If an attacker can get an authenticated Koha user to visit their page
with the
url below, they can change or delete patrons' images
/tools/picture-upload.pl?op=Delete&borrowernumber=42
Test plan:
1/ Hit /tools/picture-upload.pl?op=Delete&borrowernumber=42
And confirm that you get a "Wrong CSRF token" error
2/ Go on the patron detail page with a patron's image
3/ Click on the Delete link (note the csrf_token param)
4/ The image will be deleted and you are redirected to the patron detail
page.
Regression tests:
Upload an image from the patron detail page and from the "upload patron
images" tool.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
To reproduce:
1/ cp your_image.jpg 'test<svg onload=alert(1)>.jpg'
2/ Use the upload picture tool to upload this file
=> Without this patch, the alert is show
=> With this patch, the filename is correctly displayed and no alert
Note that the cardnumber var was not escaped neither, it's now.
Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
The C4::Members::PutPatronImage inserted/updated the image of a patron.
This can be done easily with ->find->set->store or ->new->store
Test plan:
1/ Modify the image of a patron from the patron detail page
2/ Add an image to a new patron
3/ Use the "Upload patron images" tools (tools/picture-upload.pl) to add
or modify the image of a patron
4/ Use the "Upload patron images" tools (tools/picture-upload.pl) to add
or modify the image of several patrons, using a zip file.
Stress the script trying to get as many errors as possible (wrong
cardnumber, wrong mimetype, file does not exist, etc.)
With this patch, if the cardnumber does not exist, you will get a
specific error "Image not imported because this patron does not exist in
the database"
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Otherwise the label is red and a bit agressive :)
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
The styling of the patron image upload form causes the text to be
smaller than it should be for the main body of a page. This patch
revises the form style and cleans up the markup a bit.
This patch also adds client-side validation of the form so that a file
upload is required, and a card number is required if an image file is
selected.
To test, apply the patch and go to Tools -> Upload patron images.
1. Confirm that the text in the form is the correct size.
2. With "Zip file" selected, confirm that submitting the form is blocked
and the file upload marked as required.
3. With "Image file" selected, confirm that submitting the form
with an empty card number field is blocked and the card number
field is marked as required.
4. Confirm that uploading zip files and single images still works
correctly.
Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as advertised
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
This patch fixes some template structure problems and makes some
improvements:
- Correct grid structure so that page isn't narrower than it needs
to be.
- Move image upload messages out of message/error dialog and into
table so that lines are distinct and legible.
- Expand breadcrumbs specificity
- Capitalization corrections
To test: Upload patron images using both single images and zip files.
Test zip file upload with a file which contains valid and invalid
contents (non-existant patron numbers, invalid image files, etc). In all
cases image uploads should work correctly and errors should be legibly
displayed.
Signed-off-by: Marc Veron <veron@veron.ch>
With patch, error messages are displayed in a nice table.
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Tested with zip and png files. Works great.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Text could not be correctly translated due to poor parsing of nested sentences in Pootle.
*Sentences de-nested to have whole sentence in each if /elsif branch
*Cleaned up <li></li> handling: moved closing </li> outside the for each loop to prevent orphaned closing </li>s.
*Changed indentation for better readibility
*Changed WARNING to ERROR because it is an *Error* during upload.
*Wording simplified (for translation).
*In one case added hint to refer to online help (size).
This way text should be easier to be translated in Pootle.
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
This patch also fixes some strings:
* itemcallnumber => item call number
* Profile marcfields=> Profile MARC fields