Commit graph

11 commits

Author SHA1 Message Date
Julian Maurice
96cc447045 Bug 25898: Prohibit indirect object notation
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-10-15 12:56:30 +02:00
e96f39ab52 Bug 7550: [QA Follow-up] Resolve param warning from sco-patron-image
Resolve this warning:
  CGI::param called in list context from package C4::Service line 212, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 436.

It comes from the require_params call in sco-patron-image.pl.

Git grepping on require_params tells me this:
  members/default_messageprefs.pl:my ($categorycode) = C4::Service->require_params('categorycode');
  opac/sco/sco-patron-image.pl:my ($borrowernumber) = C4::Service->require_params('borrowernumber');
  opac/sco/sco-patron-image.pl:my ($csrf_token) = C4::Service->require_params('csrf_token');
  svc/cataloguing/metasearch:my ( $query_string, $servers ) = C4::Service->require_params( 'q', 'servers' );

The only candidate for multi_param seems to be 'servers', but as we can see
this variable is a scalar. Additional servers returned by require_params are
lost. This should be solved on its own report.
So, we can safely add scalar to the params call, resolve the warning and
keep the same behavior.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-05-08 09:00:26 -04:00
Jesse Weaver
ed0ff59152 Bug 11559: Supporting changes for Rancor
* Extends login screen to pass along #hash
  * Adds JSONP support to C4::Service
  * Extends humanmsg to allow per-message classes
  * Adds proper charset to results of svc/bib

Test plan:

  1. C4/Auth.pm and .../intranet/.../auth.tt: verify that login/usage
     works as expected, despite the change to pass on the fragment (...#blah)
     from the URL.
  2. C4/Service.pm and humanmsg.js: verify that editing system
     preferences (the main user of these modules) works correctly despite
     updates.
  3. svc/bib: verify that records can be correctly downloaded with the
     change of character set. This can be done in a Firebug/Chrome Devtools
     console by running `$.get('/cgi-bin/koha/svc/bib/1')` and inspecting the
     results (possibly replacing 1 with a different valid biblionumber).

Signed-off-by: Nick Clemens <nick@quecheelibrary.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-10-27 12:16:05 -03:00
Jonathan Druart
a6c9bd0eb5 Bug 9978: Replace license header with the correct license (GPLv3+)
Signed-off-by: Chris Nighswonger <cnighswonger@foundations.edu>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>

http://bugs.koha-community.org/show_bug.cgi?id=9987

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-04-20 09:59:38 -03:00
Jonathan Druart
e20270fec4 Bug 11944: use CGI( -utf8 ) everywhere
Signed-off-by: Paola Rossi <paola.rossi@cineca.it>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Dobrica Pavlinusic <dpavlin@rot13.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-01-13 13:07:21 -03:00
Andrew Elwell
aa9b4d92cd POD Cleanups
Signed-off-by: Andrew Elwell <Andrew.Elwell@gmail.com>
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
2010-06-09 08:38:59 -04:00
Lars Wirzenius
7279f55b60 Fix FSF address in directory C4/
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
2010-03-16 20:17:56 -04:00
Jesse Weaver
fdd82e8054 Add new system preferences editor
This new editor uses data files instead of descriptions stored in the
database. It also has improved search.
2009-09-06 23:02:47 -06:00
Jesse Weaver
3206d0fe3c Small documentation improvement for C4::Service
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
2009-05-27 10:08:36 -05:00
Galen Charlton
53637c5e14 fix small POD error
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
2009-05-14 07:34:12 -05:00
Pianohacker
b04f432857 New framework for AJAX services
This adds two new C4 modules, C4::Service and ::Output::JSONStream, and
makes important modifications to C4::Output. The first two are a basic
framework for JSON-based AJAX services and a simple JSON output wrapper,
respectively. C4::Output has been slightly refactored, with a new
function, output_with_http_headers, that supports different
content-types. output_html_with_http_headers still exists, and the three
pages affected by this change have been refactored to support it.

Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
2009-05-14 07:29:18 -05:00