To recreate:
/cgi-bin/koha/patroncards/edit-template.pl?op=edit&element_id=23%20and%201%3d2+union+all+select+1,user(),@@version+--%20
Look at the Profile dropdown list.
To fix this problem and to make sure it does not appear anywhere else
in the label and patroncards modules, I have refactored the way the
queries are built in C4::Creators::Lib.
Now all of the subroutines take a hashref as parameter, with 'fields'
and 'filters' keys.
From these 2 parameters the new internal subroutine _build_query will
build the query and use placeholders.
Test plan:
1/ Make sure you do not recreate the vulnerability with this patch
applied.
2/ With decent data in the labels and patroncards modules, compare all
the different views (under the New and Manage button groups) with and
without this patch applied.
=> You should not see any differences.
This vulnerability has been reported by MDSec.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Chris Nighswonger <cnighswonger@foundations.edu>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
http://bugs.koha-community.org/show_bug.cgi?id=9987
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
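The commit above describes the fix only in outline (every query is built from a 'fields' and 'filters' hashref by an internal _build_query that uses placeholders). The following is an added example, written for this page and not Koha's own C4::Creators::Lib code, of what such a builder looks like and why it closes the hole: the `table` key, the %ALLOWED column allowlist and the table layout are assumptions made for the demonstration. The request value from the bug report is used only to show that, once bound through a placeholder, it is compared as a single opaque literal and never reaches the SQL text.

```perl
#!/usr/bin/perl
# Added example (not Koha's code): a hashref-driven query builder that keeps
# user-supplied values out of the SQL text.  Identifiers (table and column
# names) cannot be placeholders, so they are checked against an allowlist;
# every filter value becomes a '?' placeholder with a matching bind value.
use strict;
use warnings;

# Constructed allowlist of columns per table (hypothetical, not Koha's schema).
my %ALLOWED = (
    creator_templates => [qw(template_id profile_id template_code template_desc creator)],
    printers_profile  => [qw(profile_id printer_name template_id creator)],
);

# _build_query({ table => ..., fields => [...], filters => { col => value } })
# returns ($sql, \@bind).  Dies on any identifier that is not allowed.
sub _build_query {
    my ($params) = @_;
    my $table   = $params->{table}   // die "table is required";
    my $fields  = $params->{fields}  // ['*'];
    my $filters = $params->{filters} // {};

    my $allowed = $ALLOWED{$table} or die "Unknown table '$table'";
    my %ok = map { $_ => 1 } @$allowed;

    for my $f (@$fields) {
        die "Unknown column '$f'" unless $f eq '*' or $ok{$f};
    }

    my (@where, @bind);
    for my $col (sort keys %$filters) {
        die "Unknown filter column '$col'" unless $ok{$col};
        my $val = $filters->{$col};
        if (ref $val eq 'ARRAY') {
            # IN (...) list: one placeholder per value, never an empty list
            die "Empty list for '$col'" unless @$val;
            push @where, "$col IN (" . join(', ', ('?') x @$val) . ")";
            push @bind, @$val;
        }
        else {
            push @where, "$col = ?";
            push @bind, $val;
        }
    }

    my $sql = 'SELECT ' . join(', ', @$fields) . " FROM $table";
    $sql .= ' WHERE ' . join(' AND ', @where) if @where;
    return ($sql, \@bind);
}

# Value taken from the request string in the bug report above.  With
# placeholders it is bound as one literal and is not part of the SQL text.
my $injected = '23 and 1=2 union all select 1,user(),@@version -- ';

my ($sql, $bind) = _build_query({
    table   => 'creator_templates',
    fields  => [qw(template_id profile_id template_code)],
    filters => { creator => 'Labels', template_id => $injected },
});
print "$sql\n";
print 'bind: ', join(' | ', @$bind), "\n";

# Optional round trip against an in-memory SQLite database, run only when
# DBI and DBD::SQLite are installed (constructed table and row).
if (eval { require DBI; require DBD::SQLite; 1 }) {
    my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
        { RaiseError => 1, PrintError => 0 });
    $dbh->do('CREATE TABLE creator_templates (template_id INTEGER, profile_id INTEGER, '
           . 'template_code TEXT, template_desc TEXT, creator TEXT)');
    $dbh->do('INSERT INTO creator_templates VALUES (23, 1, ?, ?, ?)',
        undef, 'Avery 5160', 'constructed row', 'Labels');

    my $rows = $dbh->selectall_arrayref($sql, undef, @$bind);
    printf "rows matched with the injected value: %d\n", scalar @$rows;

    ($sql, $bind) = _build_query({
        table   => 'creator_templates',
        fields  => [qw(template_id template_code)],
        filters => { creator => 'Labels', template_id => 23 },
    });
    $rows = $dbh->selectall_arrayref($sql, undef, @$bind);
    printf "rows matched with a legitimate id: %d\n", scalar @$rows;
}

# Identifiers are validated too: a column name outside the allowlist is rejected.
eval { _build_query({ table => 'creator_templates', fields => ['nonexistent_column'] }) };
print "rejected: $@" if $@;
```

The SQL text produced for the first call contains only `creator = ?` and `template_id = ?`; the injected string travels in the bind list, so the database compares the whole string against template_id and matches nothing, while the legitimate id matches the constructed row. The allowlist matters because DBI placeholders cannot carry table or column names; a builder that interpolated 'fields' straight into the SELECT list would simply move the injection point.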
Since we switched to Template Toolkit we don't need to stick with the
suffix we used for HTML::Template::Pro.
This patch changes the occurrences of '.tmpl' in favour of '.tt'.
To test:
- Apply the patch
- Install koha, and verify that every page can be accessed
Regards
To+
P.S. a followup will remove the glue code.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This patch touches a lot of code, but basically it removes version
information from use C4::* in our code.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
All scripts still compile after the patch (confirmed by pre-applypatch hook)
This patch adds a 'No Profile/N/A' selection to the printer profile
drop-down menu along with code to handle the selection of it. This
selection is the default selection for new templates.
Documentation should be updated to reflect this change.
Signed-off-by: Liz Rea <lrea@nekls.org>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
This is due to the underlying script not having any defaults hard coded which results
in skewed hash elements when the parameter array is coerced into a hash at a later point.
This also occurs in layouts and profiles. This patch adds defaults to all three.
No documentation changes are necessary.
This fixes:
* A bug which caused the label template editor to throw
an error when saving when no previous profile was applied.
* A typo which caused a 'fetch without execute' error in Labels.pm
It also comments out several useless warns
Two issues here:
1. No radio box was selected by default in the format section of the layout editor. This actually needs some additional attention to allow the user
to establish a default method of entering the format string. As noted in comments in the code, this would probably be best implemented by adding yet
another syspref. However, I don't have time atm.
2. On saving a new template, if no profile was assigned to the new template, the script threw an error and died.
Both issues are addressed in this patch.
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
As discussed with Chris Nighswonger on #koha, this patch
removes the calls to syslog and replaces them with warns
so that error messages generated by the labels code
are sent to the Apache error log. This avoids splitting
this sort of logging across multiple files and is consistent
with current practice in most of the rest of Koha.
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
HTML::Template is no longer used, but some uses were remaining;
fixing the "use ...;" lines to H::T::Pro only
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
The 3 parameters:
intranetcolorstylesheet => C4::Context->preference("intranetcolorstylesheet"),
intranetstylesheet => C4::Context->preference("intranetstylesheet"),
IntranetNav => C4::Context->preference("IntranetNav"),
are filled in by Auth.pm automatically; removing them from the templates
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>