one you can watch the logs from.\n2. Go to Tools and click on Upload patron images choose option zip file and upload the file.\n3. Check /var/log/apache2/access.log and see the curl with the IP\n \"xx.xxx.xx.xxx - - [11/Jul/2024:23:10:33 +0530] \"GET / HTTP/1.1\" 200 267 \"-\" \"curl/7.68.0\"\n4. Apply the patch\n5. Repeat steps 2 and 3 and check no error is coming for the Remote execution error.\n6. 
Test uploading actual zip file and images still works.\n\nSigned-off-by: Chris Cormack \nSigned-off-by: David Cook \nSigned-off-by: Nick Clemens \nSigned-off-by: Tomas Cohen Arazi \n\nBug 37323: Don't allow symlinks in link files in zip and validate filepaths\n\nTest plan:\n0. Apply patch and restart/reload Koha\n1. Test that uploading a patron image still works, in single file format and as a zip\n\nWork as suggested\n\nSigned-off-by: Amit Gupta \nSigned-off-by: David Cook \nSigned-off-by: Nick Clemens \nSigned-off-by: Tomas Cohen Arazi \n\nBug 37323: Tidy\n\nSigned-off-by: David Cook \nSigned-off-by: Nick Clemens \nSigned-off-by: Tomas Cohen Arazi ","shortMessageHtmlLink":"Bug 37323: Escape characters in patron image picture upload"}},{"before":null,"after":"b8fd2689aa5b84f44317c3cb4676d0b66974e0d5","ref":"refs/heads/ksdev/ks-0184-KSU-26-utility-enhancement","pushedAt":"2024-09-16T18:16:17.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"emta001","name":"Emmi Takkinen","path":"/emta001","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/37581745?s=80&v=4"},"commit":{"message":"Bug 37488: Validate paths in datalink.txt/idlink.txt files\n\nThis change validates the paths in datalink.txt/idlink.txt,\nso that only images in the unpacked archive directory are allowed\n\nTest plan:\n0. Apply the patch\n1. koha-plack --reload kohadev\n2. Create a datalink.txt file with the following:\n42,selfie.jpg\n3. Create a jpeg at selfie.jpg\n4. ZIP the datalink.txt and selfie.jpg files\n5. Upload to the \"Upload patron images\" tool\n(after enabling the \"patronimages\" system preference)\n6. 
Note that the image uploads correctly\n\nSigned-off-by: Nick Clemens \n\nSigned-off-by: Marcel de Rooy \nSigned-off-by: Tomas Cohen Arazi ","shortMessageHtmlLink":"Bug 37488: Validate paths in datalink.txt/idlink.txt files"}},{"before":null,"after":"cddcdc89d65997a1251130fc09962003b1b2b210","ref":"refs/heads/ksdev/ks-0185-KSU-27-utility-enhancement","pushedAt":"2024-09-16T18:16:17.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"emta001","name":"Emmi Takkinen","path":"/emta001","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/37581745?s=80&v=4"},"commit":{"message":"Bug 37466: Add correct filter for sort_by in results.tt\n\nThis patch replaces the $raw filter with the correct uri filter\nfor the sort_by in results.tt\n\nTest plan:\n1. Apply patch\n2. Go to /cgi-bin/koha/catalogue/search.pl?count=20&sort_by=popularity_dsc&idx=kw&q=1\n3. Click on \"Edit this search\"\n4. Note that the \"Popularity (most to least)\" Sort by option is selected\n5. Go to /cgi-bin/koha/catalogue/search.pl?count=20&sort_by=popularity_dsc&idx=kw&q=24y24ty2498294t9824yt9y23\n6. Click on \"Edit this search\"\n7. Note that the \"Popularity (most to least)\" Sort by option is selected\n\nSigned-off-by: Victor Grousset/tuxayo \nSigned-off-by: Aleisha Amohia \nSigned-off-by: Tomas Cohen Arazi ","shortMessageHtmlLink":"Bug 37466: Add correct filter for sort_by in results.tt"}},{"before":null,"after":"ce9b222dce0c8866883fece4833738cbeefa84ab","ref":"refs/heads/ksdev/ks-0182-KSU-24-utility-enhancement","pushedAt":"2024-09-16T18:16:17.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"emta001","name":"Emmi Takkinen","path":"/emta001","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/37581745?s=80&v=4"},"commit":{"message":"Bug 37464: Validate \"type\" sent to barcode/svc\n\nThis change validates the \"type\" sent to the barcode/svc. 
Without this\nchange, we pass the user input directly to GD::Barcode, which passes\nthe input into an eval{} block without any validation of its own.\n\nTest plan:\n0. Apply the patch\n1. koha-plack --reload kohadev\n2. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=bad&barcode=123456\n3. Note that a Code39 barcode is provided for an invalid type\n4. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=Code39&barcode=123456\n5. Note that a Code39 barcode is provided\n6. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=UPCE&barcode=123456\n7. Note that a non-Code39 barcode is provided (presumably UPCE)\n\nSigned-off-by: Victor Grousset/tuxayo \nSigned-off-by: Aleisha Amohia \nSigned-off-by: Tomas Cohen Arazi ","shortMessageHtmlLink":"Bug 37464: Validate \"type\" sent to barcode/svc"}},{"before":"ecbd2768dbc13c46862eaf51dec9e44934ea64f2","after":"ac637dcfd2f6f6039efafab0cdb27bd9de508ce6","ref":"refs/heads/ksdev/ks-0022-K23-12-pendingreserves","pushedAt":"2024-09-12T06:57:32.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lmstrand","name":"Lari Strand","path":"/lmstrand","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/18394834?s=80&v=4"},"commit":{"message":"Add default sort order and display length","shortMessageHtmlLink":"Add default sort order and display length"}},{"before":"282f14692595921622239982327dc9e0737e2621","after":"04c952fd68460313da3f1ac5b391f3d375277b8f","ref":"refs/heads/ksdev/ks-0015-K23-7-holds-page-REST","pushedAt":"2024-08-07T10:58:56.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"lasse-koha","name":null,"path":"/lasse-koha","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/120379398?s=80&v=4"},"commit":{"message":"Show active, triggered and inactive holds","shortMessageHtmlLink":"Show active, triggered and inactive 
holds"}},{"before":"3e00c0951d032ec88b1aac704e102d93379f98e0","after":"282f14692595921622239982327dc9e0737e2621","ref":"refs/heads/ksdev/ks-0015-K23-7-holds-page-REST","pushedAt":"2024-08-07T10:53:07.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lasse-koha","name":null,"path":"/lasse-koha","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/120379398?s=80&v=4"},"commit":{"message":"Show active, triggered and inactive holds","shortMessageHtmlLink":"Show active, triggered and inactive holds"}},{"before":"1c82cf07b824284579f1dfc68cdfa107200eac29","after":"b00b31600d88d7c904ac7430db67fe2dd81d4df8","ref":"refs/heads/ksdev/ks-0171-KSU-12-utility-enhancement","pushedAt":"2024-08-06T10:00:25.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"emta001","name":"Emmi Takkinen","path":"/emta001","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/37581745?s=80&v=4"},"commit":{"message":"Bug 37533: fix query in orderreceive.tt\n\nThe new validation in the REST API will no longer allow\nthe operator \"in\". 
Consequently, it has to be replaced\nwith the allowed \"-in\".\n\nTest plan:\n\n * Open an invoice and click \"Go to receipt page\" and\n on any basket click \"receive\" and make sure the dialog\n box appears.\n\nSigned-off-by: Aleisha Amohia \nSigned-off-by: David Cook ","shortMessageHtmlLink":"Bug 37533: fix query in orderreceive.tt"}},{"before":null,"after":"1c82cf07b824284579f1dfc68cdfa107200eac29","ref":"refs/heads/ksdev/ks-0171-KSU-12-utility-enhancement","pushedAt":"2024-08-06T04:24:29.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"emta001","name":"Emmi Takkinen","path":"/emta001","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/37581745?s=80&v=4"},"commit":{"message":"Bug 37018: Add 400 response definition to all routes\n\nThis patch adds a test for well defined 400 responses on all verbs and\npaths on the API spec.\n\nThe tests verify:\n\n* Presence of 400 response definition\n* The description must start with 'Bad request' (needs coding guideline)\n* If DBIC queries are allowed on the route, then `invalid_query` needs\n to be mentioned in the description.\n\nAll routes get fixed to make the tests pass.\n\nTo test:\n1. Apply this patch\n2. 
Run:\n $ ktd --shell\n k$ yarn api:bundle\n k$ prove xt/api.t\n=> SUCCESS: Tests pass!\n\nSigned-off-by: Tomas Cohen Arazi \nSigned-off-by: Martin Renvoize \n\nSigned-off-by: Jonathan Druart ","shortMessageHtmlLink":"Bug 37018: Add 400 response definition to all routes"}},{"before":null,"after":"aec8c32dc0ccfe8993f28c4a8fbc206e9f974c01","ref":"refs/heads/ksdev/ks-0174-KSU-15-utility-enhancement","pushedAt":"2024-08-06T04:24:29.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"emta001","name":"Emmi Takkinen","path":"/emta001","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/37581745?s=80&v=4"},"commit":{"message":"Bug 37247: Fix display of \"closed\"\n\nThe subscription was not shown as closed after we closed it.\nThis is because \"closed\" is not passed to the template.\nIt seems more reliable to rely on the subscription object (that is passed to both\nserials/serials-collection.tt and serials/subscription-detail.tt, the\nothers are not showing the Reopen/Close buttons)\n\nAlso fetch the subscription object after and reopen/close it to display\naccurate values.\n\nSigned-off-by: Chris Cormack \nSigned-off-by: Martin Renvoize ","shortMessageHtmlLink":"Bug 37247: Fix display of \"closed\""}},{"before":null,"after":"c02b70b917f3aca332bccc5731b1f05627aa23d8","ref":"refs/heads/ksdev/ks-0172-KSU-13-utility-enhancement","pushedAt":"2024-08-06T04:24:29.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"emta001","name":"Emmi Takkinen","path":"/emta001","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/37581745?s=80&v=4"},"commit":{"message":"Bug 37146: Prevent path traversal by validating input\n\nThis patch validates the plugin_name passed to plugin_launcher.pl\nagainst the base path containing the \"value_builder\" directory.\n\nTest plan:\n0. Apply the patch\n1. koha-plack --reload kohadev\n2. Go to http://localhost:8081/cgi-bin/koha/cataloguing/addbiblio.pl?biblionumber=29\n3. 
Check that the tag editor for leader still works\n4. Go to http://localhost:8081/cgi-bin/koha/cataloguing/additem.pl?biblionumber=29\n5. Check that the plugin for \"Date acquired\" still works\n\nSigned-off-by: Nick Clemens \nSigned-off-by: Chris Cormack ","shortMessageHtmlLink":"Bug 37146: Prevent path traversal by validating input"}},{"before":null,"after":"e93c7510aa8fdb5d3a1dacd067683e0dfe94d657","ref":"refs/heads/ksdev/ks-0173-KSU-14-utility-enhancement","pushedAt":"2024-08-06T04:24:29.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"emta001","name":"Emmi Takkinen","path":"/emta001","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/37581745?s=80&v=4"},"commit":{"message":"Bug 37210: Escape single quote in search string in overdue.pl\n\nTo Test:\n1. Go to /cgi-bin/koha/circ/overdue.pl\n2. In the «Name or card number» field, type «Tommy'and(select(0)from(select(sleep(10)))v)and'»\n3. Apply the filter\n ==> It takes 10 seconds, sleep(10) is executed\n4. Inspect the page, in «Patron category:» field, put «Tommy'and(select(0)from(select(sleep(10)))v)and'» in one of his option's value\n5. select the option from the filter and Apply the filter\n ==> It takes 10 seconds, sleep(10) is executed\nwe can inject SQL to the following fields : borname, itemtype, borcat, holdingbranch, homebranch and branch\n6. Apply the patch\n7. Repeat step 1,2,3\n ==> it doesn't take 10 seconds, the injected sql is not executed\n8. Repeat step 5\n==> it doesn't take 10 seconds, the injected sql is not executed\n9. 
Repeat step 5 with the following fields : itemtype, holdingbranch, homebranch and branch\n ==> it doesn't take 10 seconds, the injected sql is not executed\n\nSigned-off-by: Chris Cormack \n\nSigned-off-by: Marcel de Rooy ","shortMessageHtmlLink":"Bug 37210: Escape single quote in search string in overdue.pl"}},{"before":"f3a290480c613acb7ec336a37195bf43ac39cb67","after":"504bfa4462b2bc07c7ce5562a6ec32aa0721711c","ref":"refs/heads/ksdev/ks-0122-on-0032-KD-G762-include-all-charges-for-totals-in-intranet","pushedAt":"2024-08-05T11:31:53.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lmstrand","name":"Lari Strand","path":"/lmstrand","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/18394834?s=80&v=4"},"commit":{"message":"Bug 36292: Fixed 'See all charges' hyperlink for guarantees/guarantor linked charges","shortMessageHtmlLink":"Bug 36292: Fixed 'See all charges' hyperlink for guarantees/guarantor…"}},{"before":null,"after":"031eef71e8924c879b24d41c7f256e78d12db4bc","ref":"refs/heads/ksdev/ks-0035-K23-23-no-scripts-in-sysprefs","pushedAt":"2024-08-02T13:11:08.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"CodoDerDritte","name":"Kodo Korkalo","path":"/CodoDerDritte","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/13198085?s=80&v=4"},"commit":{"message":"KD-4346 Prevent harmful tags in system preferences\n\nPrevent using certain potentially harmful HTML-tags in system\npreferences.","shortMessageHtmlLink":"KD-4346 Prevent harmful tags in system preferences"}},{"before":"4e9fd43a887815c12bba0140f327fb7ffb66bc06","after":"b3973a42e680338fd089abfedbe64f393f3efaea","ref":"refs/heads/ksdev/ks-0163-G1308-fix-bypass-checkout-restriction","pushedAt":"2024-07-04T09:43:28.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lmstrand","name":"Lari Strand","path":"/lmstrand","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/18394834?s=80&v=4"},"commit":{"message":"Bug 36139: Bug 35518 (follow-up) to fix 
AutoSwitchPatron - clear variables\n\nBug 35518 moved some code blocks to after the call to\nget_user_and_template() so that userenv would be populated before it\nwas needed. This caused a couple of variables to be set before the\nAutoSwitchPatron block could prevent them from being set. Which broke\nAutoSwitchPatron functionality. This clears two variables so that\nAutoSwitchPatron works again.\n\nThe AutoSwitchPatron clears the $borrowernumber variable to switch\npatrons. With the AutoSwitchPatron block moved, the $patron variable\nstill gets set, and the patron doesn't get switched. This clears the\n$patron variable too.\n\nAlso clear the barcode list.\nThe AutoSwitchPatron block got moved, and now the @$barcodes variable\ngets filled and not cleared. Leading to a 'Barcode not found' error\nwhen the patron is auto switched.\n\nTest plan:\n1. Ensure AutoSwitchPatron is turned on.\n2. Select the card number of two patron accounts.\n3. Find the first patron in circulation.\n4. Enter the second patron's card number in the item barcode field to\n switch patrons.\n5. Observe the error about item barcode not existing, and the patron did\n not switch.\n6. Apply patch and restart services.\n7. Enter the second patron's card number in the item barcode field\n again.\n8. 
Observe that the patron was switched with no error about an invalid\n barcode.\n\nkidclamp amended patch - tidy and fix commit message\n\nSigned-off-by: David Nind ","shortMessageHtmlLink":"Bug 36139: Bug 35518 (follow-up) to fix AutoSwitchPatron - clear vari…"}},{"before":null,"after":"4e9fd43a887815c12bba0140f327fb7ffb66bc06","ref":"refs/heads/ksdev/ks-0163-G1308-fix-bypass-checkout-restriction","pushedAt":"2024-07-03T10:19:05.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"lmstrand","name":"Lari Strand","path":"/lmstrand","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/18394834?s=80&v=4"},"commit":{"message":"Bug 35518: Check authentication and set userenv before fetching userenv variables\n\nCurrently we get the userenv before we have set it correctly for the session\n\nTo test:\n 1 - Sign in as a user with fast cataloging permission\n 2 - Bring up a patron, type gibberish into barcode field to get a fast cataloging link\n 3 - Check the link, it should have your current signed in barcode\n 4 - Sign in to a different browser with a different user and at a different branch\n 5 - Bring up a patron in circulation and type gibberish into barcode field to get a fast cataloging link\n 6 - It may have your branch, but it may also have the other user's branch from the other window\n 7 - Keep entering gibberish to get a link until one user has the correct branch\n 8 - Then switch to the other browser, and keep entering gibberish, watch the branchcode change\n 9 - Apply patch, restart all\n10 - Test switching between browsers. 
generating fast cataloging links\n11 - Users should now consistently have the correct branch\n\nSigned-off-by: David Nind \nSigned-off-by: Martin Renvoize \n(cherry picked from commit 90b6f68616e2ba5ca3fcbbd9698c97ef41a45593)\nSigned-off-by: Fridolin Somers ","shortMessageHtmlLink":"Bug 35518: Check authentication and set userenv before fetching usere…"}},{"before":null,"after":"32c43a798199bac76f3db3b827ede8b1add64132","ref":"refs/heads/ksdev/ks-0159-KSU-5-utility-enhancement","pushedAt":"2024-06-24T18:56:24.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"emta001","name":"Emmi Takkinen","path":"/emta001","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/37581745?s=80&v=4"},"commit":{"message":"Bug 36520: Prevent SQL injection in GetPreparedLetter\n\nThis patch contains following patches:\n\nBug 36520: Add tests\n\nSigned-off-by: Victor Grousset/tuxayo \n\nSigned-off-by: Marcel de Rooy \n(cherry picked from commit ebbab1b398a97ecc884d4cbf22d5bd4239e014cb)\nSigned-off-by: Fridolin Somers \n\nBug 36520: Prevent SQL injection in GetPreparedLetter\n\nActually in _get_tt_params\n\nThe following query will delay the response\n\nSELECT `me`.`biblionumber`, `me`.`frameworkcode`, `me`.`author`, `me`.`title`, `me`.`medium`, `me`.`subtitle`, `me`.`part_number`, `me`.`part_name`, `me`.`unititle`, `me`.`notes`, `me`.`serial`, `me`.`seriestitle`\n, `me`.`copyrightdate`, `me`.`timestamp`, `me`.`datecreated`, `me`.`abstract`\n FROM `biblio` `me`\nWHERE `biblionumber` = '1) AND (SELECT 1 FROM (SELECT(SLEEP(6)))x)-- -'\nORDER BY field( biblionumber, 1 ) AND (\n SELECT 1\n FROM\n SELECT SLEEP( 6 ) x\n ) -- - )\n\nTo test\n1/ Add some items to your cart in the opac\n2/ Choose send cart\n3/ Open firefox developer tools and switch to the network tab\n4/ Send cart\n5/ In the network tab, find the post request and choose copy as curl\n6/ Edit the curl command to add )+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))x)--+- to the bib_list parameter\n7/ Run the curl 
notice it takes a long time to respond, if you want to check run the curl without the above part added\n8/ Apply the patch and restart plack\n9/ Run the modified curl and notice no longer the slow down\n10/ Test in browser and make sure the basket is still sent\n\nSigned-off-by: Chris Cormack \nSigned-off-by: Victor Grousset/tuxayo \n\nSigned-off-by: Marcel de Rooy \n(cherry picked from commit 0b3c98b0ba01ea5c886ecfe8eef174b5b7c6ec25)\nSigned-off-by: Fridolin Somers \n\nBug 36520: Sanitize input in opac-sendbasket.pl\n\nTo test\n1/ Add some items to your cart in the opac\n2/ Choose send cart\n3/ Open firefox developer tools and switch to the network tab\n4/ Send cart\n5/ In the network tab, find the post request and choose copy as curl\n6/ Edit the curl command to add )+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))x)--+- to the bib_list parameter\n7/ Run the curl notice it takes a long time to respond, if you want to check run the curl without the above part added\n8/ Apply the patch and restart plack\n9/ Run the modified curl and notice no longer the slow down\n10/ Test in browser and make sure the basket is still sent\n\nSigned-off-by: Amit Gupta \nSigned-off-by: Martin Renvoize \nSigned-off-by: Victor Grousset/tuxayo \n\nSigned-off-by: Marcel de Rooy \n(cherry picked from commit 2f3f42ba98b698871bc473d65a14b5e89d0ae86c)\nSigned-off-by: Fridolin Somers ","shortMessageHtmlLink":"Bug 36520: Prevent SQL injection in GetPreparedLetter"}},{"before":null,"after":"acad016e3cb4b3a62d906ff22259aaab1f61d50b","ref":"refs/heads/ksdev/ks-0161-KSU-8-utility-enhancement","pushedAt":"2024-06-24T18:56:24.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"emta001","name":"Emmi Takkinen","path":"/emta001","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/37581745?s=80&v=4"},"commit":{"message":"Bug 36875: Do not pass unsanitized language to $page->translated_content\n\nTest plan:\nTry to access opac-page.pl with a language not in OPACLanguages.\nVerify that 
this 'language' was not passed to sql. Simplest perhaps\nby debugging AdditionalContent.pm. Something like:\n sub translated_content {\n my ( $self, $lang ) = @_;\n+warn \"L137: $lang\";\nNow have a public additional_contents page and hit it:\n /cgi-bin/koha/opac-page.pl?page_id=5&language=badsql\nCheck your log and find:\n[2024/05/16 07:25:53] [WARN] L137: en at [etc] line 137.\nSo badsql was caught.\n\nSigned-off-by: Marcel de Rooy \nSigned-off-by: Victor Grousset/tuxayo \nSigned-off-by: Martin Renvoize \n(cherry picked from commit 1a9e3647095eaf9563db59bd8b3a759a0875cc39)\nSigned-off-by: Fridolin Somers \n\nTHIS PATCH ALSO CONTAINS FOLLOWING PATCHES FROM COMMUNITY:\n\nBug 36875: Staff counterpart\n\nSame change.\n\nSigned-off-by: Marcel de Rooy \nSigned-off-by: Victor Grousset/tuxayo \nSigned-off-by: Martin Renvoize \n(cherry picked from commit 73423bd894d5365ac491c92c6d5576052e4732f0)\nSigned-off-by: Fridolin Somers \n\nBug 36875: Unit test\n\nTest plan:\nRun Koha/AdditionalContents.t without next patch.\nShould fail on the sleep execution.\n\nSigned-off-by: Marcel de Rooy \nSigned-off-by: Victor Grousset/tuxayo \nSigned-off-by: Martin Renvoize \n(cherry picked from commit 58573f139427fa15c2c600edc65d0d263cd00222)\nSigned-off-by: Fridolin Somers \n\nBug 36875: (follow-up) Modify query in translated_content\n\nThis removes the MySQLism for FIELD(..).\nIn this case we just want to get the non-default records in\nthe front. So we can just test lang=default. And prevent inserting\n$lang in the expression. 
And so prevent execution in ORDER BY.\nNo longer needing the ->quote call too.\n\nTest plan:\nRun Koha/AdditionalContents.t again.\n\nSigned-off-by: Marcel de Rooy \nSigned-off-by: Victor Grousset/tuxayo \nSigned-off-by: Martin Renvoize \n(cherry picked from commit c16f5c61849460489992977812f020ec7fa5c9f3)\nSigned-off-by: Fridolin Somers ","shortMessageHtmlLink":"Bug 36875: Do not pass unsanitized language to $page->translated_content"}},{"before":null,"after":"fa51106e831ba263b869d802e747add23251a21b","ref":"refs/heads/ksdev/ks-0160-KSU-7-utility-enhancement","pushedAt":"2024-06-24T18:56:24.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"emta001","name":"Emmi Takkinen","path":"/emta001","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/37581745?s=80&v=4"},"commit":{"message":"Bug 36818: Escape characters in file names uploaded\n\nTo test:\n1/ create a file named something like 'execute`curl blog.bigballofwax.co.nz`.zip'\n Where the domain is one you can watch the logs from\n2/ Upload this file as a cover image\n3/ Check /var/lib/koha/sitename/tmp/koha_sitename/ and see unescaped filenames\n4/ Choose process, check the logs of the webserver see the connection has been made\n5/ Apply the patch\n5/ Repeat 2 & 3 and see the filename is now escaped\n6/ Choose process and check no errors but no remote execution occurs\n7/ Test uploading actual zip file and images still works\n\nSigned-off-by: Amit Gupta \nSigned-off-by: Martin Renvoize \n(cherry picked from commit 14bdaae3f257a321f8ec0d32c6b1e9bc6ed6033d)\nSigned-off-by: Fridolin Somers ","shortMessageHtmlLink":"Bug 36818: Escape characters in file names uploaded"}},{"before":"a451a2c4d37689628915d467241f328275b8abae","after":"f3a290480c613acb7ec336a37195bf43ac39cb67","ref":"refs/heads/ksdev/ks-0122-on-0032-KD-G762-include-all-charges-for-totals-in-intranet","pushedAt":"2024-06-20T06:55:27.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"lmstrand","name":"Lari 
Strand","path":"/lmstrand","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/18394834?s=80&v=4"},"commit":{"message":"G1173 Show guarantees' total charges","shortMessageHtmlLink":"G1173 Show guarantees' total charges"}},{"before":"0c95d3ca98e77f6201993cafb9b2cc4a5650035a","after":"a451a2c4d37689628915d467241f328275b8abae","ref":"refs/heads/ksdev/ks-0122-on-0032-KD-G762-include-all-charges-for-totals-in-intranet","pushedAt":"2024-06-20T06:17:00.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"lmstrand","name":"Lari Strand","path":"/lmstrand","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/18394834?s=80&v=4"},"commit":{"message":"G1173 Show guarantees' total charges","shortMessageHtmlLink":"G1173 Show guarantees' total charges"}},{"before":"7991770157667ab0169308e19848bbf2f4195213","after":"0c95d3ca98e77f6201993cafb9b2cc4a5650035a","ref":"refs/heads/ksdev/ks-0122-on-0032-KD-G762-include-all-charges-for-totals-in-intranet","pushedAt":"2024-06-19T13:29:19.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lmstrand","name":"Lari Strand","path":"/lmstrand","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/18394834?s=80&v=4"},"commit":{"message":"G1173 fixes","shortMessageHtmlLink":"G1173 fixes"}},{"before":"d302788ce5d56e45d949e8928c4dce06b8c00110","after":"7991770157667ab0169308e19848bbf2f4195213","ref":"refs/heads/ksdev/ks-0122-on-0032-KD-G762-include-all-charges-for-totals-in-intranet","pushedAt":"2024-06-19T13:27:28.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lmstrand","name":"Lari Strand","path":"/lmstrand","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/18394834?s=80&v=4"},"commit":{"message":"G1173 fixes","shortMessageHtmlLink":"G1173 
fixes"}},{"before":"75833316309affbfc35338c2db5e7c163c12cd2e","after":"d302788ce5d56e45d949e8928c4dce06b8c00110","ref":"refs/heads/ksdev/ks-0122-on-0032-KD-G762-include-all-charges-for-totals-in-intranet","pushedAt":"2024-06-19T13:14:54.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lmstrand","name":"Lari Strand","path":"/lmstrand","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/18394834?s=80&v=4"},"commit":{"message":"G1173 fixes","shortMessageHtmlLink":"G1173 fixes"}},{"before":"690b48e6087ab67104fb3524598726ee619fea61","after":"75833316309affbfc35338c2db5e7c163c12cd2e","ref":"refs/heads/ksdev/ks-0122-on-0032-KD-G762-include-all-charges-for-totals-in-intranet","pushedAt":"2024-06-19T12:48:23.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lmstrand","name":"Lari Strand","path":"/lmstrand","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/18394834?s=80&v=4"},"commit":{"message":"G1173 Show guarantees' total charges","shortMessageHtmlLink":"G1173 Show guarantees' total charges"}},{"before":"97a2fe4c8da17367c5b7069211846896e32efc35","after":"5f5b1c3778d6a33565ef15d1f0cd8b93b45ecddf","ref":"refs/heads/ksdev/ks-0043-K23-15-SIP2","pushedAt":"2024-06-18T08:27:36.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lmstrand","name":"Lari Strand","path":"/lmstrand","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/18394834?s=80&v=4"},"commit":{"message":"Bug 37016: Invalid due date in SIP renew response\n\nTest plan using koha-testing-docker:\n\n1) Make sure SIP is running. 
You may need to edit\n /etc/koha/sites/SIPconfig.xml and remove the 8023 connector and\n restart the SIP-server (koha-sip --restart kohadev)\n2) Find a patron, say 23529000197047\n3) Set a password by selecting \"change password\", set it to\n \"Password1234\"\n4) Find a book, say 39999000000856\n5) Issue book to patron with sip-client:\n sudo koha-shell -c \"/usr/share/koha/bin/sip_cli_emulator.pl \\\n --address localhost --port 6001 -t cr \\\n --su term1 --sp term1 --message checkout \\\n --location CPL --item 39999000000856 \\\n --patron 23529000197047 --password Password1234\"\\\n kohadev\n6) Note the AH-header in the response which is for example:\n 'AH20240619 235900'\n7) Make a renewal with:\n sudo koha-shell -c \"/usr/share/koha/bin/sip_cli_emulator.pl \\\n --address localhost --port 6001 -t cr \\\n --su term1 --sp term1 --message renew \\\n --location CPL --item 39999000000856 \\\n --patron 23529000197047 --password Password1234\"\\\n kohadev\n8) Make sure the AH-header in the response is different from the\n response to the checkout, for example: 'AH20240624 235900'\n\nSigned-off-by: Tadeusz „tadzik” Sośnierz ","shortMessageHtmlLink":"Bug 37016: Invalid due date in SIP renew response"}},{"before":"34d4100c29de4af81e091011edab10d2d056a9a9","after":"3e00c0951d032ec88b1aac704e102d93379f98e0","ref":"refs/heads/ksdev/ks-0015-K23-7-holds-page-REST","pushedAt":"2024-06-17T11:02:19.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"lasse-koha","name":null,"path":"/lasse-koha","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/120379398?s=80&v=4"},"commit":{"message":"Show number of active and inactive holds","shortMessageHtmlLink":"Show number of active and inactive 
holds"}}],"hasNextPage":true,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"startCursor":"Y3Vyc29yOnYyOpK7MjAyNC0wOS0yNFQwNTo0NzoxOS4wMDAwMDBazwAAAAS-uwV5","endCursor":"Y3Vyc29yOnYyOpK7MjAyNC0wNi0xN1QxMTowMjoxOS4wMDAwMDBazwAAAARnRfpe"}},"title":"Activity · KohaSuomi/Koha-23x"}