Before this fix, any search with double-quotes would return an error
500.
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
This prompts NFC normalization on adding record
Therefore, any saved record will be NFC normalized
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Fix so that modifying an authority record is not logged
as both an ADD and a MODIFY.
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
This patch addresses both security issues mentioned in the summary of the report
submitted by Frère Sébastien Marie included below.
---------------------------
The problem is here: 'C4/AuthoritiesMarc.pm' in the function 'DelAuthority':
The argument $authid is included directly (not via statement) in the SQL.
For the exploit of this problem, you can use 'authorities/authorities-home.pl'
with authid on the URL and op=delete (something like
"authorities/authorities-home.pl?op=delete&authid=xxx").
This should successfully call DelAuthority, without authentification...
(DelAuthority is call BEFORE get_template_and_user, so before authentification
[This should be an issue also...]).
Please note that the problem isn't only that anyone can delete an authority of
this choose, it is more general: with "authid=1%20or%1=1" (after inclusion sql
will be like: "delete from auth_header where authid=1 or 1=1") you delete all
authorities ; with "authid=1;delete%20from%xxx" it is "delete from auth_header
where authid=1;delete from xxx" and so delete what you want...
SQL-INJECTION is very permissive: you can redirect the output in a file (with
some MySQL function), so write thea file of you choose in the server, in order
to create a backdoor, and compromise the server.
Signed-off-by: Frère Sébastien Marie <semarie-koha@latrappe.fr>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Ensures the multiple search does not throw a 500 error but
allows a single search to be used as well
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Update 005 date/time when saving authority record for MARC21 and UNIMARC.
Signed-off-by: Nicole Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
This does not seem to occur on all platforms - C4::Search
exports SimpleSearch() by default - but adding the 'C4::Search::'
qualifier certainly doesn't hurt things.
Patch by Fridolyn Somers <fridolyn.somers@gmail.com>
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
The current code in AuthoritiesMarc.pm rewrites all subfields from the report
tag in the authority record to fields in related bibliographic records when
merging authorities. Additional subfields in the biblio records (e.g. relator
code or term) are lost in the process.
This patch retains the original algorithm but restores the additional subfields
from the original biblio record when rewriting the linked marc fields.
The problem also exists in 3.0. Two separate patches have been submitted.
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
If these are acceptable I'll continue - target is to get rid of all warnings
and errors with podcheck and make sure that any man and html formatted pod
docs look 'OK'
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
Fixed obvious warnings generators in scripts
with mismatched comparisons or undefined variables
removed temporary variable selected while ensuring the
comparison it represented was between two defined variables
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
Adding some new options to bulkmarcimport :
-k idtagsubfield in order to store the id of the file record into another field
-match tagsubfield,index
-a to import authorities
-l logfilename to store logs
Bug Fixing : C4/Charset.pm
Charset was incorrect for UNIMARC Authorities
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
Adds some rewriting
bug fix for merging
AddAuthority had some problem with updating existing data.
ModAuthority adds a new Syspref called MergeAuthoritiesOnUpdate which is used to launch or disable biblios update when updating an authority
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
MARC::File::USMARC::decode is not aware of encoding as MARC::File::XML is
So it caused a problem when decoding information and updating biblios.
Now uses MARC::File::XML
Encoding is OK
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
this is a work-around fix, until a future patch arrives to define the missing 'Heading-Main' zebra-index.
for 3.0.x
[RM note: also included in HEAD so that I can include the UNIMARC(A)
updates by HDL]
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
Adding Heading-Main as new index code in order to search only on Heading-main when $a selected.
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
It turns out that the "blank" record created by MARC::Record->new()
has a leader, so now I explicitly create one in addbiblio.pl. I
also realized I can't count. :-)
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
This patch makes sure that MARC21 authorities have a minimal
Leader, 008, and 040. If an authority record is created through
BiblioAddsAuthority it generates a 670 based on information in
the bib record.
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
replace_with maight have unexpected behaviour.
Has to test merge_authority.pl
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
merge works on the fly now.
But for an obscure reason, merge_authority.pl fails to update database when lanched on command line.
Adding one table to LOCK for noZebra UPDATE in Biblio.pm
You should remove C4::Search from merg_authority.pl
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
Improved C4::AuthoritiesMarc::GetAuthType() so that
it returns either a hashref (if the authority type exists)
or undef (if it does not exist). The same
accessor should not be used to either return a single
value or all values of a settings list. Note that
all existing clients of GetAuthType are expecting
either a single hashref or undef; none of them
expected the arrayref that could be returned by
the previous version of the accessor.
When BiblioAddsAuthorities is ON, addbiblio.pl
now checks the return value of GetAuthType and
no longer crashes as follows if the MARC framework
specifies an invalid authority type for a given subfield:
Can't coerce array into hash at .../cataloging/addbiblio.pl line 738.
No documentation changes.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
Because NoZebra indexing requires having both
the old and new versions of a record when processing
an updated, I adjusted the ModZebra sub to require
that the old version be explicitly passed to it.
That way, the zebraqueue row (for Zebra mode) can
now be added *after* the biblio and biblioitems
updates have been completed.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
Added invocations of StripNonXmlChars to uses
of new_from_xml() that involve records
saved to Koha fields via MARC::Record->as_xml();
for batch jobs that work on MARC XML files
coming from external sources, StripNonXmlChars
should not necessarily be used, as it may
be better to reject a file or record if it
contains that kind of encoding error.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
* Defined local field 942$a to store the authority type
for MARC21 instead of 152$b
* Added 942$b to MARC21 authority framework.
* Added auth_header.authid and auth_header.authtypecode
to appropriate subfields in MARC21 authority framework.
* Started work on two new modules:
C4::AuthoritiesMarc::MARC21
C4::AuthoritiesMarc::UNIMARC
These modules will be used to extract MARC-format-specific
behavior out of C4::AuthoritiesMarc
* Updated Zebra config for MARC21 to use only the 942$a
for the authority type.
* For MARC21, added logic to move 152$b to 942$a for
existing authority records. Specifically, AddAuthority
now does this move when a record is saved, while
GetAuthority and GetAuthorityXML do this when
extracting a record for other use. This logic
is temporary, and can hopefully be removed later, once
use of 152$b in MARC21 authorities is confirmed to be
absent for Koha users. I will also create a batch
job to do this update in one fell swoop.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
This commit is a partial fix to authority control for MARC21,
and better authority handling in general (for UNIMARC too).
Before this patch, authority searching, editing, saving, was
not functioning, or was extremely buggy.
WARNING: You will need to re-index your authority database after
applying this commit.
The following changes have been made:
* Normalizing record.abs index names (in both MARC21 and UNIMARC)
* Synching authorities/bib1.att, ccl.properties, AuthoritiesMarc.pm
with new indexes (UNIMARC too)
* Clean up biblios/bib1.att (remove duplicate att defs)
* Clean up authorities-* templates to conform to new styles
* Fixed search failure when using Default framework (now searches
All)
Also included are several fixes to the built-in SRU server for
Authority and Biblio, it's recommended that you update your
koha-conf.xml file:
* adding explain-authorities.xml and explain-biblios.xml
* adding necessary info to koha-conf.xml to enable SRU/W
* adding several example XSLT stylesheets, that can be used
for SRU on-the-fly transformations (to MODS, DC, RDF, etc.)
Still remaining for 3.0 are the following tasks:
* update MARC21 frameworks (authority and cross-reference bib)
* update display code/templates in authority results list
* update search code/templates to utilize index points
* implement 'grouping' of authtypes for searching (Name, Title, Subject)
* repair utility to import auths and perform matching
* repair bibliographic import to match auths and warn if no match
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
the reported tag contains all subfields to report from the authority into the biblio.
NOTE : It is a feature usefull only for OpenCataloger, but OpenCataloger needs it.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
finalresult contained the whole list and not only the useful results.
resultlist contained only 19 elements. adding one
parameters passed through pages contained also empty parameters deleting them.
Conflicts:
C4/AuthoritiesMarc.pm
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
* improve generation of summaries for MARC21 authorities
* fix search syntax for link to display bibs linked to a given authority
* in addbiblio.pl's BiblioAddAuthorities, check all headings, not just the first of each tag
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
+ add 100 field support if needed
+ add 152 (authtypecode) if needed
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
With the YUI tabs, the SINGLETAB feature (that hides tabs when there is only 1) was bugguy
This commit fixes the problem, and solve some other ones :
- order the fields
- resize the input size (see previous commit in addbiblio.pl)
- remove some unused code
- reindent
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
- support for authorities
- some bugfixes in ordering and "CCL" parsing
- support for authorities <=> biblios walking
Seems I can do what I want now, so I consider its done, except for bugfixes that will be needed i m sure !
All subs have be cleaned :
- removed useless
- merged some
- reordering Biblio.pm completly
- using only naming conventions
Seems to have broken nothing, but it still has to be heavily tested.
Note that Biblio.pm is now much more efficient than previously & probably more reliable as well.
== Biblio.pm cleaning (useless) ==
* some sub declaration dropped
* removed modbiblio sub
* removed moditem sub
* removed newitems. It was used only in finishrecieve. Replaced by a Koha2Marc+AddItem, that is better.
* removed MARCkoha2marcItem
* removed MARCdelsubfield declaration
* removed MARCkoha2marcBiblio
== Biblio.pm cleaning (naming conventions) ==
* MARCgettagslib renamed to GetMarcStructure
* MARCgetitems renamed to GetMarcItem
* MARCfind_frameworkcode renamed to GetFrameworkCode
* MARCmarc2koha renamed to TransformMarcToKoha
* MARChtml2marc renamed to TransformHtmlToMarc
* MARChtml2xml renamed to TranformeHtmlToXml
* zebraop renamed to ModZebra
== MARC=OFF ==
* removing MARC=OFF related scripts (in cataloguing directory)
* removed checkitems (function related to MARC=off feature, that is completly broken in head. If someone want to reintroduce it, hard work coming...)
* removed getitemsbybiblioitem (used only by MARC=OFF scripts, that is removed as well)
cvs -z3 -d:ext:kados@cvs.savannah.nongnu.org:/sources/koha co -P koha
find koha.precrash -type d -name "CVS" -exec rm -v {} \;
cp -r koha.precrash/* koha/
cd koha/
cvs commit
This should in theory put us right back where we were before the crash
Authority tables are modified to be compatible with new MARC frameworks. This change is part of Authority Linking & Zebra authorities. Requires change in Mysql database. It will break head unless all changes regarding this is implemented. This warning will take place on all commits regarding this
Seems not to break too many things, but i'm probably wrong here.
at least, new features/bugfixes from 2.2.5 are here (tested on some features on my head local copy)
- removing useless directories (koha-html and koha-plucene)
