Bug 31001: Fix "CGI::param called in list context" warning in basket.pl

CGI param basketno should be explicitly scalar,
or else error log gets flooded with this warning:

AH01215: CGI::param called in list context from
/home/vagrant/kohaclone/acqui/basket.pl line 175, this can lead to
vulnerabilities. See the warning in "Fetching the value or values of a
single named parameter" at /usr/share/perl5/CGI.pm line 412.

This patch fixes it by working with it in a scalar context.
The functionality still remains the same but warning doesn't flood
error log.

To reproduce:
1. Head over to the acquisitions page.
2. Pick existing vendor with email contact info or create a new one.
3. Create a new basket or use existing one, and if it doesn't have
any orders, add a new order to it.
4. Use the "E-mail order" button to send order.
5. Check the error log and find the upper mentioned warning.
(Note: if you're going to test this more than once, you might need
to restart your Plack in order for this warning to get added to your
log file again, reasons of that is that the authors of CGI.pm decided
to "warn only once")
6. Apply the patch.
7. Use the "E-mail order" button again, ensure that the same warning
doesn't get added to the log file again.

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This commit is contained in:
Petro Vashchuk 2022-06-21 16:02:51 +03:00 committed by Tomas Cohen Arazi
parent 6c55159eb6
commit 096fd4acfa
Signed by: tomascohen
GPG key ID: 0A272EA1B2F3C15F

View file

@ -172,7 +172,7 @@ if ( $op eq 'delete_confirm' ) {
exit;
} elsif ($op eq 'email') {
my $err = eval {
SendAlerts( 'orderacquisition', $query->param('basketno'), 'ACQORDER' );
SendAlerts( 'orderacquisition', scalar $query->param('basketno'), 'ACQORDER' );
};
if ( $@ ) {
push @messages, { type => 'error', code => $@ };