I can't quite figure this out. When I run CGI version of Koha, I see following response (recorded using tcpdump):
HTTP/1.1 302 Found
Date: Thu, 27 Aug 2015 13:28:41 GMT
Server: Apache/2.4.10 (Debian)
Location: /cgi-bin/koha/acqui/basket.pl?basketno=5610
Vary: User-Agent
Content-Length: 0
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/x-perl
However, when running behind apache 2.4.10 on Debian wheezy I see chunked response:
HTTP/1.1 302 Found
Date: Thu, 27 Aug 2015 13:21:28 GMT
Server: Apache/2.4.10 (Debian)
Vary: User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/x-perl
60
Transfer-Encoding: chunked
Date: Thu, 27 Aug 2015 13:21:28 GMT
Connection: keep-alive
0
0
This response doesn't work in firefox (where it reports page not found) nor in chrome (where it returns lines below 60 on screen).
In the template the hidden input 'basketno' is listed twice. What the cgi script reads in the parameter, what is does is concat the values of the multiple basketno instances together createing what is likely an invalid basketno. For reasons beyond my understanding this is what triggers this error!
Test Plan:
1) Using plack, add an order to a basket from an external source
2) Note the error
3) Apply this patch
4) Add an order to a basket from an external source
5) Note you get no error!
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Kyle M Hall
237c1483dd