Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/svc/report
Marcel de Rooy bfbbe52ff7 Bug 21115: Add multi_param call and add divider in cache key in svc/report and opac counterpart 
Resolve things like:
CGI::param called in list context from package CGI::Compile::ROOT::usr_share_koha_prodclone_opac_svc_report line 42, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 436.

The cache key in both script looks like:
    opac:report:id:602018
but should for consistency be:
    opac:report:id:60:2018
Note: The 2018 here is part of the sql_params and should not be
concatenated to the report id.

Test plan:
Do not yet apply this patch.
Make a report public, set cache to 300 secs.
Check its output with opac/svc/report.
Check for the warn in your log.
Apply the patch, restart Plack and flush cache.
Check opac/svc/report.
Modify your report; e.g. add a simple string to the SELECT.
Check opac/svc/report. You should still see cached output.
Flush the cache.
Check opac/svc/report. You should now see the added text.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Tested also by clearing individual keys with $cache->clear_from_cache.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-10-15 13:45:42 +00:00

94 lines
2.8 KiB
Perl
Executable file
Raw Blame History

#!/usr/bin/perl
# This file is part of Koha.
#
# Copyright (C) 2011 Chris Cormack <chris@bigballofwax.co.nz>
# Copyright (C) 2013 Mark Tompsett
#
# Koha is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# Koha is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Koha; if not, see <http://www.gnu.org/licenses>.
use Modern::Perl;
use C4::Auth;
use C4::Reports::Guided;
use Koha::Reports;
use JSON;
use CGI qw ( -utf8 );
use Koha::Caches;
my $query = CGI->new();
my $report_id = $query->param('id');
my $report_name = $query->param('name');
my $report_annotation = $query->param('annotated');
my $report_recs = Koha::Reports->search( $report_name ? { 'report_name' => $report_name } : { 'id' => $report_id } );
if (!$report_recs || $report_recs->count == 0 ) { die "There is no such report.\n"; }
my $report_rec = $report_recs->next();
my @sql_params = $query->multi_param('sql_params');
my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
{
template_name => "intranet-main.tt",
query => $query,
type => "intranet",
authnotrequired => 0,
flagsrequired => { catalogue => 1, },
}
);
my $cache = Koha::Caches->get_instance();
my $cache_active = $cache->is_cache_active;
my ($cache_key, $json_text);
if ($cache_active) {
$cache_key = "intranet:report:".($report_name ? "report_name:$report_name:" : "id:$report_id:")
. join( '-', @sql_params );
$json_text = $cache->get_from_cache($cache_key);
}
unless ($json_text) {
my $offset = 0;
my $limit = C4::Context->preference("SvcMaxReportRows") || 10;
my $sql = $report_rec->savedsql;
# convert SQL parameters to placeholders
$sql =~ s/(<<.*?>>)/\?/g;
my ( $sth, $errors ) = execute_query( $sql, $offset, $limit, \@sql_params, $report_id );
if ($sth) {
my $lines;
if ($report_annotation) {
$lines = $sth->fetchall_arrayref({});
}
else {
$lines = $sth->fetchall_arrayref;
}
$json_text = encode_json($lines);
if ($cache_active) {
$cache->set_in_cache( $cache_key, $json_text, { expiry => $report_rec->cache_expiry } );
}
}
else {
$json_text = encode_json($errors);
}
}
print $query->header(
-charset => 'UTF-8',
-type => 'application/json'
);
print $json_text;
View git blame Copy permalink