This patch adds CORS support to output_with_headers(). It will use the
AccessControlAllowOrigin syspref to pick the value and set the Access-Control-Allow-Origin header.
To test:
1. Apply this patch
2. Run:
$ kshell
k$ prove t/Output.t
SUCCESS: Tests pass!
3. Sign off :-D
Signed-off-by: Andrew Isherwood <andrew.isherwood@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
We absolutely need that for modules.
We are enabling strict by using Modern::Perl.
Note that other modules from C4 use strict and warnings, instead of
Modern::Perl
Test plan: git grep 2505 **/*.pm should not return any results
And let's see later what needs to be fixed.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
To prevent additem.pl to crash when called with a nonexistent
biblionumber we are here implementing the blocking_error.inc trick to
display a friendly message instead.
Can't call method "fields" on an undefined value at
/home/vagrant/kohaclone/cataloguing/additem.pl line 736.
Test plan:
hit
/cataloguing/additem.pl?biblionumber=
/cataloguing/additem.pl?biblionumber=424242
You will get a friendly "Bibliographic record not found." message,
instead of a 500
Signed-off-by: Bin Wen <bin.wen@inlibro.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This is a bad one as we thought we were XSS safe since bug 13618.
The html code generated in C4::Output::pagination_bar must escape the
variables and values correctly.
This patch needs to be widely tested, everywhere the pagination appears,
to make sure we will not introduce regressions.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Resolve:
FAIL C4/Output.pm
FAIL pod
*** ERROR: Apparent command =cut not preceded by blank line in file C4/Output.pm
FAIL pod coverage
POD is missing for output_and_exit
Test plan:
Run QA tools again.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
No test plan found ;)
But tested bookcount and request-article.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
When opac-details calls parametrized_url, it triggers an uninitialized
warning when you would have a record without e.g. author, like:
Use of uninitialized value in subroutine entry at /usr/share/perl5/URI/Escape.pm line 184.
This is (imo) actually a bug in URI::Escape; it should check its args.
But we resolve the warning here by adding the "// q{}" in parametrized_url.
NOTE: Along the way we do something similar in the arrParamsBusc loop.
If the variable is undefined, jump to the next one. (Consistent with the
approach in the if-part preceding it.)
Test plan:
[1] Run t/Output.t again. Should pass now.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
xt/author/podcorrectness.t
C4/Output.pm (310): Expected text after =item, not a bullet
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan:
Login with a patron that is not allowed to see patron's information for patrons
outside of his group. Try to access patron's information from scripts of the patron
module (members/*) and circ/circulation.pl.
You should be able to access patron's information of patrons outside of your group
and get "You are not allowed to see the information of this patron."
If you try and access a patron page with a borrowernumber that does not exist, you
should get "This patron does not exist"
Technical note:
A new C4::Output subroutine is created in this patch: "output_and_exit_if_error"
Executed at the beginning of the script it will permit not to copy/paste all the
different checks to know if the logged in user is authorised to see patron's information.
The design here can be discussed, but I did not find an alternative with as less changes.
On the way I refactor what we did with 'unknowuser' previously: it will now work with all
patron pages, not only the few that used it.
Note that the 'or die "Not logged in";' part should not be needed, but... who trusts
C4::Auth?
I think it could be used as a safeguard later. I am willing to sed and remove them
if required.
Changes in discharge.pl are mainly indentation changes.
With this patch we should now have a $patron variable that refer to the patron we
want to access. That will be very useful to remove plenty of code in members/* and
only pass this variable to the template (instead of 1 variable per patron's attribute).
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
perl -p -i -e 's/^.*set the version for version checking.*\n//' **/*.pm
+ manual adjustements
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
Mainly a
perl -p -i -e 's/^.*3.07.00.049.*\n//' **/*.pm
Then some adjustements
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
perl -p -i -e 's/^(use vars .*)\$VERSION\s?(.*)/$1$2/' **/*.pm
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
There are some places where frames are used, the greybox JS plugin for
instance.
We need either to allow them from Koha or replace this plugin.
The easier for now is to switch the value from DENY with SAMEORIGIN.
Test plan:
- modify a record in a batch (tools/batch_record_modification.pl)
- click on preview marc
=> With only the previous patch you will get a blank page.
=> With this patch apply, it will work as expected.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Web pages that can be embedded in frames are vulnerable to cross-frame
scripting attacks. Cross-frame scripting is a type of phishing attack
that involves instructions to an unsuspecting user to follow a specific
link to update confidential information in an online application.
Because the link leads to a legitimate page from the online application
that is embedded in a frame hosted by the attackers' server, the
attackers can capture all the information that the user enters.
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Alex Arnaud <alex.arnaud@biblibre.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Test plan:
Create an order for an existing biblio, confirm that the pagination links work correctly.
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Test plan: See Bugzilla.
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Signed-off-by: Chris Nighswonger <cnighswonger@foundations.edu>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
http://bugs.koha-community.org/show_bug.cgi?id=9987
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Bug 12844 removed the call to C4::Budgets::GetCurrency.
The use of this module can be completely removed from C4::Output.
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
It makes sense and no runtime errors found.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Test plan:
git grep FormatData
should not return any result in pl and pm files.
Signed-off-by: Nick Clemens <nick@quecheelibrary.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
See the wiki page for the explanation.
Signed-off-by: Paola Rossi <paola.rossi@cineca.it>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Dobrica Pavlinusic <dpavlin@rot13.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This subroutine is now useless.
Test plan:
git grep FormatNumber
should not return any result in pl and pm files.
Signed-off-by: Paola Rossi <paola.rossi@cineca.it>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This patch makes the web-based self-check module pages
specify that no browser (or proxy caching) occur at all.
This prevents a security issue where letting the SCO session time out,
then hitting the back button allowed one to view the previous
patron's session.
This patch adds an optional fifth parameter to output_with_http_headers(),
and output_html_with_http_headers(), a hashref for miscellaneous
options. One key is defined at the moment: force_no_caching, which if
if present and set to a true value, sets HTTP headers to specify no
browser caching of the page at all.
To test:
[1] Start a web-based self-check session and optionally perform
some transactions.
[2] Allow the session to time out (it may be helpful to set
SelfCheckTimeout to a low value such as 10 seconds).
[3] Hit the back button. You should not see the previous patron's
self-check session.
[4] Verify that prove -v t/Output.t passes.
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Ed Veal <ed.veal@bywatersolutions.com>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Removing binmode, now encoding data in output_with_http_headers.
Replaced output_string by output_as_chars in XSLTParse4Display.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
No errors.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
In current implementation (mostly commented out in this patch)
uses heuristic to guess which strings need decoding from utf-8
to binary representation and doesn't support utf-8 characters
in templates and has problems with utf-8 data from database.
With this changes, Koha perl code always uses utf-8 encoding
correctly. All incomming data from database is allready
correctly marked as utf-8, and decoding of utf8 is required
only from Zebra and XSLT transfers which don't set utf-8 flag
correctly.
For output, standard perl :encoding(utf8) handler is used
so it also removes various "wide character" warnings as side-effect.
Test scenario:
1. make sure that you have utf-8 characters in your biblio
records, patrons, categories etc.
2. try to search records on intranet and opac which contain
utf-8 characters
3. install language which has utf-8 characters, e.g. uk-UA
dpavlin@koha-dev:/srv/koha/misc/translator(bug_6554) $
PERL5LIB=/srv/koha/ perl translate install uk-UA
4. switch language to uk-UA and verify that templates
display correctly
5. test search and Z39.50 search and verify that caracters
are correct
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
I followed the test plan, adding utf-8 characters to library names,
patron categories, titles, and authorized values. I tried the uk-UA
translation and everything looked good.
When performing Z39.50 searches for titles containing utf-8 characters I
got results which were still occasionally contaminated with dummy
characters [?] but I assume this is Z39.50's fault not the patch's.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Already signed, add mine.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
OPACSearchForTitleIn is a syspref used to add links as "more searches" in OPAC record detail page.
The links can contain vars depending on record values like title, ISBN, ...
Thoses values must be URL-escaped because they can contain special characters that will brake URL and/or HTML.
This patch add a method C4::Output::parametrized_url() that replaces vars in URL usign escape and UTF-8 encoding.
Test plan :
- Define in OPACSearchForTitleIn a link with all possible vars : TITLE, AUTHOR, ISBN, ISSN, CONTROLNUMBER, BIBLIONUMBER
- Edit a record to add special characters in title : ", &, ? ...
- Go to OPAC detail pages of this record
=> Check that URL is well encoded
=> Click on link to check the term is well encoded (diacritical characters, ...)
Signed-off-by: Liz Rea <liz@catalyst.net.nz>
Nice test plan, thanks!
Verified bug and fix - both look good.
Signed-off-by: Mason James <mtj@kohaaloha.com>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
"return" statement with explicit "undef" at line 128, column 74. See page 199 of PBP. (Severity: 5)
Subroutine prototypes used at line 270, column 1. See page 194 of PBP. (Severity: 5)
Subroutine prototypes used at line 308, column 1. See page 194 of PBP. (Severity: 5)
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
This patch does the following:
1) Enables fallback for includes between different themes and different
languages (with the exact same precedence as for .tt files)
2) Enable fallback for XSLT files between different themes and different
languages (again, same precedence)
3) Change the semantics of the TT [% themelang %] variable so that it always
refers to the preferred theme and language, rather than the fallback
theme/language. As a result, all themes must include all javascript,
css and image resources they use.
Note that these changes actually have no impact whatsoever on an
installation where the default (prog) themes are in use.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Adds new action export for basketgroup.
This action is available only if your basketgroup is closed.
This export generates a csv file with order informations.
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Tested together with bug 5356.
patch applied to commit eb3dc448d2
Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>
Turned on star ratings in the opac on details and results
Searched for titles - saw the stars
Clicked on a title
Clicked on the stars
Clicked on the stars to change my rating
Logged out
Tried to click on stars
Logged in as different user
Rated items that were rated already and saw average change
Changed preference to show only on detail and repeated tests
Changed preference to now show stars
All above tests passed. Signing off.
Rebased 3-19-12 by Ian Walls
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Jared's fix for Bug 3326 fixed this in the staff client, but not the OPAC; moving this one line fixes it
both places.
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
This can be replicated by indexing with -x
OPACXSLTResults must be set to "normally"
Reproduced original bug with rebuild-zebra.pl -x -b -w -r -v -v
Patch corrects the issue, does not change intranet behavior.
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
On any page, NSB/NSE characters are replaced by space in Output.pm. It isn't a
good thing:
- It isn't necessary since Zebra indexer handle properly those characters as
delimiter.
- It isn't necessary for display since XSL file already do that.
- It isn't efficient since a regex is done on every whole page sent by Koha,
not only on biblio record part.
- It removes an information that librarian want to keep in their biblio
records: any record edited in Koha loose its NSB/NSE characters.
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Removes deprecated calls to HTML::Template or HTML::Template::Pro from:
C4/Output.pm
catalogue/export.pl
reports/issues_by_borrower_category.plugin
reports/itemtypes.plugin
Only remaining calls are in misc/cronjobs/rss/rss.pl, misc/cronjobs/smsoverdues.pl,
and t/test_template.pl. These scripts still legitimately depend on H:T:P
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
This patch solves the situation that news is in another language than
the Koha interface AND makes that themelanguage routine is always called
the same way in order to prevent mixed display.
It fixes also a bug related to language preselection based on web
browser prefered language.
September 9: Adjusted with input of Frederic Demians.
Septembre 10: Avoid circular dependency, as pointed by Chris Cormack.
Templates related functions are moved from C4::Output to C4::Templates
Signed-off-by: Alex Arnaud <alex.arnaud@biblibre.com>
Signed-off-by: Ian Walls <ian.walls@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
I am not very happy with this fix, but it does mean the template are
translatable and we don't get double encoding issues with them anymore
Please test
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
In certain circumstances, ampersands would not be displayed properly in the
Staff client search results. This patch fixes that by ensuring that all the
doubled ampersands that Zebra inserts in XML indexing mode are replaced by the
correct single ampersand entity.
Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>