Main Koha release repository https://koha-community.org
Amit Gupta 50968f4c3f
Bug 37323: Escape characters in patron image picture upload
To test:
1. Create a file named, for example: test.zip`curl xxxxtesting.informaticsglobal.com`.zip
   where the domain is one you can watch the logs from.
2. Go to Tools, click on Upload patron images, choose the zip file option and upload the file.
3. Check /var/log/apache2/access.log and see the curl request with the IP:
   "xx.xxx.xx.xxx - - [11/Jul/2024:23:10:33 +0530] "GET / HTTP/1.1" 200 267 "-" "curl/7.68.0"
4. Apply the patch.
5. Repeat steps 2 and 3 and check that the remote execution error no longer occurs.
6. Test that uploading an actual zip file and images still works.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 5c931e00f73e91467581fd29721e5af8d7fa98ab)
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
2024-08-16 16:22:19 +02:00
acqui Bug 37343: Fixed search for vendors when transferring an item in acquisitions 2024-07-22 07:37:24 +01:00
admin Bug 37263: Fix URL param retrieval 2024-08-02 18:59:56 +02:00
api Bug 36217: Fix background jobs page's include_last_hour filter 2024-08-09 17:36:19 +02:00
authorities Bug 37235: Fix export of single authority record 2024-07-08 17:49:19 +02:00
basket Bug 34478: Add 'op' to sendbasketform 2024-03-01 10:58:53 +01:00
bin
bookings
C4 Bug 37104: (Follow-up) Checks for uninitialized value of 'anonymous_patron' system pref 2024-08-16 16:22:19 +02:00
catalogue Bug 37425: Check for existence of biblio object before fetching cover images 2024-07-25 11:01:29 +01:00
cataloguing Bug 37371: Move Maskito init to onReady in dateaccessioned.pl 2024-07-22 07:33:18 +01:00
circ Bug 37210: Properly escape SQL query parameters by using bind values 2024-08-01 17:26:46 +02:00
clubs Bug 34478: Manual fix - add op clubs/templates-add-modify 2024-03-01 10:57:55 +01:00
course_reserves Bug 28762: Use Koha::Course in course-details controller 2024-07-23 16:04:05 +01:00
debian Bug 29507: Speed up auto renew cronjob via parallel processing 2024-07-05 15:48:11 +02:00
docs Bug 37003: (follow-up) Amend 22.11 RMaint 2024-06-25 18:34:14 +02:00
erm
errors Bug 36148: Improve error handling and restore programming errors 2024-03-01 11:01:06 +01:00
etc Bug 29507: Speed up auto renew cronjob via parallel processing 2024-07-05 15:48:11 +02:00
ill Bug 35106: CSRF fix 2024-04-29 18:53:09 +02:00
installer Bug 37593: Removed all instances of 'this this' in the codebase 2024-08-16 16:22:17 +02:00
Koha Bug 37593: Removed all instances of 'this this' in the codebase 2024-08-16 16:22:17 +02:00
koha-tmpl Bug 37575: Typo 'AutoCreateAuthorites' in about.pl 2024-08-16 16:22:18 +02:00
labels Bug 37206: Removing an item from a label batch should be a CSRF-protected POST operation 2024-07-02 17:20:38 +02:00
lib Bug 35681: Use ::Bootstrap version of FromANSI 2024-05-02 16:47:39 +02:00
members Bug 28924: (QA follow-up) Use $self instead of $patron 2024-07-18 18:25:55 +02:00
misc Bug 37613: (Follow-up) Change the option and documentation to match terminology guidelines 2024-08-12 14:01:07 +02:00
offline_circ Bug 34478: Changes for offline_circ 2024-03-01 10:58:34 +01:00
opac Bug 37339: Set messaging preferences from default on self registration 2024-07-18 17:53:11 +02:00
patron_lists Bug 34478: Changes for patron_lists/add-modify 2024-03-01 10:57:41 +01:00
patroncards Bug 36877: (follow-up) Fix op eq edit to op eq edit_form in edit-batch.pl 2024-05-17 12:03:52 +02:00
plugins Bug 30897: Add option to disable automated restart 2024-04-11 16:53:42 +02:00
pos Bug 33478: Apply formatting to RECEIPT 2024-04-26 20:15:44 +02:00
preservation
recalls Bug 33478: Apply formatting to RECALL_REQUESTER_DET 2024-04-26 20:15:45 +02:00
reports Bug 37108: Cash register statistics wizard is wrongly sorting payment by manager_id branchcode 2024-07-12 10:21:29 +02:00
reserve Bug 30579: Disentangle multi-hold and single bib forms 2024-05-07 15:53:57 +02:00
reviews Bug 37074: Comment approval and un-approval should be CSRF-protected 2024-08-01 17:26:34 +02:00
rotating_collections Bug 34478: Manual fix - add op - rotating_collections/addItems 2024-03-01 10:57:33 +01:00
serials Bug 37247: Fix display of "closed" 2024-08-01 17:26:38 +02:00
services
skel
suggestion Bug 37337: Pass the save $op when biblio_exists 2024-07-18 17:53:12 +02:00
svc Bug 37031: Club enrollment from staff interface fails due to Entrollment typo 2024-07-11 13:40:49 +02:00
t Bug 37575: Typo 'AutoCreateAuthorites' in about.pl 2024-08-16 16:22:18 +02:00
tags Bug 34478: Add 'op' to tags/review 2024-03-01 10:58:25 +01:00
tools Bug 37323: Escape characters in patron image picture upload 2024-08-16 16:22:19 +02:00
virtualshelves Bug 37285: (QA follow-up) Perl Tidy 2024-07-26 13:56:33 +01:00
xt Bug 37018: Add 400 response definition to all routes 2024-08-01 17:26:44 +02:00
.editorconfig
.eslintrc.json Bug 36400: Centralize {js,ts,vue} formatting config in .prettierrc.js 2024-04-22 08:57:39 +02:00
.gitignore Bug 36546: (QA follow-up) Add bundle spec to .gitignore 2024-04-30 15:55:37 -03:00
.htaccess
.mailmap Bug 36943: (follow-up) 24.05.00 - Update .mailmap 2024-05-24 15:36:40 +02:00
.perlcriticrc
.perltidyrc
.prettierrc.js Bug 36400: (follow-up) remove option editorconfig from .prettierrc.js 2024-04-22 08:57:40 +02:00
.proverc.dist
.stylelintrc.json
about.pl Bug 37260: Check message broker for both 'about' and 'sysinfo' tabs 2024-07-22 07:35:31 +01:00
app.psgi Bug 36149: Add userenv middleware to app.psgi 2024-05-14 15:04:37 -03:00
build-resources.PL
changelanguage.pl
cpanfile Bug 25159: Add ability to specify a pre-modified version of action log data and store as diff 2024-05-02 16:47:42 +02:00
cypress.config.ts Bug 36012: Extend cypress's requestTimeout value 2024-03-22 15:07:36 +01:00
fix-perl-path.PL
gulpfile.js Bug 36730: (Bug 35428 follow-up) po files (sometimes) fail to update 2024-05-07 15:53:44 +02:00
help.pl
INSTALL
Koha.pm Bug 36758: DBRev 24.06.00.023 2024-08-09 18:44:52 +02:00
kohaversion.pl
LICENSE
mainpage.pl Bug 30493: (QA follow-up) Fix for the only_my_library case as well 2024-06-21 15:02:54 +02:00
Makefile.PL Bug 36546: Deploy swagger_bundle.json via make 2024-04-30 14:32:10 +02:00
MANIFEST.SKIP
package.json Bug 37303: Replace po2json with a JS version 2024-07-26 14:49:53 +01:00
README
README.md
README.robots
rewrite-config.PL
tsconfig.json
webpack.config.js Bug 35919: Add record sources admin page 2024-04-26 17:06:04 +02:00
yarn.lock Bug 37303: Update yarn.lock after adding new dependency to packages.json 2024-08-05 15:32:23 +02:00

Koha is a free software integrated library system (ILS).

Koha is distributed under the GNU GPL version 3 or later.

Note: Koha does not accept pull requests from git hosting sites.

Note: This project has its own bug tracker; to report a bug or submit a patch, visit http://bugs.koha-community.org.

For guidelines on submitting patches for Koha please visit https://wiki.koha-community.org/wiki/SubmitingAPatch

The developers handbook can be found at https://wiki.koha-community.org/wiki/Developer_handbook

http://koha-community.org/
