Bug 36875: Do not pass unsanitized language to $page->translated_content
Test plan: Try to access opac-page.pl with a language not in OPACLanguages. Verify that this 'language' was not passed to sql. Simplest perhaps by debugging AdditionalContent.pm. Something like: sub translated_content { my ( $self, $lang ) = @_; +warn "L137: $lang"; Now have a public additional_contents page and hit it: /cgi-bin/koha/opac-page.pl?page_id=5&language=badsql Check your log and find: [2024/05/16 07:25:53] [WARN] L137: en at [etc] line 137. So badsql was caught. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
parent
da7186ea3d
commit
4c3a6c3910
1 changed files with 2 additions and 2 deletions
|
@ -35,7 +35,6 @@ my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
|
|||
);
|
||||
|
||||
my $page_id = $query->param('page_id');
|
||||
my $lang = $query->param('language');
|
||||
|
||||
my $homebranch = $ENV{OPAC_BRANCH_DEFAULT};
|
||||
if (C4::Context->userenv) {
|
||||
|
@ -49,7 +48,8 @@ if ( !$page || $page->category ne 'pages' || $page->branchcode && $page->branchc
|
|||
exit;
|
||||
}
|
||||
|
||||
my $content = $page->translated_content( $lang || C4::Languages::getlanguage($query) );
|
||||
# Sanitize $query->param('language') via getlanguage
|
||||
my $content = $page->translated_content( C4::Languages::getlanguage($query) );
|
||||
|
||||
$template->param( page => $content );
|
||||
|
||||
|
|
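Review bot: The new call `$page->translated_content( C4::Languages::getlanguage($query) )` relies entirely on getlanguage() returning only a language enabled in OPACLanguages, and the added comment does not state that invariant. A more precise comment would be `# Never pass the raw 'language' param: getlanguage() only returns a language enabled in OPACLanguages`. The body of translated_content is not visible here, so it is worth confirming that it binds or validates $lang itself, since other callers may reach it without going through getlanguage(). The test plan is manual (a temporary `warn` in AdditionalContent.pm); an automated test asserting that an unknown `language` value falls back to the default would keep this from regressing.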