Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/opac/opac-export.pl
Jared Camins-Esakov 35b6a5ea11 Bug 3652: close XSS vulnerabilities in opac-export 
The opac-export.pl script had a number of XSS vulnerabilities relating
to its error handling.

To test:
1) Go to /cgi-bin/koha/opac-export.pl?op=export&bib=2&format=<h2>evil</h2>
   (substituting a valid biblionumber for the '2')
2) Notice that "evil" is rendered as an h2 heading.
3) Apply patch.
4) Notice that you now see the h2 tags, and they are not rendered by
   the browser.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-10-24 15:40:18 +02:00

98 lines
2.7 KiB
Perl
Executable file
Raw Blame History

#!/usr/bin/perl
# Parts Copyright Catalyst IT 2011
#
# This file is part of Koha.
#
# Koha is free software; you can redistribute it and/or modify it under the
# terms of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later
# version.
#
# Koha is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with Koha; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
use strict;
use warnings;
use C4::Record;
use C4::Auth;
use C4::Output;
use C4::Biblio;
use CGI;
use C4::Auth;
use C4::Ris;
my $query = new CGI;
my $op=$query->param("op")||''; #op=export is currently the only use
my $format=$query->param("format")||'utf8';
my $biblionumber = $query->param("bib")||0;
$biblionumber = int($biblionumber);
my ($marc, $error)= ('','');
$marc = GetMarcBiblio($biblionumber, 1) if $biblionumber;
if(!$marc) {
print $query->redirect("/cgi-bin/koha/errors/404.pl");
exit;
}
elsif ($format =~ /endnote/) {
$marc = marc2endnote($marc);
$format = 'endnote';
}
elsif ($format =~ /marcxml/) {
$marc = marc2marcxml($marc);
$format = 'marcxml';
}
elsif ($format=~ /mods/) {
$marc = marc2modsxml($marc);
$format = 'mods';
}
elsif ($format =~ /ris/) {
$marc = marc2ris($marc);
$format = 'ris';
}
elsif ($format =~ /bibtex/) {
$marc = marc2bibtex(C4::Biblio::GetMarcBiblio($biblionumber),$biblionumber);
$format = 'bibtex';
}
elsif ($format =~ /dc/) {
($error,$marc) = marc2dcxml($marc,1);
$format = "dublin-core.xml";
}
elsif ($format =~ /marc8/) {
($error,$marc) = changeEncoding($marc,"MARC","MARC21","MARC-8");
$marc = $marc->as_usmarc() unless $error;
$format = 'marc8';
}
elsif ($format =~ /utf8/) {
C4::Charset::SetUTF8Flag($marc,1);
$marc = $marc->as_usmarc();
$format = 'utf8';
}
elsif ($format =~ /marcstd/) {
C4::Charset::SetUTF8Flag($marc,1);
($error,$marc) = marc2marc($marc, 'marcstd', C4::Context->preference('marcflavour'));
$format = 'marcstd';
}
else {
$error= "Format $format is not supported.";
}
if ($error){
print $query->header();
print $query->start_html();
print "<h1>An error occurred </h1>";
print $query->escapeHTML("$error");
print $query->end_html();
}
else {
print $query->header(
-type => 'application/octet-stream',
-attachment=>"bib-$biblionumber.$format");
print $marc;
}
View git blame Copy permalink