Before this fix, any search with double-quotes would return an error
500.
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
This prompts NFC normalization when adding a record.
Therefore, any saved record will be NFC normalized.
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Fix so that modifying an authority record is not logged
as both an ADD and a MODIFY.
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
This patch addresses both security issues mentioned in the summary of the report
submitted by Frère Sébastien Marie included below.
---------------------------
The problem is here: 'C4/AuthoritiesMarc.pm' in the function 'DelAuthority':
The argument $authid is included directly (not via a statement) in the SQL.
To exploit this problem, you can use 'authorities/authorities-home.pl'
with authid on the URL and op=delete (something like
"authorities/authorities-home.pl?op=delete&authid=xxx").
This should successfully call DelAuthority, without authentication...
(DelAuthority is called BEFORE get_template_and_user, so before authentication
[This should be an issue also...]).
Please note that the problem isn't only that anyone can delete an authority of
their choosing; it is more general: with "authid=1%20or%1=1" (after inclusion the SQL
will be like: "delete from auth_header where authid=1 or 1=1") you delete all
authorities; with "authid=1;delete%20from%xxx" it is "delete from auth_header
where authid=1;delete from xxx" and so you delete what you want...
SQL injection is very permissive: you can redirect the output to a file (with
some MySQL function), so write the file of your choice on the server, in order
to create a backdoor, and compromise the server.
Signed-off-by: Frère Sébastien Marie <semarie-koha@latrappe.fr>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
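As an added example (not Koha's code and not the reporter's), this is the hardened shape the report calls for: the authority id is validated and bound as a placeholder instead of being interpolated into the DELETE, so the report's "1 or 1=1" value can never become part of the statement. It assumes DBI with DBD::SQLite and a constructed in-memory auth_header table using the column name from the report; the function name DelAuthority_safe is hypothetical.

```perl
#!/usr/bin/perl
# Added example, not Koha's own code. Assumes DBI and DBD::SQLite are installed.
use strict;
use warnings;
use DBI;

# Constructed in-memory stand-in for the auth_header table named in the report.
my $dbh = DBI->connect( "dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 } );
$dbh->do("CREATE TABLE auth_header (authid INTEGER PRIMARY KEY, authtypecode TEXT)");
$dbh->do( "INSERT INTO auth_header (authid, authtypecode) VALUES (?, ?)",
    undef, $_, 'PERSO_NAME' ) for 1 .. 3;

# Hardened form (hypothetical name): the id is checked to be an integer and
# passed as a bind value, never concatenated into the SQL text. In the CGI
# script this must only be reachable after the session/permission check; the
# report notes DelAuthority ran before get_template_and_user.
sub DelAuthority_safe {
    my ( $dbh, $authid ) = @_;
    return 0 unless defined $authid && $authid =~ /^\d+$/;    # reject non-integer ids
    my $sth = $dbh->prepare("DELETE FROM auth_header WHERE authid = ?");
    return $sth->execute($authid);                             # rows deleted ("0E0" for none)
}

sub count_authorities {
    my ($dbh) = @_;
    return $dbh->selectrow_array("SELECT COUNT(*) FROM auth_header");
}

# The value quoted in the report is rejected before it reaches the database.
my $deleted = DelAuthority_safe( $dbh, "1 or 1=1" );
printf "injected value: %d rows deleted, %d authorities remain\n",
    $deleted, count_authorities($dbh);

# A genuine id deletes exactly one row.
$deleted = DelAuthority_safe( $dbh, 2 );
printf "authid=2: %d rows deleted, %d authorities remain\n",
    $deleted, count_authorities($dbh);
```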
Ensures the multiple search does not throw a 500 error but
allows a single search to be used as well
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Update 005 date/time when saving authority record for MARC21 and UNIMARC.
Signed-off-by: Nicole Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
This does not seem to occur on all platforms - C4::Search
exports SimpleSearch() by default - but adding the 'C4::Search::'
qualifier certainly doesn't hurt things.
Patch by Fridolyn Somers <fridolyn.somers@gmail.com>
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
The current code in AuthoritiesMarc.pm rewrites all subfields from the report
tag in the authority record to fields in related bibliographic records when
merging authorities. Additional subfields in the biblio records (e.g. relator
code or term) are lost in the process.
This patch retains the original algorithm but restores the additional subfields
from the original biblio record when rewriting the linked marc fields.
The problem also exists in 3.0. Two separate patches have been submitted.
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
If these are acceptable I'll continue - target is to get rid of all warnings
and errors with podcheck and make sure that any man and html formatted pod
docs look 'OK'
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
Fixed obvious warning generators in scripts
with mismatched comparisons or undefined variables;
removed the temporary variable 'selected' while ensuring the
comparison it represented was between two defined variables.
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
Adding some new options to bulkmarcimport:
-k idtagsubfield in order to store the id of the file record into another field
-match tagsubfield,index
-a to import authorities
-l logfilename to store logs
Bug fixing: C4/Charset.pm
Charset was incorrect for UNIMARC Authorities
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
Adds some rewriting
bug fix for merging
AddAuthority had some problem with updating existing data.
ModAuthority adds a new Syspref called MergeAuthoritiesOnUpdate which is used to launch or disable biblios update when updating an authority
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
MARC::File::USMARC::decode is not aware of encoding as MARC::File::XML is
So it caused a problem when decoding information and updating biblios.
Now uses MARC::File::XML
Encoding is OK
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
This is a work-around fix, until a future patch arrives to define the missing 'Heading-Main' zebra-index.
for 3.0.x
[RM note: also included in HEAD so that I can include the UNIMARC(A)
updates by HDL]
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
Adding Heading-Main as new index code in order to search only on Heading-main when $a selected.
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
It turns out that the "blank" record created by MARC::Record->new()
has a leader, so now I explicitly create one in addbiblio.pl. I
also realized I can't count. :-)
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
This patch makes sure that MARC21 authorities have a minimal
Leader, 008, and 040. If an authority record is created through
BiblioAddsAuthority it generates a 670 based on information in
the bib record.
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
replace_with might have unexpected behaviour.
Have to test merge_authority.pl
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
merge works on the fly now.
But for an obscure reason, merge_authority.pl fails to update the database when launched on the command line.
Adding one table to LOCK for noZebra UPDATE in Biblio.pm
You should remove C4::Search from merge_authority.pl
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
Improved C4::AuthoritiesMarc::GetAuthType() so that
it returns either a hashref (if the authority type exists)
or undef (if it does not exist). The same
accessor should not be used to either return a single
value or all values of a settings list. Note that
all existing clients of GetAuthType are expecting
either a single hashref or undef; none of them
expected the arrayref that could be returned by
the previous version of the accessor.
When BiblioAddsAuthorities is ON, addbiblio.pl
now checks the return value of GetAuthType and
no longer crashes as follows if the MARC framework
specifies an invalid authority type for a given subfield:
Can't coerce array into hash at .../cataloging/addbiblio.pl line 738.
No documentation changes.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
Because NoZebra indexing requires having both
the old and new versions of a record when processing
an update, I adjusted the ModZebra sub to require
that the old version be explicitly passed to it.
That way, the zebraqueue row (for Zebra mode) can
now be added *after* the biblio and biblioitems
updates have been completed.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
Added invocations of StripNonXmlChars to uses
of new_from_xml() that involve records
saved to Koha fields via MARC::Record->as_xml();
for batch jobs that work on MARC XML files
coming from external sources, StripNonXmlChars
should not necessarily be used, as it may
be better to reject a file or record if it
contains that kind of encoding error.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>