Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/opac/opac-showmarc.pl
Tomas Cohen Arazi 4452036d1c
Bug 25009: Avoid leakages in opac-showmarc.pl 
This patch cleans opac-showmarc.pl so it doesn't allow retrieving
records from import batches without requiring any permissions in the
OPAC.

it does so by just removing the code portion that does that.

It also cleans the record fetch operation and how the record processor
is initialized to it actually works :-D

To test:
1. Perform a successful Z39.50 search in cataloguing (this fetches 20
   records usually)
2. Query your DB for a valid import_record_id:
  $ koha-mysql kohadev
  > SELECT * FROM import_records LIMIT 1;
3. Notice some of the MARCXML details (title, author, etc), and the
   import_record_id
4. Point your browser to the opac-showmarc.pl URL like this:
   http://kohadev.mydnsname.org:8080/cgi-bin/koha/opac-showmarc.pl?importid=20
=> FAIL: You get the record! (Bonus: no field/subfield takes place)
5. Hide some obvious subfield on the framework for a known (to you)
   biblionumber
6. Point your browser to:
   http://kohadev.mydnsname.org:8080/cgi-bin/koha/opac-showmarc.pl?id=<biblionumber_here>
=> FAIL: No filtering takes place
7. Apply this patch
8. Repeat 4
=> SUCCESS: You get an error because you did a bad request (no id param)
9. Repeat 6
=> SUCCESS: Subfield filtering actually works!
10. Sign off :-D

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-04-27 10:44:10 +01:00

92 lines
2.5 KiB
Perl
Executable file
Raw Blame History

#!/usr/bin/perl
# Copyright 2007 Liblime
#
# This file is part of Koha.
#
# Koha is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# Koha is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Koha; if not, see <http://www.gnu.org/licenses>.
use Modern::Perl;
# standard or CPAN modules used
use CGI qw ( -utf8 );
use Encode;
# Koha modules used
use C4::Context;
use C4::Output;
use C4::Auth;
use C4::Biblio;
use C4::ImportBatch;
use C4::XSLT ();
use C4::Templates;
use Koha::RecordProcessor;
my $input = new CGI;
my ( $template, $loggedinuser, $cookie ) = get_template_and_user({
template_name => "opac-showmarc.tt",
query => $input,
type => "opac",
authnotrequired => ( C4::Context->preference("OpacPublic") ? 1 : 0 ),
debug => 1,
});
my $biblionumber = $input->param('id');
unless ( $biblionumber ) {
print $input->redirect("/cgi-bin/koha/errors/400.pl");
exit;
}
my $biblio;
$biblio = Koha::Biblios->find( $biblionumber, { prefetch => [ 'metadata' ] } );
unless ( $biblio ) {
print $input->redirect('/cgi-bin/koha/errors/404.pl');
exit;
}
my $view= $input->param('viewas') || 'marc';
my $record_processor = Koha::RecordProcessor->new(
{
filters => 'ViewPolicy',
options => {
interface => 'opac',
frameworkcode => $biblio->frameworkcode
}
}
);
my $record = $biblio->metadata->record;
if(!ref $record) {
print $input->redirect("/cgi-bin/koha/errors/404.pl");
exit;
}
$record_processor->process($record);
if ($view eq 'card' || $view eq 'html') {
my $xml = $record->as_xml;
my $xsl = $view eq 'card' ? 'compact.xsl' : 'plainMARC.xsl';
my $htdocs = C4::Context->config('opachtdocs');
my ($theme, $lang) = C4::Templates::themelanguage($htdocs, $xsl, 'opac', $input);
$xsl = "$htdocs/$theme/$lang/xslt/$xsl";
output_html_with_http_headers $input, undef, Encode::encode_utf8(C4::XSLT::engine->transform($xml, $xsl));
}
else { #view eq marc
$template->param( MARC_FORMATTED => $record->as_formatted );
output_html_with_http_headers $input, $cookie, $template->output;
}
View git blame Copy permalink