David Cook
dcd698a4b4
This change validates and escapes inputs for task scheduler. Test plan: 0. Apply patch 1. koha-plack --reload kohadev 2. Go to http://localhost:8081/cgi-bin/koha/tools/scheduler.pl 3. Input a time a minute in the future and leave the date blank 4. Choose an existing report and output format 5. Type a malicious string which is also a valid email address into the Email field 6. Click "Save" 7. Note that the job is added but the Email is wrapped in single quotes 8. Try using a non-malicious email address with a single quote. 9. Note that the single quote is escaped, so that it will still be used by runreport.pl JD amended patch: tidy Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> [EDIT] Removed pars for $email =~ regex, removed old commented lines. Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> |
||
|---|---|---|
| .. | ||
| csv-profiles | ||
| access_files.pl | ||
| additional-contents.pl | ||
| ajax-inventory.pl | ||
| automatic_item_modification_by_age.pl | ||
| batch_delete_records.pl | ||
| batch_extend_due_dates.pl | ||
| batch_record_modification.pl | ||
| batch_records_ajax.pl | ||
| batchMod.pl | ||
| cleanborrowers.pl | ||
| copy-holidays.pl | ||
| csv-profiles.pl | ||
| exceptionHolidays.pl | ||
| export.pl | ||
| holidays.pl | ||
| import_borrowers.pl | ||
| inventory.pl | ||
| letter.pl | ||
| manage-marc-import.pl | ||
| marc_modification_templates.pl | ||
| modborrowers.pl | ||
| newHolidays.pl | ||
| overduerules.pl | ||
| page.pl | ||
| picture-upload.pl | ||
| problem-reports.pl | ||
| quotes-upload.pl | ||
| quotes.pl | ||
| scheduler.pl | ||
| showdiffmarc.pl | ||
| stage-marc-import.pl | ||
| stockrotation.pl | ||
| tools-home.pl | ||
| upload-cover-image.pl | ||
| upload-file.pl | ||
| upload.pl | ||
| viewlog.pl | ||