runreport.pl and prep work on Guided.pm

The old location of runreport.pl was under tools, leaving it exposed
to web requests.  This is a security flaw since it does NOT check any
Auth and allows the user to request any Saved Report be run.  This is
not a problem under misc/crontab/ and it suggests the more appropriate use.

Guided.pm is not fixed here (see bug 3066), but it is prepared to be fixed
and made compatible with runreport as detailed in the perldoc.

Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
This commit is contained in:
Joe Atzberger 2009-03-27 10:34:33 -05:00 committed by Galen Charlton
parent 104de0640b
commit 1caa108ef0
2 changed files with 169 additions and 4 deletions

View file

@ -18,11 +18,13 @@ package C4::Reports::Guided;
# Suite 330, Boston, MA 02111-1307 USA
use strict;
# use warnings; # FIXME: this module needs a lot of repair to run clean under warnings
use CGI;
use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS);
use C4::Context;
use C4::Output;
use C4::Dates;
use XML::Simple;
use XML::Dumper;
use C4::Debug;
@ -354,9 +356,14 @@ sub get_criteria {
=cut
# FIXME: This needs to be generalized to reports in general
# FIXME: This should NOT have ANY formatting responsibilities.
# Instead, is should just be returning a prepared sth.
# FIXME: $type is a TOTALLY UNUSED "required" argument?
sub execute_query ($$$$;$$) {
my ( $sql, $type, $offset, $limit, $format, $id ) = @_;
$format or $format = '';
$debug and print STDERR "execute_query($sql, $type, $offset, $limit, $format, $id)\n";
my @params;
my $total = 0;
my ($useroffset, $userlimit);
@ -424,12 +431,15 @@ sub execute_query ($$$$;$$) {
while ( my @data = $sth->fetchrow_array() ) {
# if the field is a date field, it needs formatting
foreach my $data (@data) {
unless (defined $data) {
$data = ''; # suppress undef, so fields are joinable
next;
}
next unless $data =~ C4::Dates->regexp("iso");
my $date = C4::Dates->new($data, "iso");
$data = $date->output();
$data = C4::Dates->new($data, "iso")->output();
}
# tabular
my %temphash;
my %temphash; # FIXME: already declared %temphash in same scope.
my $row = join( '</td><td>', @data );
$row = "<tr><td>$row</td></tr>";
$temphash{'row'} = $row;
@ -445,7 +455,7 @@ sub execute_query ($$$$;$$) {
$string .="\n" . $row;
}
elsif ($format eq 'url'){
my $temphash;
my $temphash; # FIXME: already declared %temphash in same scope. TWICE!!
@$temphash{@$colnames}=@data;
push @xmlarray,$temphash;
}

155
misc/cronjobs/runreport.pl Executable file
View file

@ -0,0 +1,155 @@
#!/usr/bin/perl -w
#
# Copyright 2008 Liblime
#
# This file is part of Koha.
#
# Koha is free software; you can redistribute it and/or modify it under the
# terms of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later
# version.
#
# Koha is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with
# Koha; if not, write to the Free Software Foundation, Inc., 59 Temple Place,
# Suite 330, Boston, MA 02111-1307 USA
use strict;
use warnings;
use C4::Reports::Guided; # 0.12
use C4::Context;
use Getopt::Long qw(:config auto_help auto_version);
use Pod::Usage;
use Mail::Sendmail;
use Text::CSV_XS;
use vars qw($VERSION);
BEGIN {
# find Koha's Perl modules
# test carefully before changing this
use FindBin;
eval { require "$FindBin::Bin/../kohalib.pl" };
$VERSION = 0.21;
}
=head1 NAME
runreport.pl - Run a pre-existing saved report.
=head1 SYNOPSIS
runreport.pl [ -v ]
Options:
-h --help brief help message
-m --man full documentation, same as --help --verbose
-v --verbose verbose output
=head1 OPTIONS
=over 8
=item B<-help>
Print a brief help message and exits.
=item B<-man>
Prints the manual page and exits.
=item B<-v>
Verbose. Without this flag set, only fatal errors are reported.
=back
=head1 DESCRIPTION
This script is designed to run an existing Saved Report.
=head1 USAGE EXAMPLES
B<runreport.pl> 16
In the most basic form, runs the report specified by ID number from
saved_sql.id, in this case #16, outputting the results to STDOUT.
=head1 SEE ALSO
Reports - Guided Reports
=cut
# These variables can be set by command line options,
# initially set to default values.
my $help = 0;
my $man = 0;
my $verbose = 0;
my $format = "";
my $to = C4::Context->preference('KohaAdminEmailAddress');
my $from = C4::Context->preference('KohaAdminEmailAddress');
my $subject = 'Koha Saved Report';
GetOptions(
'help|?' => \$help,
'man' => \$man,
'verbose' => \$verbose,
'format' => \$format,
'to' => \$to,
'from' => \$from,
) or pod2usage(2);
pod2usage( -verbose => 2 ) if ($man);
pod2usage( -verbose => 2 ) if ($help and $verbose);
pod2usage(1) if $help;
unless ($format) {
$verbose and print STDERR "No format specified, assuming 'text'\n";
$format = '';
# $format = 'text';
}
unless (scalar(@ARGV)) {
print STDERR "ERROR: No reports specified\n";
pod2usage(1);
}
print scalar(@ARGV), " argument(s) after options: " . join(" ", @ARGV) . "\n";
my $email;
foreach my $report (@ARGV) {
my ($sql, $type) = get_saved_report($report);
unless ($sql) {
warn "ERROR: No saved report $report found";
next;
}
$verbose and print "SQL: $sql\n\n";
# my $results = execute_query($sql, undef, 0, 99999, $format, $report);
my ($results) = execute_query($sql, undef, 0, 20, , );
# execute_query(sql, , 0, 20, , )
my $count = scalar(@$results);
unless ($count) {
print "NO OUTPUT: 0 results from execute_query\n";
next;
}
$verbose and print "$count results from execute_query\n";
my $message = "<table>\n" . join("\n", map {$_->{row}} @$results) . "\n</table>\n";
if ($email){
my %mail = (
To => $to,
From => $from,
Subject => $subject,
Message => $message
);
sendmail(%mail) or warn "mail not sent";
} else {
print $message;
}
}