Commit graph

14 commits

Author SHA1 Message Date
a70980d825 Bug 17900: Fix possible SQL injection in patron cards template editing
To recreate:
/cgi-bin/koha/patroncards/edit-template.pl?op=edit&element_id=23%20and%201%3d2+union+all+select+1,user(),@@version+--%20

Look at the Profile dropdown list.

To fix this problem and to make sure it does not appears anywhere else
in the label and patroncards modules, I have refactored the way the
queries are built in C4::Creators::Lib
Now all of the subroutine takes a hashref in parameters with a 'fields'
and 'filters' parameters.
From these 2 parameters the new internal subroutine _build_query will
build the query and use placeholders.

Test plan:
1/ Make sure you do not recreate the vulnerability with this patch
applied.
2/ With decent data in the labels and patroncards modules, compare all
the different view (undef the New and Manage button groups) with and
without this patch applied.
=> You should not see any differences.

This vulnerability has been reported by MDSec.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-30 11:19:55 +00:00
a159d2b067 Bug 16154: CGI->multi_param - Assign a list
This patch replaces the occurrences of
  @foo = $cgi->param('foo');
with
  @foo = $cgi->multi_param('foo');

perl -p -i -e
's/^(\s*@\w+\s*=\s*)\$(cgi|input|query)\->param\(/$1\$$2\->multi_param\(/xms'
**/*.pl

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-04-26 23:16:43 +00:00
Jonathan Druart
a6c9bd0eb5 Bug 9978: Replace license header with the correct license (GPLv3+)
Signed-off-by: Chris Nighswonger <cnighswonger@foundations.edu>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>

http://bugs.koha-community.org/show_bug.cgi?id=9987

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-04-20 09:59:38 -03:00
Jonathan Druart
e20270fec4 Bug 11944: use CGI( -utf8 ) everywhere
Signed-off-by: Paola Rossi <paola.rossi@cineca.it>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Dobrica Pavlinusic <dpavlin@rot13.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-01-13 13:07:21 -03:00
afd2418d73 Bug 11349: Change .tmpl -> .tt in scripts using templates
Since we switched to Template Toolkit we don't need to stick with the
sufix we used for HTML::Template::Pro.

This patch changes the occurences of '.tmpl' in favour of '.tt'.

To test:
- Apply the patch
- Install koha, and verify that every page can be accesed

Regards
To+

P.S. a followup will remove the glue code.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-07-17 11:05:49 -03:00
a12629d1f0 Bug 8943 - Add table sorting to labels - Followup - Sort pulldowns in batch export.
Signed-off-by: Melia Meggs <melia@bywatersolutions.com>
Signed-off-by: Nora Blake <nblake@masslibsystem.org>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
All tests and QA script pass.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2013-03-31 08:33:42 -04:00
Dobrica Pavlinusic
130e3d9c10 Bug 8315 - remove use C4::* version
This patch touches a lot of code, but basically it removes version
information from use C4::* in our code.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
All script still compiles after the patch (confirmed by pre-applypatch hook)
2012-07-13 14:17:20 +02:00
Chris Nighswonger
7824a1bc8d Bug 7207 - Reverting a portion of commit 607b5449bd which breaks the label export script.
squashed chris_n's two patches. Label export works again. Also changed the pattern for the item_number to the known working, critic friendly pattern.

Don't change $_ in a list context

Changed the 3rd bit to the critic friendly pattern chris_n suggests in the previous two lines.

Signed-off-by: Brendan <brendan@bywatersolutions.com>
2011-11-16 17:55:35 +01:00
Chris Cormack
607b5449bd Bug 6679 : Don't declare variables in conditionals Don't change $_ in a list context http://search.cpan.org/~elliotjs/Perl-Critic-1.116/lib/Perl/Critic/Policy/ControlStructures/ProhibitMutatingListFunctions.pm
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2011-11-06 18:12:58 +01:00
Lars Wirzenius
772ada9bf3 Fix FSF address in directory labels/
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
2010-03-16 20:17:50 -04:00
Chris Nighswonger
4a675bcaad [5/30] A rework of Label Creator code
This rework removes code held in common with the Patron Card Creator
and move is to the new C4::Creators module.
2010-01-11 18:16:52 -05:00
dd08a539dc remove unnecesary import of HTM:::Template::pro
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
2009-09-05 21:43:12 -04:00
Chris Nighswonger
39d227d712 [24/40] Adding single/multiple label printing to label export code and interface.
This adds single/multiple label printing by item number along with new CSV and XML export code.
2009-09-01 15:51:58 -04:00
Chris Nighswonger
51db13b8da [23/40] Initial work on label export interface. 2009-09-01 15:51:47 -04:00