Time Nick Message
19:58 tcohen hi cait
19:53 cait hi tcohen
19:25 rambutan yea, I could
19:25 cait i think there is an old thread, but probably could just start a new one
19:25 cait i think you could use the mailing list
19:24 rambutan hi cait
19:24 cait hi rambutan
19:24 rambutan is there any place to post comments on the CoC?
19:23 * cait wave
15:50 fridolin see u
15:36 Joubu have a good week-end #koha!
15:16 cait bye all
15:16 cait i will try to get back to this one soon :)
15:15 cait i guess the tests might pass for you too... maybe some data problem
15:14 cait but couldn't figure it out :)
15:13 cait i thought as Paola tested it, it's likely to be configuration or something on my side
15:13 Joubu thanks
15:13 cait so you can probably scratch 6) then :)
15:13 Joubu Yep, I had the same problem :)
15:13 cait aha!
15:13 Joubu ok, you had to logout/login
15:13 cait hm no i entered it and saved it
15:13 Joubu or did you define it to test this patch?
15:12 Joubu did you already have a primary email?
15:12 cait :(
15:12 cait i would have been a bit faster if my mobile broadband didn't decide to die and disappear
15:12 Joubu cait: just a quick question, about 6)
15:12 cait :)
15:12 Joubu thanks to QA 5342 :)
15:12 cait only for a quick moment more
15:12 Joubu cait: around?
14:27 huginn rambutan: The current temperature in Wyatt Park, St Joseph, Missouri is 19.8°C (9:27 AM CDT on September 26, 2014). Conditions: Mostly Cloudy. Humidity: 81%. Dew Point: 16.0°C. Pressure: 30.16 in 1021 hPa (Rising).
14:27 rambutan @wunder 64507
14:03 huginn druthb: The current temperature in Briargrove Park, Houston, Texas is 24.3°C (9:02 AM CDT on September 26, 2014). Conditions: Clear. Humidity: 68%. Dew Point: 18.0°C. Pressure: 30.06 in 1018 hPa (Steady).
14:03 druthb @wunder 77063
13:08 huginn Bug http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13000 enhancement, P5 - low, ---, gmcharlt, NEW , Split additem.pl into three tabs to allow implicit posting of the form with [enter]
13:08 Viktor bug 13000
13:08 huginn Bug http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13 normal, P2, ---, chris, CLOSED FIXED, aqbooksellers.pl is missing in /admin/ directory
13:08 Viktor I happened to get bug 13 000 for something I wanted to discuss. Not sure if that's a good sign or not :)
13:07 Viktor Hi #koha
12:55 huginn Bug http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=12899 normal, P5 - low, ---, oleonard, Pushed to Stable , Row grouping in checkouts table is alphabetical and layout depends on words chosen in translation
12:55 oleonard It was my fix for Bug 12899 that broke sorting by date due of checkouts on the circ page
12:55 cait oleonard: which piece of code is blaming you?
12:53 Joubu :)
12:53 oleonard I have a feeling it's going to take the whole box
12:53 * cait hands oleonard the box of cookies
12:52 oleonard Ugh. git blame me, again.
12:52 cait 7 = claimed :)
12:52 cait thx, i am looking at serials-collection.tt :)
12:52 huginn Bug http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11814 enhancement, P5 - low, ---, jonathan.druart, Needs Signoff , Serial statuses should be stored in constants
12:52 Joubu cait: bug 11814, there is a list of serial status in it
12:51 Joubu cait: yes. There is another patch, but still stuck in NSO I believe
12:50 cait hm maybe in the template
12:50 cait Joubu: do you know where we have a list of the numerical serial status?
12:50 Joubu cait: yep, thanks!
12:50 cait but probably not bad adding the line
12:50 cait not sure why the qa script picked it up
12:50 cait i know
12:49 Joubu cait: ok. The patch does not change the pod...
12:49 cait around line 26xx
12:48 cait for me it complained in serials.pm about a missing blank line before the =cut too
12:48 cait i fixed that too
12:48 Joubu on which file did you get the pod error?
12:48 Joubu cait: weird, I only get a warning on claims.tt about a tab char
12:47 cait don't worry, i will continue testing :)
12:46 cait i have a tiny follow up adding a blank line - that seems to fix it
12:46 cait yep
12:46 Joubu cait: 5342 ?
12:45 cait i am looking at the serials claiming patch and the qa script noted a problem with the pod
12:45 cait i think i figured it out
12:45 cait ah :)
12:45 Joubu cait: yep
12:37 cait Joubu: around?
12:31 huginn cait: The current temperature in Bochum Weitmar, Bochum, Germany is 16.7°C (2:25 PM CEST on September 26, 2014). Conditions: Mostly Cloudy. Humidity: 98%. Dew Point: 16.0°C. Pressure: 30.18 in 1022 hPa (Steady).
12:31 cait @wunder Bochum
12:31 huginn cait: Error: No such location could be found.
12:31 cait @wunder Dortmund
12:27 oleonard I find that sorting checkouts by date due in circulation is broken in master
12:17 * cait1 tries to do a git bz attach but internet not working well :(
12:17 huginn cait1: The current temperature in Bo Alto de San Martin, Cordoba City, Argentina is 15.0°C (9:15 AM ART on September 26, 2014). Conditions: Scattered Clouds. Humidity: 36%. Dew Point: 0.0°C. Pressure: 30.24 in 1024 hPa (Rising).
12:17 cait1 @wunder Cordoba, Argentina
12:11 * cait waves from another train
12:06 tcohen hello Magnus
12:05 magnuse hello!
12:02 tcohen morning
12:02 tcohen heh
11:59 oleonard Sweet.
11:59 wahanui sql whatcha-ma-jigger is http://wiki.koha-community.org/wiki/SQL_Reports_Library
11:59 oleonard sql whatcha-ma-jigger?
11:58 oleonard Hi #koha
10:27 cait ashimema: around?
09:51 huginn cait: The current temperature in Taegerwilen, Taegerwilen, Germany is 12.2°C (11:50 AM CEST on September 26, 2014). Conditions: Overcast. Humidity: 91%. Dew Point: 11.0°C. Pressure: 30.33 in 1027 hPa (Steady).
09:51 cait @wunder Konstanz
08:03 Joubu thanks magnuse! :)
08:01 * magnuse commented on the bug
07:58 huginn Bug http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10473 normal, P3, ---, amitddng135, Signed Off , Prompt for confirmation if more than 99 items are being added
07:58 Joubu bug 10473
07:58 Joubu hum... not this one
07:57 huginn Bug http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10743 enhancement, P5 - low, ---, nengard, RESOLVED FIXED, add style to privacy rules
07:57 Joubu magnuse: what do you think about the new patch on bug 10743?
07:36 cait bye all... spending another day on a train
07:28 gaetan_B hello
07:14 fridolin hi all
07:02 dcook So exciting
07:02 dcook Holiday loooooooms!
07:02 dcook Ahhh
06:56 wahanui what's up, Joubu
06:56 Joubu Hello
06:49 alex_a hello
06:38 reiveune hello
06:19 cait kia ora :)
06:10 magnuse kia ora cait
05:53 dcook Scrambling to finish up a few things all at once in my last hour or so of work ;)
05:53 dcook hehe
05:51 huginn magnuse: The current temperature in Bodo, Norway is 8.0°C (7:20 AM CEST on September 26, 2014). Conditions: Light Rain. Humidity: 81%. Dew Point: 5.0°C. Windchill: 4.0°C. Pressure: 29.09 in 985 hPa (Falling).
05:51 magnuse @wunder boo
05:51 magnuse in da house!
05:51 magnuse wassup dcook
05:36 dcook yo magnuse
05:32 * magnuse waves
04:56 dcook continues to be*
04:55 dcook Resetting this iPad has been such a labour..
04:55 dcook Bloody Apple...
04:50 dcook Thanks, eythian!
04:27 eythian !
04:27 eythian bye dcook, enjoy Greece
04:27 eythian hi dcook
04:19 dcook Enjoy beer o'clock!
04:19 dcook Also lots of photos.
04:19 dcook We'll be safe and have fun!
04:19 dcook I'll try to have a both excellent and great time :)
04:19 dcook Thanks, wizzyrea :)
04:19 dcook :)
04:18 wizzyrea redundant wizzy is redundant
04:18 wizzyrea ok, well it's beer o'clock in NZ, dcook, have an excellent time, take lots of pictures, have a great time, and come home safely.
02:10 * dcook just likes collecting well wishes he guesses
02:10 wizzyrea oh never mind then.
02:09 dcook Still 5 hours before I head out for the day :)
02:09 dcook thanks wizzyrea :)
01:57 wizzyrea have fun dcook
01:53 dcook Have a good Kohacon!
01:53 dcook Err talk to you in a month
01:53 dcook See you in a month :)
01:53 dcook night tcohen :)
01:52 tcohen night #koha
01:40 dcook Yee-ah. That's what I'm talkin' 'bout.
01:30 * dcook has a feeling Maven is saying build successful when it's actually not...
01:30 dcook Mmmm..
01:28 dcook DSpace should have a more global community, so I wouldn't have to rant about DSpace related things to you folks :p
01:28 dcook Mmm, I have an ideer..
01:27 dcook Well, Maven that's killing me..
01:25 dcook I already installed the third party library..
01:25 dcook wth... Java, you're killing me
01:25 * dcook suspects perhaps that it is not actually the AP
01:25 dcook Is it verified?
01:25 dcook wizzyrea: Yeah, they followed me a while ago too. It's weird.
01:25 wizzyrea on twitter.
01:25 dcook Probably
01:25 wizzyrea I want to know why the australia post just followed me.
01:24 eythian but I think that's specific to those manufacturers.
01:24 dcook Just lots of comics O_O
01:24 eythian it looks like some models wipe at 10
01:24 dcook Nothing unique that is
01:23 dcook Of course, I don't keep anything on my tablet
01:23 wizzyrea can't say I've ever messed it up that many times.
01:23 dcook Interesting :)
01:23 eythian p'raps
01:23 dcook 25 sounds familiar..
01:23 eythian I've heard it happening to people.
01:23 dcook 25 maybe?
01:23 wizzyrea (oops)
01:23 eythian It takes quite a few goes
01:23 eythian which apparently is an issue if you have wifi off on a tablet.
01:23 wizzyrea i haven't ever had that problem
01:23 dcook eythian: Might be a setting for that? Or maybe I just enter my password correctly most of the time
01:23 eythian but they lock out to require your google creds I think
01:22 eythian androids lock out
01:22 wizzyrea yeah same
01:22 * dcook enjoys his Android tablet and phone
01:22 dcook I liked my ipod classic, but since it was getting older and ultimately stolen, I don't miss Apple
01:21 dcook Since it's Apple, it would be pretty easy too
01:21 dcook Hmm, doable though
01:21 wizzyrea that would require effort for them though.
01:21 wizzyrea they could 2 factor it, make you login online and (send an email, text, phone call, etc)
01:20 wizzyrea that seems excessive.
01:20 wizzyrea locking people out and requiring a factory wipe though
01:19 wizzyrea possibly so
01:05 dcook I think you can plug away endlessly at an Android device
01:05 dcook Honestly, I kind of like this idea.
01:04 dcook Then the security of protecting your data on your device becomes a bit moot
01:04 dcook Of course, if you backup to the cloud, and your cloud gets hacked anyway...
01:03 dcook Being able to remotely erase a device is certainly different to remotely unlocking.
01:03 dcook It would be hackable.
01:03 dcook When compared with the blood sample, sure :p
01:02 wizzyrea ^.^
01:02 wizzyrea that is nowhere near secure enough.
01:02 dcook Or even say your Apple ID and password
01:02 wizzyrea and presenting an original of the purchase receipt
01:01 wizzyrea after logging in and giving a blood sample
01:01 dcook That would just make sense :)
01:01 dcook Nopes
01:01 wizzyrea nothing you can do from the web interface?
01:01 dcook wizzyrea: Agreed
01:01 * dcook is glad this happened the day before we leave for holiday rather than "on" holiday
01:01 wizzyrea that seems... unnecessary
01:01 dcook Fortunately this is a tablet and not a phone. A phone would be much worse.
01:01 dcook Yeppers
01:01 wizzyrea errrrr really?
01:00 dcook [off] Of course, my partner doesn't listen to me about the need to backup regularly :P
01:00 dcook Ideally, you've backed up your device recently, so it shouldn't matter too much.
01:00 dcook So it turns out 6 or so password tries and your Apple device is totally bricked until you reset the device to factory settings
00:51 huginn wizzyrea: The operation succeeded.
00:51 wizzyrea @later tell oleonard in the process of looking for something else, I found this little gem of a conversation http://irc.koha-community.org/koha/2013-10-03#i_1397312
00:48 dcook I guess it's secure but yikes
00:48 dcook Bloody hell, Apple...
00:41 dcook It's basically just me singing "multitasking" over and over again
00:41 * dcook sings a song he just invented about multitasking
00:40 dcook totes
00:39 wizzyrea hm yeah git installs on the public internet are kind of scary
00:35 tcohen :_D
00:29 dcook And last minute prep
00:29 dcook Still have a full day of work left ahead of me
00:29 dcook Ah, I don't leave for another... 11 hours :)
00:29 tcohen dcook: go to greece, leave the IRC
00:29 * dcook now seeks to unlock his wife's disabled ipad
00:28 * tcohen is glad to hear
00:28 dcook All has been made clear :D
00:28 dcook I see now about the .htaccess as well
00:28 dcook Mmm, I gotcha now
00:28 tcohen sorry for the confusion
00:27 tcohen and you notice the problem more clearly
00:27 tcohen ^^^^ that was the one
00:27 tcohen curl -H 'User-Agent: () { :;}; /usr/bin/touch /tmp/hacked' http://koha-dev.biblioadmin/cgi-bin/koha/misc/bin/sip_run.sh
00:27 tcohen dcook: sorry, wrong line
00:26 dcook tcohen: So the git install calls a shell script on the main page?
00:26 dcook Mmm food
00:25 rangi bbiab
00:24 rangi yep :)
00:24 eythian rangi: time for steak?
00:23 eythian e.g. a buffer overflow in argument processing.
00:23 rangi the only danger afaict that is koha specific is if you are running on a git install
00:23 eythian yes, though I still prefer to whitelist, as there could be other bugs.
00:22 eythian you have to be mega careful when calling a shell anyway, because shell injection is a thing that's been around forever.
00:22 tcohen so we are safe even if we pass user-provided stuff
00:22 tcohen ah
00:22 eythian no shell in there, unless you do it yourself.
00:21 tcohen a 'system' call is an attack vector
00:21 eythian exec calls execvp(3) which loads the new code over the top of current process
00:20 eythian waits for the child process to exit."
00:20 eythian "Does exactly the same thing as "exec LIST", except that a fork is done first and the parent process
00:20 eythian nope
00:20 dcook I thought commands like "system" and such generally used a subshell
00:19 eythian even then, we're probably not launching a shell from within it.
00:19 dcook Although I think it was suggested at one point :p
00:19 dcook True true
00:18 eythian you never run that from apache
00:18 dcook I think the only time we do is for rebuild_zebra.pl?
00:18 eythian which isn't something we do in koha so far as I could tell with a quick scan.
00:18 dcook eythian: Unless it's shelling out for whatever reason
00:18 eythian and if there's no bash in the pipeline, nothing is going to happen
00:18 rangi where some of the .sh files are accessible
00:18 dcook Right
00:17 eythian perl doesn't care
00:17 eythian dcook: yes, but it's bash that takes those variables and causes problems with them
00:17 rangi dcook: you have to hit the right url, eg one on a dev install
00:17 tcohen it will only happen if you point to a .sh file in CGI-mode
00:17 dcook Isn't Apache setting environmental variables though?
00:17 eythian it usually calls perl, and perl doesn't have the issue.
00:17 eythian well, koha doesn't run a shell, in most cases.
00:17 eythian if it didn't, everything would break.
00:17 dcook But it didn't
00:16 dcook eythian: And the Koha server would execute the code via the bash vulnerability
00:16 eythian ah, it will, in general
00:16 dcook eythian: I figured the proxy would pass the string as is to the Koha server
00:16 tcohen this baby would run a remote shell using a pipe on /tmp http://pastebin.com/dEYQndKG
00:16 dcook eythian: At least I don't think that's what I meant :p
00:16 dcook eythian: That's not what I meant
00:16 eythian dcook: it won't be shelling to anything to proxy a request.
00:16 dcook eythian: How do you mean?
00:16 dcook rangi: Yeah, I was thinking about being a bit more thorough in checking the logs
00:15 rangi you can see if you look in the access logs
00:15 eythian dcook: that's not how it works
00:15 dcook It must be stripping them all
00:15 dcook rangi: I expected the proxied server to execute the bash but it didn't :/
00:15 rangi unless the proxy is stripping all headers and user agents, from the request it passes to the webserver, there's still a way in
00:15 dcook tcohen: ?
00:14 tcohen then you can inject whatever
00:14 tcohen dcook: if you can run touch /tmp
00:14 dcook It didn't though
00:14 dcook And if it does something to the strings it passes to the backend server that does have bash... then nada
00:14 rangi *nod* but whatever it passes through to will :)
00:14 dcook rangi: I just mean that the proxy isn't going to execute any code.
00:13 dcook Although it would still be able to touch tmp
00:13 dcook Mmm, we do have a more locked down vhost than the standard Koha install as well..
00:13 rangi doesn't matter if the proxy has bash or not
00:13 tcohen we could push a .htaccess
00:13 rangi to stop the dirs that shouldn't be accessible being accessible :)
00:13 dcook The proxy doesn't have bash, but yeah still patched bash anyway
00:13 rangi i'd patch bash and put .htaccess in
00:13 rangi i wouldn't be sure a proxy is safer
00:12 tcohen exactly
00:12 rangi but yeah
00:12 dcook ^
00:12 eythian you can use almost any header
00:12 tcohen bad guys
00:12 tcohen ah
00:12 rangi if they did that, it would
00:12 dcook I tried a few other headers as well
00:12 tcohen (i don't think they mangle the UA)
00:12 rangi some proxies strip user agent
00:12 tcohen i don't think a proxy would prevent it
00:12 dcook Yeah, I did that as well
00:11 tcohen ^^^ ^^ that's what I did
00:11 tcohen curl -H 'User-Agent: () { :;}; /usr/bin/touch /tmp/hacked' http://koha-dev.biblioadmin/
00:11 dcook Yeah, I tried to exploit the vulnerability but we have proxies in front and they're not using bash.
00:11 rangi hopefully those who do dev installs, are patching :)
00:10 rangi plus i'm sure they are upgrading
00:10 tcohen some people deploy with dev installs
00:10 dcook Sweet
00:10 rangi they've been switching to packages
00:10 dcook But I think Bywater exclusively use git installs..
00:10 dcook I don't think I have any git installs open to the internet
00:09 rangi quick fix is an .htaccess
00:09 tcohen however it is written :-P
00:09 tcohen gityfied setups vulnerable
00:09 tcohen just the bash one
00:09 dcook or is this a Koha specific one?
00:09 dcook tcohen: The bash one?
00:07 tcohen ok, managed to exploit vulnerability on git installs
00:07 bgkriegel__ tcohen: yes, they appear
00:06 cait good night all :)
00:00 tcohen it isn't on the stable branch, so nevermind :-D
00:00 huginn Bug http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11672 normal, P5 - low, ---, tomascohen, Pushed to Master , Untranslatable report areas in step 1 of Guided Reports
00:00 tcohen bug 11672