
Update 17.1-dev with 17.0-dev #2878

Merged (19 commits, Jun 27, 2017)

Conversation

jstirling91 (Contributor)

No description provided.

AnyhowStep and others added 8 commits May 25, 2017 12:32
Prepare statements for output type in where clause of imaging browser, to prevent SQL injection attacks.
Update LORIS version to 17.0.4
Fixed bug where visits could not be created via the API, even with well-formed input.
The import scripts were adding data which was not in the datadictionary, such as the "Testdate" timestamp from instruments, and not providing an explicit ordering for scans.

This resulted in unnecessary rebuilds when the data available to the user was semantically equivalent, but the encoded JSON was in a different order, or the timestamp was changed but no visible data was modified.

This addresses both these issues.
$this->form->addRule("value", "Required", 'required'); sets the 'required fail' when the user submits a value of "0", because empty($value) is true for 0.

This updates the code to explicitly check for the empty string to detect no input, and avoids PHP's empty() function for validation.
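The two rules side by side, as an added example (not LORIS code or the commit's diff); treating a missing field (null) as no input is this example's choice and is not stated in the commit:

```php
<?php
// Added example, not LORIS code: a 'required' rule built on empty() versus the
// explicit empty-string check the commit switches to.

// Old behaviour: empty() treats the strings "" and "0" (and 0, null, false, [])
// alike, so a user who genuinely enters 0 fails the rule.
function requiredViaEmpty(?string $value): bool
{
    return !empty($value);
}

// Fixed behaviour: only the empty string means "no input". Treating a missing
// field (null) the same way is an assumption of this example.
function requiredExplicit(?string $value): bool
{
    return $value !== null && $value !== '';
}

// Constructed inputs; note that neither rule trims whitespace, so " " passes both.
foreach (['0', '', null, '0.0', '12', ' '] as $input) {
    printf("%-6s  empty(): %-4s  explicit: %s\n",
        var_export($input, true),
        requiredViaEmpty($input) ? 'pass' : 'fail',
        requiredExplicit($input) ? 'pass' : 'fail');
}
```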
Update get_file.php to use PHP's realpath to fully resolve file
paths before doing validation.

This resolves a security issue identified by @johnsaigle where attackers could escape the path in a way that evades the checks that are in place. (Thanks, @johnsaigle!)
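One way to structure the check the get_file.php commit describes, as an added example that is not the project's code; the directory layout, file names and the `resolveInsideBase` helper are constructed for the demonstration:

```php
<?php
// Added example, not LORIS code: resolve the requested file with realpath()
// before validating it, as the get_file.php commit describes. The directory
// layout and file names below are constructed for the demonstration.

/**
 * Return the canonical path of $requested if it exists inside $baseDir,
 * or null if it is missing or resolves outside the base directory.
 */
function resolveInsideBase(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory itself does not exist
    }
    // realpath() collapses "..", repeated separators and symlinks, and
    // returns false for a path that does not exist, so the comparison below
    // is made against the real location on disk rather than the raw input.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($resolved === false) {
        return null;
    }
    // Compare with a trailing separator so that a sibling directory whose
    // name merely starts with the base name ("files2" vs "files") is not
    // accepted as being inside the base.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $resolved;
}

// Constructed layout: a download directory next to a file that must stay private.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'getfile_demo_' . getmypid();
mkdir($root . '/files', 0700, true);
file_put_contents($root . '/files/report.txt', 'public');
file_put_contents($root . '/private.txt', 'private');

foreach (['report.txt', '../private.txt', 'missing.txt'] as $request) {
    $result = resolveInsideBase($root . '/files', $request);
    printf("%-16s => %s\n", $request, $result ?? 'rejected');
}

// Clean up the constructed files.
unlink($root . '/files/report.txt');
unlink($root . '/private.txt');
rmdir($root . '/files');
rmdir($root);
```

Because realpath() only resolves paths that exist, a request for a missing file is rejected rather than passed through to the open call, and the check must be run immediately before the file is opened.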
Previous LORIS upgrade scripts may have resulted in a weak JWT preshared key being stored in the configuration tables, which was supposed to be a temporary, unused key which is replaced by a randomly generated password during the LORIS install process.

This implements JWT key strength requirements in the API, and refuses to issue tokens for keys that aren't at least 20 characters long, and don't have the special character / number / letter requirements that are in place for user passwords. As a result, the not-so-temporary-after-all key is now blacklisted.
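The shape of the gate the JWT commit describes, as an added example rather than LORIS's own implementation. The 20-character minimum and the letter / digit / special-character classes are taken from the commit text; the exact password rules LORIS enforces are not on this page, so the regular expressions, the `jwtKeyProblems` and `issueToken` helpers, and both sample keys are this example's own assumptions:

```php
<?php
// Added example, not LORIS code: refuse to sign a JWT with a preshared key
// that fails the strength policy described in the commit. The character
// classes below approximate LORIS's password rules, which are not on this page.

/** Reasons the preshared key is unacceptable; an empty array means it passes. */
function jwtKeyProblems(string $key): array
{
    $problems = [];
    if (strlen($key) < 20) {
        $problems[] = 'shorter than 20 characters';
    }
    if (!preg_match('/[A-Za-z]/', $key)) {
        $problems[] = 'contains no letter';
    }
    if (!preg_match('/[0-9]/', $key)) {
        $problems[] = 'contains no digit';
    }
    if (!preg_match('/[^A-Za-z0-9]/', $key)) {
        $problems[] = 'contains no special character';
    }
    return $problems;
}

function base64url(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

/** Sign an HS256 token, refusing outright if the key does not meet the policy. */
function issueToken(string $key, array $claims): string
{
    $problems = jwtKeyProblems($key);
    if ($problems !== []) {
        throw new RuntimeException('refusing to issue JWT: key ' . implode(', ', $problems));
    }
    $header  = base64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = base64url(json_encode($claims));
    $sig     = base64url(hash_hmac('sha256', "$header.$payload", $key, true));
    return "$header.$payload.$sig";
}

// Constructed keys: a placeholder-style weak key like an installer might leave
// behind, and one that satisfies the policy. Neither is a real LORIS value.
foreach (['changeme', 'Z7q!xV4#pL9$mW2&kR8@hN5'] as $key) {
    try {
        echo substr(issueToken($key, ['user' => 'demo', 'exp' => time() + 3600]), 0, 40), "...\n";
    } catch (RuntimeException $e) {
        echo $e->getMessage(), "\n";
    }
}
```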
…#2872

This pull request adds e.examinerID to the "group by" clause of the examiner module to fix the following error in MySQL 5.7:

"Expression #2 of SELECT list is not in GROUP BY clause and contains nonaggregated column 'dbname.e.examinerID' which is not functionally dependent on columns in GROUP BY clause; this is incompatible with sql_mode=only_full_group_by"
jstirling91 added the label "Meta PR does something that organizes, upgrades, or manages the functionality of the codebase" on Jun 14, 2017
johnsaigle (Contributor)

Please note #2876 and #2826 which will both potentially be included in 17.0.

Fix bug where conflict resolver was using an old quickform style date-to-array conversion, instead of directly using the HTML5 date which is passed to LORIS.
jstirling91 (Contributor, Author)

@driusan please message me on slack once the two pull requests are merged

John Saigle and others added 10 commits June 21, 2017 11:29
This restores the broken functionality merged in aces#2868. This fixes the access control issue while allowing valid files to download.

See also: Redmine 12586.
…ID (aces#2891)

Conflict Resolver displays the examinerID for conflicts in the Examiner field making it difficult / impossible for anyone doing conflict resolution to resolve this field.

This modifies it to use the examiner's full name.
10 participants