This patch addresses both security issues mentioned in the summary of the report
submitted by Frère Sébastien Marie included below.
---------------------------
The problem is here: 'C4/AuthoritiesMarc.pm' in the function 'DelAuthority':
The argument $authid is included directly (not via statement) in the SQL.
For the exploit of this problem, you can use 'authorities/authorities-home.pl'
with authid on the URL and op=delete (something like
"authorities/authorities-home.pl?op=delete&authid=xxx").
This should successfully call DelAuthority, without authentication...
(DelAuthority is called BEFORE get_template_and_user, so before authentication
[This should be an issue also...]).
Please note that the problem isn't only that anyone can delete an authority of
their choice, it is more general: with "authid=1%20or%1=1" (after inclusion sql
will be like: "delete from auth_header where authid=1 or 1=1") you delete all
authorities ; with "authid=1;delete%20from%xxx" it is "delete from auth_header
where authid=1;delete from xxx" and so delete what you want...
SQL-INJECTION is very permissive: you can redirect the output to a file (with
some MySQL function), so write the file of your choice on the server, in order
to create a backdoor, and compromise the server.
Signed-off-by: Frère Sébastien Marie <semarie-koha@latrappe.fr>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
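The two defects named in the report above (the interpolated $authid and the delete being dispatched before authentication) both have a standard fix shape in Perl/DBI. The following is an added example, not Koha's own code: del_authority_safe(), handle_delete_request(), the $dbh handle and the use of DBD::SQLite for the self-contained demo are all assumptions; the auth_header table and authid column come from the report.

```perl
#!/usr/bin/perl
# Added example (not Koha's own code): a DelAuthority-style delete that
# (a) is only reachable after the caller has been authenticated, and
# (b) passes $authid to the database as a bound parameter instead of
# interpolating it into the SQL string. del_authority_safe(),
# handle_delete_request() and the DBD::SQLite demo are assumptions.
use strict;
use warnings;
use DBI;

# Vulnerable shape described in the report (kept only as a comment):
#   $dbh->do("delete from auth_header where authid=$authid");
# With authid="1 or 1=1" the WHERE clause becomes "authid=1 or 1=1".

sub del_authority_safe {
    my ($dbh, $authid) = @_;

    # authid is an integer key; reject anything else before it reaches SQL.
    # This is defence in depth; the placeholder below is the real fix.
    return (0, "invalid authid")
        unless defined $authid && $authid =~ /\A\d+\z/;

    # The '?' placeholder sends $authid as data, so the server never
    # parses it as part of the statement text.
    my $sth = $dbh->prepare("DELETE FROM auth_header WHERE authid = ?");
    $sth->execute($authid);
    return ($sth->rows, undef);    # rows deleted (0 or 1), no error
}

# Order of operations matters: authentication (in Koha, the
# get_template_and_user call) must run before any destructive op is
# dispatched, not after it. Fail closed if the caller is not authenticated.
sub handle_delete_request {
    my ($dbh, $authid, $is_authenticated) = @_;
    die "not authenticated\n" unless $is_authenticated;
    my ($rows, $err) = del_authority_safe($dbh, $authid);
    die "$err\n" if $err;
    return $rows;
}

# Demonstration against an in-memory SQLite database with constructed rows.
# MySQL behaves the same way with '?' placeholders under DBD::mysql.
if (!caller) {
    my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                           { RaiseError => 1 });
    $dbh->do("CREATE TABLE auth_header (authid INTEGER PRIMARY KEY, authtypecode TEXT)");
    $dbh->do("INSERT INTO auth_header VALUES (1,'NP'),(2,'NP'),(3,'CO')");

    # Injection-shaped value from the report: rejected before any SQL runs.
    my ($rows, $err) = del_authority_safe($dbh, '1 or 1=1');
    printf "injection attempt: rows=%d err=%s\n", $rows, $err // 'none';

    # Legitimate delete of a single authority.
    ($rows, $err) = del_authority_safe($dbh, 2);
    printf "legitimate delete: rows=%d err=%s\n", $rows, $err // 'none';

    # Unauthenticated request never reaches the database.
    eval { handle_delete_request($dbh, 3, 0) };
    print "unauthenticated request: ", ($@ || "allowed\n");

    my ($left) = $dbh->selectrow_array("SELECT COUNT(*) FROM auth_header");
    print "authorities remaining: $left\n";
}
```

Run it with `perl del_authority_safe.pl` (DBD::SQLite installed). The numeric check alone would already stop the "1 or 1=1" and "1;delete from xxx" payloads from the report, but the bound parameter is what closes the class of bug: the value is never concatenated into statement text, so no quoting or encoding trick can change the statement's structure.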
With this patch, in biblio record data entry form, when ... is clicked for an
authority controlled field, it's possible to select which heading repetition to
copy if the authority has repeated headings.
When there is just one authority repetition, the first one is displayed to
choose, as previously.
This patch is REQUIRED by French libraries following SUDOC UNIMARC format, and
cataloguing multilingual materials, i.e. all Higher Educational and Research
libraries.
Signed-off-by: Henri-Damien LAURENT <henridamien.laurent@biblibre.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Fix warnings for uninitialized authtypecode on lines 646, 653.
Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
More podchecker cleanups to eliminate warnings / errors
Signed-off-by: Andrew Elwell <Andrew.Elwell@gmail.com>
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
working through the master branch to eliminate all
podchecker warnings/errors
Actual improvement to the quality of the POD will
come later (hopefully with assistance of others)
Signed-off-by: Andrew Elwell <Andrew.Elwell@gmail.com>
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
This is the sibling to the fix for this bug for the bib
editor. However, note that this change won't have a
direct effect yet, as currently you can't specify a
default value for a field or subfield in the authority
MARC frameworks. See bug 4887.
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Fixed obvious warning generators in scripts
with mismatched comparisons or undefined variables.
Removed the temporary variable 'selected' while ensuring the
comparison it represented was between two defined variables.
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
This patch fixes the UNIMARC 700-4 plugin, adding the plugin_parameters() function,
and adds an eval that permits an error in the plugin without killing the editor.
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
This patch changes the page to use GET instead of POST, and uses independent "input"
names for searched values. Otherwise the args are not passed to the next page due to
rewrite rules.
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
Most Perl scripts (as opposed to modules) do
not need to require Exporter.
No user-visible or documentation changes.
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
merge works on the fly now.
But for an obscure reason, merge_authority.pl fails to update the database when launched on the command line.
Adding one table to LOCK for noZebra UPDATE in Biblio.pm.
You should remove C4::Search from merge_authority.pl.
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
A button to delete (non-mandatory) subfields and fields
is added to the bib and authority MARC editors. This button,
which displays as a hyphen or minus sign after the plus sign
to clone a field, acts as follows:
[1] When deleting a whole MARC field, if at least
one other repeat of that field exists, deletes
the field from the editor page. If the field
to be deleted is the last instance of that tag,
the contents of the field are cleared, not removed.
This allows one to delete all 650 tags, then
add a new one without having to reload the
record in the editor.
[2] When deleting a subfield, if at least one other
repeat of that subfield and its tag occurs
*anywhere else in the record, not necessarily in the same tag*,
deletes the subfield.
Otherwise, if the subfield is the last occurrence
of that tag/subfield combination, clears the input
form instead.
Documentation note: new screenshots for MARC editor, plus
description of the '-' button.
Credit to MJ Ray for introducing the '-' button
and the UnCloneField JavaScript function.
Signed-off-by: Andrew Moore <andrew.moore@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
Use textareas for the 6XX fields when editing MARC21
authority records - these fields, not the 5XX, contain
the lengthy notes.
Note that because of the previous patch, both text inputs
and textareas permit entry of up to 9999 characters.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
The maximum length allowed for input into a subfield in
the MARC editor has been increased to 9999 characters
(from 255), permitting data entry of a field that meets
the maximum MARC field limit of 9999 octets.
Also set the maximum length for the leader form input
to 24 characters and the length for the MARC21 008
to 40 characters.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
Fix same as for 2205 - the orderby parameter is
currently required for authority searches.
Also set default results per page to 20 instead of
19.
No documentation changes.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
In any MARC record display in the OPAC or staff client
that displays the MARC tag numbers, the indicators are
now displayed as well, following the tag number. If an
indicator is a blank, it is displayed as '#'.
Add a function to C4::Koha, display_marc_indicators(), to
generate this display form of the indicators.
Refactoring note: the four scripts changed in this commit
have a lot of duplicate code that could be merged into
a MARC displayer class.
Documentation notes: screenshots of tagged MARC record
displays should be updated.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
Instead of having one input field for both indicators
of a variable field, the bib and authority MARC editor
now has an input field for each indicator. This has
two main advantages:
* it is easier to tell what the indicator values are,
even when the first indicator is a space
* it is easier to set the first indicator to blank
and the second indicator to non-blank.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
The find_values() function in authorities/authorities.pl
and authorities/detail.pl is not used; appears to be copied
from additem.pl.
No documentation changes.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
The AddStatement op is an archaism from 2.2 that
has not been used in the templates for at least a
year.
No documentation changes.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
finalresult contained the whole list and not only the useful results.
resultlist contained only 19 elements; adding one.
Parameters passed through pages also contained empty parameters; deleting them.
Conflicts:
C4/AuthoritiesMarc.pm
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
The 3 parameters:
intranetcolorstylesheet => C4::Context->preference("intranetcolorstylesheet"),
intranetstylesheet => C4::Context->preference("intranetstylesheet"),
IntranetNav => C4::Context->preference("IntranetNav"),
are filled in by Auth.pm automatically; removing them from the templates.
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
With the YUI tabs, the SINGLETAB feature (that hides tabs when there is only 1) was buggy.
This commit fixes the problem, and solves some other ones:
- order the fields
- resize the input size (see previous commit in addbiblio.pl)
- remove some unused code
- reindent
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>