LP#1207281: require SSL when downloading offline patron list
This patch builds on the previous one by forcing use of
SSL for downloading the offline patron list. It also
updates the Apache 2.4 example configuration.
Signed-off-by: Galen Charlton <email address hidden>
Signed-off-by: Bill Erickson <email address hidden>
Signed-off-by: Mike Rylander <email address hidden>
LP#1207281 Prevent download of offline patron list without authentication
This patch addresses the vulnerability which allowed a user with the proper
knowledge of the location of offline patron lists to download the file over
regular HTTP without any staff credentials.
This small addition to eg_vhost.conf.in will present users with a login prompt
when trying to access the /standalone/ subdirectory on an Evergreen server.
Users are able to download the patron list in the staff client as normal
because they already have obtained credentials during the normal staff client
authentication process.
Signed-off-by: Michael Peters <email address hidden>
Signed-off-by: Galen Charlton <email address hidden>
Signed-off-by: Bill Erickson <email address hidden>
Signed-off-by: Mike Rylander <email address hidden>
Fix an omission in the log redaction configuration.
open-ils.actor.patron.password_reset.commit was omitted in the
<log_protect> block of opensrf_core.xml.example. This commit adds
it and updates the release notes for 2.3 to include it.
There is also a release notes file informing users that they need to
edit opensrf_core.xml to address this issue.
Signed-off-by: Jason Stephenson <email address hidden>
Signed-off-by: Galen Charlton <email address hidden>
Signed-off-by: Bill Erickson <email address hidden>
Signed-off-by: Mike Rylander <email address hidden>