Bug 37464: Validate "type" sent to barcode/svc
This change validates the "type" sent to the barcode/svc. Without this change, we pass the user input directly to GD::Barcode, which passes the input into an eval{} block without any validation of its own. Test plan: 0. Apply the patch 1. koha-plack --reload kohadev 2. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=bad&barcode=123456 3. Note that a Code39 barcode is provided for an invalid type 4. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=Code39&barcode=123456 5. Note that a Code39 barcode is provided 6. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=UPCE&barcode=123456 7. Note that a non-Code39 barcode is provided (presumably UPCE) Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> (cherry picked from commit 73b0c3cf621250008845f22f7a36f90a48e00b06) Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
parent
751e72dfda
commit
623e1c5912
1 changed files with 22 additions and 1 deletions
23
svc/barcode
23
svc/barcode
|
@ -89,6 +89,21 @@ below the scannable barcode.
|
||||||
|
|
||||||
=cut
|
=cut
|
||||||
|
|
||||||
|
my %type_mapping = (
|
||||||
|
Code39 => 1,
|
||||||
|
UPCE => 1,
|
||||||
|
UPCA => 1,
|
||||||
|
QRcode => 1,
|
||||||
|
NW7 => 1,
|
||||||
|
Matrix2of5 => 1,
|
||||||
|
ITF => 1,
|
||||||
|
Industrial2of5 => 1,
|
||||||
|
IATA2of5 => 1,
|
||||||
|
EAN8 => 1,
|
||||||
|
EAN13 => 1,
|
||||||
|
COOP2of5 => 1,
|
||||||
|
);
|
||||||
|
|
||||||
my $input = CGI->new;
|
my $input = CGI->new;
|
||||||
|
|
||||||
my ( $auth_status ) = check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => '*' } );
|
my ( $auth_status ) = check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => '*' } );
|
||||||
|
@ -99,13 +114,18 @@ if ( $auth_status ne "ok" ) {
|
||||||
|
|
||||||
binmode(STDOUT);
|
binmode(STDOUT);
|
||||||
|
|
||||||
my $type = $input->param('type') || 'Code39';
|
my $type = $input->param('type') || '';
|
||||||
my $barcode = $input->param('barcode');
|
my $barcode = $input->param('barcode');
|
||||||
my $notext = $input->param('notext') ? 1 : 0;
|
my $notext = $input->param('notext') ? 1 : 0;
|
||||||
my $height = $input->param('height') || 50;
|
my $height = $input->param('height') || 50;
|
||||||
my $qrcode_modulesize = $input->param('modulesize') || "5"; # 1+
|
my $qrcode_modulesize = $input->param('modulesize') || "5"; # 1+
|
||||||
my $image;
|
my $image;
|
||||||
|
|
||||||
|
# Validate the barcode type. Default to Code39 if no type or unsupported type sent.
|
||||||
|
if ( !$type_mapping{$type} ) {
|
||||||
|
$type = 'Code39';
|
||||||
|
}
|
||||||
|
|
||||||
if ( $type eq 'Code39' ) {
|
if ( $type eq 'Code39' ) {
|
||||||
$barcode = '*' . $barcode unless $barcode =~ /^\*/;
|
$barcode = '*' . $barcode unless $barcode =~ /^\*/;
|
||||||
$barcode = $barcode . '*' unless $barcode =~ /\*$/;
|
$barcode = $barcode . '*' unless $barcode =~ /\*$/;
|
||||||
|
@ -115,6 +135,7 @@ eval {
|
||||||
if( $type eq "QRcode" ){
|
if( $type eq "QRcode" ){
|
||||||
$image = GD::Barcode->new('QRcode', $barcode, { Ecc => "M", ModuleSize => $qrcode_modulesize } )->plot->png();
|
$image = GD::Barcode->new('QRcode', $barcode, { Ecc => "M", ModuleSize => $qrcode_modulesize } )->plot->png();
|
||||||
} else {
|
} else {
|
||||||
|
# BZ 37464 - $type must be validated as GD::Barcode unsafely passes this argument directly to an eval{} block
|
||||||
$image = GD::Barcode->new( $type, $barcode )->plot( NoText => $notext, Height => $height )->png();
|
$image = GD::Barcode->new( $type, $barcode )->plot( NoText => $notext, Height => $height )->png();
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
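Review bot: The `$type_mapping{$type}` allow-list correctly stops an arbitrary `type` string from reaching GD::Barcode's eval, but `height` and `modulesize`, read a few lines above the new check, are still passed straight through as `Height => $height` and `ModuleSize => $qrcode_modulesize` with no numeric or range check, so a non-numeric or very large value presumably produces warnings or an oversized PNG from the same request path. A bounded check beside the new type check would close that, e.g. `$height = 50 unless $height =~ /^\d+$/ and $height <= 500;` and `$qrcode_modulesize = 5 unless $qrcode_modulesize =~ /^\d+$/ and $qrcode_modulesize <= 20;` (the exact limits are a product decision). Since `%type_mapping` is only ever tested for key presence, building it as `my %type_mapping = map { $_ => 1 } qw(Code39 UPCE UPCA QRcode NW7 Matrix2of5 ITF Industrial2of5 IATA2of5 EAN8 EAN13 COOP2of5);` would make the allow-list intent clearer than a hash of `=> 1` pairs. The enclosing `if ( $auth_status ne "ok" )` branch and the `eval {` block that wraps the GD::Barcode calls both begin outside the visible hunks.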