Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
After a couple comments regarding the default value I picked for the
new syspref, I've decided to set it 0, as libraries interested on the
fetarue will just enable it.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch adds logging for several holds actions. Specifically for:
- CREATE
- CANCEL
- DELETE
- RESUME
- SUSPEND
- MODIFY
To test:
- Enable the HoldsLog syspref
- Add a hold on a record/item
=> SUCCESS: The log view shows the CREATE action
- Click on the <Suspend> button
=> SUCCESS: The log view shows the SUSPEND action
- Click on the <Unsuspend> button
=> SUCCESS: The log view shows the RESUME action
- Click on the red cross, to delete the hold
=> SUCCESS: The log view shows the CANCEL action
Note: The DELETE action is logged when DelMember is called, with bug 16819 patches applied.
Sponsored-by: NEKLS
Signed-off-by: Liz Rea <liz@catalyst.net.nz>
I also wonder about this going in defaulted on, but since the other logs are as well it seems ok to me.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch introduces a new syspref 'HoldsLog' which is to be used for controlling
holds actions logs.
Sponsored-by: NEKLS
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch introduces tests for the new 'interface' parameter for the
C4::Log::logaction and C4::Log::GetLogs functions.
In logaction, it falls back to C4::Context->interface if ommited.
To test:
- Run
$ prove t/db_dependent/Log.t
=> SUCCESS: Tests pass
- Sign off
Sponsored-by: NEKLS
Signed-off-by: Nicole C Engard <nengard@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Sponsored-by: NEKLS
Signed-off-by: Nicole C Engard <nengard@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch introduces the 'interface' filter to the log viewer.
To test:
- Apply the patch
- Open the log viewer
=> SUCCESS: As default, 'All' interfaces are chosen. OPAC, Intranet and SIP are presented
- Do a lot of log searches, verify that the interface column shows what is expected.
=> SUCCESS: The chosen 'interfaces' are kept when rendering results.
Sponsored-by: NEKLS
Signed-off-by: Nicole C Engard <nengard@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch changes the logaction API so it accepts a new 'interface' param.
Current code calling logaction is not changed, and this parameter can be ommited
in most contexts, and it will correctly fall-back to C4::Context->interface.
Unit tests are provided on a different patch.
GetLogs gets patched as well, so it can be required to filter by 'interface' param.
Sponsored-by: NEKLS
Signed-off-by: Nicole C Engard <nengard@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch introduces a new column for the action_logs table. It is
called 'interface' and it is intended to store the interface in which
the action was performed.
Sponsored-by: NEKLS
Signed-off-by: Nicole C Engard <nengard@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
No idea how to replicate this issue but we have been getting several reports
about the following error:
Software error:
Corrupted storable string (binary v2.9) at /usr/lib/perl/5.18/Storable.pm line
417, at /home/koha/kohaclone/cataloguing/additem.pl line 375.
TEST PLAN:
1. Add or modify an Item.
2. No observed changes.
?. We don't know what causes this but we know that add/modify Item occasionally
crashes due to failure of a cookie thawing.
This patch prevents the whole program from dying, because this error is not
critical enough to warrant dying.
Also there is no centralized mechanism in Koha for showing messages to the
user, so there is no easy and convenient way to warn the user that the:
'LastCreatedItem'-cookie or the systempreference 'PrefillItem' is
malfunctioning.
So we instead just warn to the server logs with the malfunctioning cookie in
hopes of nailing down what causes the issues.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch replaces the hardcoded protocol ("http") from the URI with
https since that is what Google defacto uses to serve JS resources
Prevents MIXED CONTENT failure, allowing GoogleIndicTransliteration
to function correctly when used in SSLized OPACs.
Test plan
---------
1/ Make sure your OPAC is being served both over HTTP and HTTPS
2/ Set GoogleIndicTransliteration syspref to "Show"
3/ Access the OPAC over http, Google transliteration element will
show up in masthead searchbox.
4/ Access the OPAC over https. The element will not show. Console
will show MIXED CONTENT error and failure of google loader.
5/ Apply patch. Repeat steps #3 and #4 again. Now in both cases
GoogleIndicTransliteration will work.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch adds a function to the koha-plack script so it checks for log file
existence and its permissions. This function is called from the start_plack function.
If some of this conditions are not fulfilled, it solves the situation by either
touching and/or changing the permissions accordingly for the instances' plack log files.
To test:
- Run (on kohadevbox):
$ cd kohaclone
$ debian/scripts/koha-plack --start kohadev
$ debian/scripts/koha-plack --stop kohadev
$ ls /var/log/koha/kohadev/plack*
- Verify ownership of the created files (they might belong to the root user)
- Apply the patch
- Run:
$ chown root:root /var/log/koha/kohadev/plack*
$ debian/scripts/koha-plack --start kohadev
$ ls /var/log/koha/kohadev/plack*
=> SUCCESS: Files belong to kohadev-koha:kohadev-koha
- Run:
$ debian/scripts/koha-plack --stop kohadev
$ rm /var/log/koha/kohadev/plack*
$ debian/scripts/koha-plack --start kohadev
$ ls /var/log/koha/kohadev/plack*
=> SUCCESS: Files are created and belong to kohadev-koha:kohadev-koha
- Sign off :-D
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch follows Galen's suggestion in comment #7.
TEST PLAN
---------
1) Back up your koha logs as desired.
2) add something to /var/log/koha/{instance name}/intranet-error.log
3) ps aux | grep zebra
4) logrotate -f /etc/logrotate.d/koha-common
5) ps aux | grep zebra
-- the zebrasrv and daemon process for zebra indexing
didn't restart.
6) apply this patch against /usr/sbin/koha-stop-zebra
7) sudo koha-start-zebra {instance name}
8) ps aux | grep zebra
-- the processes should have started up again.
9) add different junk to /var/log/koha/{instance name}/intranet-error.log
10) ps aux | grep zebra
11) logrotate -f /etc/logrotate.d/koha-common
12) ps aux | grep zebra
-- the process ids for the zebrasrv and daemon processes should
be different, but the number of processes is the same as before.
13) sign off, because its less ugly than comment #3
Sponsored-by: Tulong Aklatan
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Works as expected, no regressions found.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
ttf-dejavu was missing from the build dependencies.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
When edit or create a new vendor the two fields "email" and "website" don't test
if the data provided is right. When you add a direction like
"koha-community.org" without the protocol "https" the program redirect to an
404 error.
To reproduce the issue:
1-Go to Acquisition and create a new Vendor
2-Fill the field Website with koha-community.org
3-Use an email without at sing (@)
4-Notice that there is no error
5-Save
6-Go to the vendor created (/cgi-bin/koha/acqui/supplier.pl?booksellerid=1)
7-Click in Website: koha-community.org -> redirect to an 404 error
8-Notice the bad mailto:
To test:
-Apply patch
-Reproduce step 1 to 8 with the same vendor or create a new one
-Enter multiple wrong and valid urls
-Enter urls with and without protocols http, https, ftp
-Enter wrong and valid emails
NOTE: The classes used are taken from 'branches.tt'
Signed-off-by: Liz Rea <liz@catalyst.net.nz>
no longer allows entering of improper website urls or incomplete email addresses.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
The breadcrumb on the Acquisition's home page reads: Home > Acquisitions >
This tiny patch removes the trailing > (›)
Amended: Remove the link on 'Acquisitions' as well...
Signed-off-by: Claire Gravely <c.gravely@arts.ac.uk>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
In Staff client, the advanced serach form does not display the
translations of item types.
(Note: It is not necessary to have translations installed to verify
this bug.)
Prerequisites:
- Go to Home > Administration > Item types administration
- Edit e.g. item type "BK" (Book)
- Near "Description", click link "Translate into other languages
- If you have other languaes installed, add translatons for those
- If you have an Englis only installation, add a "translation" for
English, make sure that you can identify it while testing (I
used "BOOOOOOOOOOOOKS")
Verify:
- Go to Home › Advanced search
- Verify near "Limit to any of the following" that the description for
itemtype BK reads "Book" instead of "BOOOOOOOOOOOOKS"
Test:
- Apply patch
- Verify that the item type description now reads ""BOOOOOOOOOOOOKS"
- If you have a multi language installaton, verify that item types
you translated display as appropriate
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
The patron category description is not passed to the template in
paycollect.pl
Note: The Categories TT plugin should be used here...
Test plan:
Go on paycollect.pl and confirm that the patron category description is
now displayed in the sidebar.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Brendon Ford <brendon.ford@manhattan.edu>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Returned items may have 3 kinds of notes, patron, item public, and item
non-public. However, the html markup for them does not allow us to
distinguish which type we are seeing. It would be good to add classes
for each of these note types.
Test Plan:
1) Check out an item to a patron
2) Add a patron note, a public item note, and a non-public item note
to the patron and item you used
3) Check in the item and instead the html, note the each note span
now has a class to distinguish which type of note is being displayed.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
To verify:
- Log in to OPAC as a user who has fines or credits
- Go to page "your fines"
- Verify that values for "Fine amount", "Amount outstanding"
and "Total due" are not formatted as defined in syspref CurrencyFormat
(e.g. for FR)
To test:
- Apply patch
- Repeat steps above
- Verify that values are formatted as appropriate with different
settings for syspref CurrencyFormat
Note: This patch does not force text alignment to the right.
Text alignement can be done using syspref OPACUserCSS
(td.sum, td.credit, td.debit)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Format the values in patron search results following syspref CurrencyFormat.
To verify:
- Search for patrons who have fines or credits
- In result table, column 'Fines' does not respect syspref CurrencyFormat
(e.g. for FR)
To test:
- Apply patch
- Repeat steps above, verify that fines display as appropriate
- Change syspref Currencyformat, verify display
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Numeric comparison operator is used where string comparison required,
resulting in the following warning in the log: 'Argument "delete" isn't
numeric in numeric eq (==).'
This patch corrects it to use 'eq' not '==' to compare strings.
To test, apply the patch and go to Acquisitions -> EDIFACT messages.
Delete an EDIFACT message. There should be no error in the error log.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
To test
1/ Hit the page, notice the warning in the log
2/ Apply patch
3/ Hit page, notice no warning in the log
4/ Test functionality all still works
Works as expected. (Note: See Bug 16960 for updating patron details).
Signed-off-by: Marc <veron@veron.ch>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Test plan:
update and install translated language files
On the item list (cataloguing/additem.pl) the context menu should be
translated (Edit item/Delete item)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Indeed, it's not used!
Test plan:
git grep '\[% findborrower'
should not return any result.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Bug 10318 added the email to the patron search results but it has been
removed later.
This patch reintroduced it where it was (no new column).
Test plan:
Search for patrons and confirm that the emails are displayed.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
To test:
- for a particular item type & patron category, configure a non-zero
"no renewal before" date so items can't be immediately renewed
- sign in as a patron in aforementioned patron category
- check out an item of aforementioned item type
- go to your renewals page in OPAC /cgi-bin/koha/opac-user.pl
- an error messages appears in the div.alert.dialog up top
Sponsored-by: California College of the Arts
Signed-off-by: Brendon Ford <brendon.ford@manhattan.edu>
Signed-off-by: Irma Birchall <irma@calyx.net.au>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
If language is set by external link language switcher does not work
To reproduce:
- Have a multilingual koha installation, let's say en, de-CH, fr-FR and it-IT
- Create external links e.g. from your multilingual library website to each language variant of OPAC:
...cgi-bin/koha/opac-main.pl?language=en
...cgi-bin/koha/opac-main.pl?language=de-CH
...cgi-bin/koha/opac-main.pl?language=fr-FR
...cgi-bin/koha/opac-main.pl?language=it-IT
Each link opens fine displaying the language as appropriate.
Now try to switch language on the page you just opened via the external link.
It won't work, it will always stay on the language defined by the external link.
To test:
- Apply patch
- Repeat steps above
- Verify that the language switcher works
- Verify in browser address field that after switching language, the param 'language= 'has vanished from url string
- Try links with multiple params and with params containing 'language', e.g.
...cgi-bin/koha/opac-search.pl?language=fr-FR&q=language&mylanguage=test
- Verify that only the parameter 'language=' vanishes
Tested counter patch, works as well.
Signed-off-by: Marc <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch fixes sentences splitting in file
koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt
Fix is done with a new .inc file because the code is the same as in
koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt
To test:
- Carefully review code changes
- Test on a fresh install without example data (or save database
and test with empty tables 'branches' and 'categories')
- Go to Home > Patrons (members-home.pl)
- Verify that a warnings appears aubout missing libraries and patron
categories
- Try to add a new patron (memberentry.pl)
- Verify that the same messages are triggered
- Verify that messages disappear as appropriate as soon as a library and
a patron category are defined.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Note: Filed Bug 17093 for JS error on patron entry form.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
From Koha::DateUtils::output_pref:
$dt = eval { dt_from_string( $str ) } if $str;
carp "Invalid date '$str' passed to output_pref\n" if $@;
This second line is wrong: if $str does not exist, the first line is not evaluated and $@ could be filled with previous error.
To reproduce:
Then:
prove t/DateUtils.t
will display:
t/DateUtils.t .. 20/60 Use of uninitialized value $str in concatenation (.) or string at Koha/DateUtils.pm line 217.
Invalid date '' passed to output_pref
at t/DateUtils.t line 233.
t/DateUtils.t .. ok
All tests successful.
Files=1, Tests=60, 2 wallclock secs ( 0.02 usr 0.00 sys + 1.40 cusr 0.00 csys = 1.42 CPU)
Result: PASS
Test plan:
Without this patch, you should not see the carp
Signed-off-by: Srdjan <srdjan@catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
If there was more than one search term you could see that that it
was url encoded. Also problems with search terms with umlauts and
other diacritics.
Patch should fix that.
https://bugs.koha-community.org/show_bug.cgi?id=17074
Signed-off-by: Marc <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
The 'scan indexes' search that can be reached from the
advanced search has 2 problems to begin with:
- The search term you searched for is not displayed
in the input field.
- The links in the result list are missing the index
and because of that, are not giving the correct results.
To test:
- Go to the advanced search, select an index to search in
- Enter a search term and check 'scan indexes'
- Submit search
- Check if the search term is visible in the input box
- Check if the result links contain your selected index
and give you correct results (count and the number of
results should match)
Tested both patches together, works as expected.
Signed-off-by: Marc <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
If you click the clear button to clear the search term it does take the search
term away. However, the next time you click on "Saved reports" the search term
is still there.
TO TEST:
1. Reports > Use saved
2. Filter on anything (date/author/keyword). Let say "foo" in keyword.
3. Click the Clear link on the Filter form. You can see that "foo" is removed
from keyword, and all the saved reports are displayed.
4. Click "Saved Reports" on the left. You can see that "foo" reappears in
keyword filter.
5. Apply the patch, and repeat steps 2-4.
Signed-off-by: Jesse Maseto <jesse@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
If an attacker can get an authenticated Koha user to visit their page with the
url below, they can change patrons' passwords
/members/member-password.pl?member=42&newpassword=hacked&newpassword2=hacked
Test plan:
Trigger
/members/member-password.pl?member=42&newpassword=hacked&newpassword2=hacked
=> Without this patch, the password will be updated
=> With this patch applied you will get a crash "Wrong CSRF token" (no
need to stylish)
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
If we do not fill a new userid, we should keep the old one.
Script member-password should pass that to Koha::Patron.
Otherwise things go wrong.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Without this patch, you could effectively disable a login.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Marc <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Resolves the following comments:
I'd prefer to see a generate_csrf method than a CSRF flag.
It'd be better to use instead of require the 2 modules.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Marc <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Move calls to WWW::CSRF to Koha::Token.
Send a safe random string to WWW::CSRF instead of letting CSRF make a
blocking call to Bytes::Random::Secure. If your server has not enough
entropy, opac-memberentry will hang waiting for more characters in
dev/random. Koha::Token uses Bytes::Random::Secure with the NonBlocking
flag.
Test plan:
[1] Do not yet apply this patch.
[2] If your server has not enough entropy, calling opac-memberentry may
take a while. But this not may be the case for you (no worries).
[3] Apply this patch.
[4] Verify that opac-memberentry still works as expected.
[5] Run t/Token.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Yes, my server had entropy trouble (reason for finding the problem).
This patch resolves the delay.
Tested all 3 patches together, works as expected.
Signed-off-by: Marc <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
If an attacker can get an authenticated Koha user to visit their page
with the url below, they can change patrons' passwords or other
patrons'details
members/memberentry.pl?op=save&destination=circ&borrowernumber=3435&password=ZZZ&password2=ZZZ&nodouble=1
Test plan:
Trigger
members/memberentry.pl?op=save&destination=circ&borrowernumber=42&password=ZZZ&password2=ZZZ&nodouble=1
=> Without this patch, the password will be updated
=> With this patch applied you will get a crash "Wrong CSRF token" (no
need to stylish)
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amended: removed the commented use Digest::MD5-line.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This was set to a version that is not available in Wheezy or Jessie.
The version is not required, the only change to 1.42 (packaged for
Wheezy and Jessie) is a fix for Windows, see
http://cpansearch.perl.org/src/PETDANCE/Test-WWW-Mechanize-1.44/Changes
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
The more correct solution is fix that template file.
However, in the mean time, this works.
TEST PLAN
---------
1) find a record
2) edit record
3) click value builder for 007
4) change everything to pipes as much as possible.
(use Motion Picture to get all 00-22 values)
5) save
-- should save just fine.
6) click the value builder again
-- OOPS! Bad reload.
7) prove t/db_dependent/FrameworkPlugin.t
-- NOISY 007 messages.
8) apply patch
9) click the value builder again
-- good reload
10) prove t/db_dependent/FrameworkPlugin.t
-- No noise related to 007.
11) run koha qa test tools.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Test plan:
Search for something like:
\";alert(1)//135
=> Without this patch you will see the alert
=> With this patch, no more alert
Note that this fix the parameters idx, q and op
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Test plan:
Enter the following in the "Check out" tab:
"><script>alert('XSS')</script>
=> Without this patch you will see the alert
=> With this patch, no more alert
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Test plan:
Enter the following in the barcode input:
<script>alert('XSS')</script>
=> Without this patch you will see the alert
=> With this patch, no more alert
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Test plan:
Hit
/serials/serials-search.pl?ISSN_filter="%2F><script>alert('XSS')<%2Fscript>&searched=1
/serials/serials-search.pl?title_filter="%2F><script>alert('XSS')<%2Fscript>&searched=1
=> Without this patch you will see the alert
=> With this patch, no more alert
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
