Original patch submitted by dswhite42@yahoo.com
Reformatted to apply cleanly.
Changed alert message during check-in to message used
on borrower account checkout page.
Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
This patch addresses both security issues mentioned in the summary of the report
submitted by Frère Sébastien Marie included below.
---------------------------
The problem is here: 'C4/AuthoritiesMarc.pm' in the function 'DelAuthority':
The argument $authid is included directly (not via statement) in the SQL.
For the exploit of this problem, you can use 'authorities/authorities-home.pl'
with authid on the URL and op=delete (something like
"authorities/authorities-home.pl?op=delete&authid=xxx").
This should successfully call DelAuthority, without authentification...
(DelAuthority is call BEFORE get_template_and_user, so before authentification
[This should be an issue also...]).
Please note that the problem isn't only that anyone can delete an authority of
this choose, it is more general: with "authid=1%20or%1=1" (after inclusion sql
will be like: "delete from auth_header where authid=1 or 1=1") you delete all
authorities ; with "authid=1;delete%20from%xxx" it is "delete from auth_header
where authid=1;delete from xxx" and so delete what you want...
SQL-INJECTION is very permissive: you can redirect the output in a file (with
some MySQL function), so write thea file of you choose in the server, in order
to create a backdoor, and compromise the server.
Signed-off-by: Frère Sébastien Marie <semarie-koha@latrappe.fr>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Change to how subfield is derived had not been implemented in
opac-results-grouped causing ARRAY(hexnumber) to follow all titles
Replace template ref to scalar with an array
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Follow up patch. Improvement suggested by Belgian translators (Hans Supply).
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Enhancement for Acquisitions/ordering from external source.
Koha already checked for duplicates, but this patch warns the user. Offers the choice to use existing record, use new record or return without making an order.
The new template is added for this interaction with the user.
Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
POD was mistakenly telling that NFD was supposed to be the default
encoding. In fact, it is not, it is NFC.
So the variable $nfc to change to the not default encoding was misleading.
Renaming it into $nfd
(written by hdl)
Refactored by Chris Cormack
Signed-off-by: Davi <davi@gnu.org>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Disabling that part of the calendar JavaScript which hides
<select> form fields when the calendar is displayed. This is at
the expense of IE6.
Signed-off-by: Nicole Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
A change was made to MARCdetail.tmpl without making a corresponding
change to MARCdetail.pl. I've reworked the original change so that
both can work together.
0XX --> tab0XX
Apparently TMPL variables can't start with a number now?
MR: Recreated patch file to recover failure to apply.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
The messaging prefs form was hardcoded to use 'transport-$transport_type', rather than
'transport_$transport_type'. The result was an uneditable messaging preferences form.
Signed-off-by: Nicole Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
- Removing option to show 50 items/show all from script and template
- Adding parser to exclude articles in title sort (en only, see Bug 5766)
- Setting default sort to 'date due descending' as it was previously
Signed-off-by: Nicole Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Save button and duplicate confirmation redirects must respect
the edititems permission: Users without permission to edit items
should not be redirected to the edit items screen.
Signed-off-by: Nicole Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
- Adding title, subtitle, and author to output
- Reworking display of shelving location selection
Patch does not address the contents of 'overdue status' and 'notified by'
Signed-off-by: Nicole Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Follow up on 5736: Same problem with 100 and 100a in authorities/record.abs
Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Rename the phonetic name in about, just like an earlier patch did elsewhere.
Make the distinction between the two Dutch translations more clear.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
This fix the members-home script to work with new letter search management, and delete not anymore used code/template
(written by Nahuel Angelinetti)
Signed-off-by: Henri-Damien LAURENT <henridamien.laurent@biblibre.com>
Changes the wording to approved/rejected to be consistent with other wording
Signed-off-by: Nicole Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Input value attributes shouldn't have _() escaping.
Signed-off-by: Nicole Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Also correcting display of itemtype based on item-level_itype preference
Signed-off-by: Nicole Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Lines like melm 999 should ALWAYS follow the lines for subfields 999a, 999b etc.
This is currently not the case for 410 411 490 611 710 785 and 800.
Found this since I could not find back the contents of 710$9 fields.
Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Adds corrected onclick response for expanding marc tags.
Removes some lines that did not work as promised.
Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
XSLT.pm add few syspref to MARCXML record send to be transformed by XSLT. If
one of those syspref doesn't exist, it generated a warning.
Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
If you entered low number and high number, you got only items that *exactly* matched either entry (if any).
If you enter only a low number, you got everying *lower* than that.
If you enter only a high number, you get everything *higher* than that.
This was a greater-than-less-than problem.
Signed-off-by: Nicole Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Modifying empty cart function to take a paramter: if true,
cart will be emptied without a prompt.
Removing unnecessary "javascript:" pseudo-protocol.
Signed-off-by: Nicole Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>