Bug 37464: Validate "type" sent to barcode/svc

This change validates the "type" sent to the barcode/svc. Without this
change, we pass the user input directly to GD::Barcode, which passes
the input into an eval{} block without any validation of its own.

Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=bad&barcode=123456
3. Note that a Code39 barcode is provided for an invalid type
4. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=Code39&barcode=123456
5. Note that a Code39 barcode is provided
6. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=UPCE&barcode=123456
7. Note that a non-Code39 barcode is provided (presumably UPCE)

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 73b0c3cf621250008845f22f7a36f90a48e00b06)
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This commit is contained in:
David Cook 2024-07-25 06:56:18 +00:00 committed by Katrin Fischer
parent 751e72dfda
commit 623e1c5912
Signed by: kfischer
GPG key ID: 0EF6E2C03357A834

View file

@ -89,6 +89,21 @@ below the scannable barcode.
=cut
my %type_mapping = (
Code39 => 1,
UPCE => 1,
UPCA => 1,
QRcode => 1,
NW7 => 1,
Matrix2of5 => 1,
ITF => 1,
Industrial2of5 => 1,
IATA2of5 => 1,
EAN8 => 1,
EAN13 => 1,
COOP2of5 => 1,
);
my $input = CGI->new;
my ( $auth_status ) = check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => '*' } );
@ -99,13 +114,18 @@ if ( $auth_status ne "ok" ) {
binmode(STDOUT);
my $type = $input->param('type') || 'Code39';
my $type = $input->param('type') || '';
my $barcode = $input->param('barcode');
my $notext = $input->param('notext') ? 1 : 0;
my $height = $input->param('height') || 50;
my $qrcode_modulesize = $input->param('modulesize') || "5"; # 1+
my $image;
# Validate the barcode type. Default to Code39 if no type or unsupported type sent.
if ( !$type_mapping{$type} ) {
$type = 'Code39';
}
if ( $type eq 'Code39' ) {
$barcode = '*' . $barcode unless $barcode =~ /^\*/;
$barcode = $barcode . '*' unless $barcode =~ /\*$/;
@ -115,6 +135,7 @@ eval {
if( $type eq "QRcode" ){
$image = GD::Barcode->new('QRcode', $barcode, { Ecc => "M", ModuleSize => $qrcode_modulesize } )->plot->png();
} else {
# BZ 37464 - $type must be validated as GD::Barcode unsafely passes this argument directly to an eval{} block
$image = GD::Barcode->new( $type, $barcode )->plot( NoText => $notext, Height => $height )->png();
}
};