David Cook
623e1c5912
This change validates the "type" sent to the barcode/svc. Without this
change, we pass the user input directly to GD::Barcode, which passes
the input into an eval{} block without any validation of its own.
Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=bad&barcode=123456
3. Note that a Code39 barcode is provided for an invalid type
4. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=Code39&barcode=123456
5. Note that a Code39 barcode is provided
6. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=UPCE&barcode=123456
7. Note that a non-Code39 barcode is provided (presumably UPCE)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 73b0c3cf621250008845f22f7a36f90a48e00b06)
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
157 lines
3.4 KiB
Perl
Executable file
157 lines
3.4 KiB
Perl
Executable file
#!/usr/bin/perl
|
|
|
|
# Copyright 2014 ByWater Solutions
|
|
#
|
|
# This file is part of Koha.
|
|
#
|
|
# Koha is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# Koha is distributed in the hope that it will be useful, but
|
|
# WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with Koha; if not, see <http://www.gnu.org/licenses>.
|
|
|
|
use Modern::Perl;
|
|
|
|
use CGI qw(header);
|
|
use GD::Barcode;
|
|
|
|
use C4::Auth qw(check_cookie_auth);
|
|
|
|
=head1 NAME
|
|
|
|
/cgi-bin/koha/svc/barcode
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
This service generates a PNG barcode image for the requested barcode.
|
|
|
|
=head2 PARAMETERS
|
|
|
|
=over
|
|
|
|
=item I<barcode>
|
|
|
|
I<barcode> is the desired barcode. It should be called like:
|
|
|
|
=item I<type>
|
|
|
|
I<type> is the desired barcode type. Possible values are
|
|
Code39
|
|
UPCE
|
|
UPCA
|
|
QRcode
|
|
NW7
|
|
Matrix2of5
|
|
ITF
|
|
Industrial2of5
|
|
IATA2of5
|
|
EAN8
|
|
EAN13
|
|
COOP2of5
|
|
|
|
If ommited,it defaults to Code39.
|
|
|
|
=item I<notext>
|
|
|
|
Unless I<notext=1> is specified in the parameter list, the
|
|
value of the barcode will included as text below the
|
|
scannable barcode.
|
|
|
|
|
|
=back
|
|
|
|
=head2 EXAMPLES
|
|
|
|
=over
|
|
|
|
=item /cgi-bin/koha/svc/barcode?barcode=123456789
|
|
|
|
Returns a Code39 barcode image for barcode 123456789
|
|
|
|
=item /cgi-bin/koha/svc/barcode?barcode=123456789&type=UPCE
|
|
|
|
Returns a UPCE barcode image for barcode 123456789
|
|
|
|
=item /cgi-bin/koha/svc/barcode?barcode=123456789¬ext=1
|
|
|
|
Returns a Code39 barcode image for barcode 123456789
|
|
which does not include the human readable text '123456789'
|
|
below the scannable barcode.
|
|
|
|
=back
|
|
|
|
=cut
|
|
|
|
my %type_mapping = (
|
|
Code39 => 1,
|
|
UPCE => 1,
|
|
UPCA => 1,
|
|
QRcode => 1,
|
|
NW7 => 1,
|
|
Matrix2of5 => 1,
|
|
ITF => 1,
|
|
Industrial2of5 => 1,
|
|
IATA2of5 => 1,
|
|
EAN8 => 1,
|
|
EAN13 => 1,
|
|
COOP2of5 => 1,
|
|
);
|
|
|
|
my $input = CGI->new;
|
|
|
|
my ( $auth_status ) = check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => '*' } );
|
|
|
|
if ( $auth_status ne "ok" ) {
|
|
exit 0;
|
|
}
|
|
|
|
binmode(STDOUT);
|
|
|
|
my $type = $input->param('type') || '';
|
|
my $barcode = $input->param('barcode');
|
|
my $notext = $input->param('notext') ? 1 : 0;
|
|
my $height = $input->param('height') || 50;
|
|
my $qrcode_modulesize = $input->param('modulesize') || "5"; # 1+
|
|
my $image;
|
|
|
|
# Validate the barcode type. Default to Code39 if no type or unsupported type sent.
|
|
if ( !$type_mapping{$type} ) {
|
|
$type = 'Code39';
|
|
}
|
|
|
|
if ( $type eq 'Code39' ) {
|
|
$barcode = '*' . $barcode unless $barcode =~ /^\*/;
|
|
$barcode = $barcode . '*' unless $barcode =~ /\*$/;
|
|
}
|
|
|
|
eval {
|
|
if( $type eq "QRcode" ){
|
|
$image = GD::Barcode->new('QRcode', $barcode, { Ecc => "M", ModuleSize => $qrcode_modulesize } )->plot->png();
|
|
} else {
|
|
# BZ 37464 - $type must be validated as GD::Barcode unsafely passes this argument directly to an eval{} block
|
|
$image = GD::Barcode->new( $type, $barcode )->plot( NoText => $notext, Height => $height )->png();
|
|
}
|
|
};
|
|
|
|
if ( $@ ) {
|
|
# problem creating image
|
|
print header( -status => 500 );
|
|
} else {
|
|
print header('image/png');
|
|
print $image;
|
|
}
|
|
|
|
exit 0;
|
|
|
|
=head1 AUTHOR
|
|
|
|
Kyle M Hall <kyle@bywatersolutions.com>
|
|
|
|
=cut
|