David Cook
ff7b6a09de
This change validates and escapes inputs for task scheduler.
Test plan:
0. Apply patch
1. koha-plack --reload kohadev
2. Go to http://localhost:8081/cgi-bin/koha/tools/scheduler.pl
3. Input a time a minute in the future and leave the date blank
4. Choose an existing report and output format
5. Type a malicious string which is also a valid email address
into the Email field
6. Click "Save"
7. Note that the job is added but the Email is wrapped in single
quotes
8. Try using a non-malicious email address with a single quote.
9. Note that the single quote is escaped, so that it will still
be used by runreport.pl
JD amended patch: tidy
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Removed pars for $email =~ regex, removed old commented lines.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| csv-profiles | ||
| access_files.pl | ||
| additional-contents.pl | ||
| ajax-inventory.pl | ||
| automatic_item_modification_by_age.pl | ||
| background-job-progress.pl | ||
| batch_delete_records.pl | ||
| batch_extend_due_dates.pl | ||
| batch_record_modification.pl | ||
| batch_records_ajax.pl | ||
| batchMod.pl | ||
| cleanborrowers.pl | ||
| copy-holidays.pl | ||
| csv-profiles.pl | ||
| exceptionHolidays.pl | ||
| export.pl | ||
| holidays.pl | ||
| import_borrowers.pl | ||
| inventory.pl | ||
| letter.pl | ||
| manage-marc-import.pl | ||
| marc_modification_templates.pl | ||
| modborrowers.pl | ||
| newHolidays.pl | ||
| overduerules.pl | ||
| page.pl | ||
| picture-upload.pl | ||
| problem-reports.pl | ||
| quotes-upload.pl | ||
| quotes.pl | ||
| scheduler.pl | ||
| showdiffmarc.pl | ||
| stage-marc-import.pl | ||
| stockrotation.pl | ||
| tools-home.pl | ||
| upload-cover-image.pl | ||
| upload-file.pl | ||
| upload.pl | ||
| viewlog.pl | ||