Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity

Bug 34349: Validate/escape inputs for task scheduler

Browse source 
This change validates and escapes inputs for task scheduler.

Test plan:
0. Apply patch
1. koha-plack --reload kohadev
2. Go to http://localhost:8081/cgi-bin/koha/tools/scheduler.pl
3. Input a time a minute in the future and leave the date blank
4. Choose an existing report and output format
5. Type a malicious string which is also a valid email address
into the Email field
6. Click "Save"
7. Note that the job is added but the Email is wrapped in single
quotes
8. Try using a non-malicious email address with a single quote.
9. Note that the single quote is escaped, so that it will still
be used by runreport.pl

JD amended patch: tidy

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Removed pars for $email =~ regex, removed old commented lines.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit dcd698a4b4)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
This commit is contained in:
David Cook 2023-07-24 04:31:15 +00:00 committed by Matt Blenkinsop
parent 3059919c13
commit 9b68554979
1 changed files with 35 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

49
tools/scheduler.pl
View file

@ -25,6 +25,8 @@ use C4::Auth qw( get_template_and_user );
use CGI qw ( -utf8 ); use CGI qw ( -utf8 );
use C4::Output qw( output_html_with_http_headers ); use C4::Output qw( output_html_with_http_headers );
use Koha::DateUtils qw( dt_from_string );; use Koha::DateUtils qw( dt_from_string );;
use Koha::Reports;
use Koha::Email;
my $input = CGI->new; my $input = CGI->new;
my $base; my $base;
@ -60,23 +62,42 @@ if ( $mode eq 'job_add' ) {
$starttime =~ s/\://g; $starttime =~ s/\://g;
my $start = $startdate . $starttime; my $start = $startdate . $starttime;
my $report = $input->param('report'); my $report = $input->param('report');
if ($report) {
my $saved_report;
my $report_id = int($report);
if ($report_id) {
$saved_report = Koha::Reports->find($report_id);
}
if ( !$saved_report ) {
$report = undef;
}
}
my $format = $input->param('format'); my $format = $input->param('format');
my $email = $input->param('email'); if ($format) {
my $command = unless ( $format eq 'text' || $format eq 'csv' || $format eq 'html' ) {
"export KOHA_CONF=\"$CONFIG_NAME\"; " . $format = undef;
"$base/cronjobs/runreport.pl $report --format=$format --to=$email"; }
}
my $email = $input->param('email');
if ($email) {
my $is_valid = Koha::Email->is_valid($email);
if ( !$is_valid ) {
$email = undef;
}
}
if ( $report && $format && $email ) {
#FIXME commit ea899bc55933cd74e4665d70b1c48cab82cd1257 added recurring parameter (it is not in template) and call to add_cron_job (undefined) #NOTE: Escape any single quotes in email since we're wrapping it in single quotes in bash
# my $recurring = $input->param('recurring'); $email =~ s/'/'"'"'/g;
# if ($recurring) { my $command =
# my $frequency = $input->param('frequency'); "export KOHA_CONF=\"$CONFIG_NAME\"; "
# add_cron_job( $start, $command ); . "$base/cronjobs/runreport.pl $report --format=$format --to='$email'";
# }
# else {
# #here was the the unless ( add_at_job
# }
unless ( add_at_job( $start, $command ) ) { unless ( add_at_job( $start, $command ) ) {
$template->param( job_add_failed => 1 );
}
}
else {
$template->param( job_add_failed => 1 ); $template->param( job_add_failed => 1 );
} }
} }