Marcel de Rooy [Fri, 14 Feb 2025 07:27:13 +0000 (07:27 +0000)]
Bug 36081: (QA follow-up) Resolve IsNotDebit exception in ArticleRequests.t
Resolve (when running ArticleRequests.t):
Exception 'Koha::Exceptions::Account::IsNotDebit' thrown 'Account line 326 is not a debit'
This occurs after switching from ArticleRequest->new to TestBuilder.
TestBuilder creates an account line that has a credit_type_code and
a debit_type_code. (This could be fixed further somewhere else.)
For now, just setting debit_id to NULL.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Jonathan Druart [Mon, 10 Feb 2025 10:31:34 +0000 (11:31 +0100)]
Bug 36081: Fix some failing tests
Signed-off-by: Magnus Enger <magnus@libriotech.no>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Jonathan Druart [Fri, 31 Jan 2025 13:42:49 +0000 (14:42 +0100)]
Bug 36081: Mock format
Signed-off-by: Magnus Enger <magnus@libriotech.no>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Jonathan Druart [Fri, 31 Jan 2025 13:10:03 +0000 (14:10 +0100)]
Bug 36081: Force TestBuilder to generate a valid format value
Signed-off-by: Magnus Enger <magnus@libriotech.no>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Jonathan Druart [Thu, 30 Jan 2025 15:48:40 +0000 (16:48 +0100)]
Bug 36081: Use multivalue_preference
C4::Context->multivalue_preference is not used so far and split on |
However the values of "multiple" sysprefs are separated by... comma!
Let's support both here.
This patch also removes silly JS code in the template.
Signed-off-by: Magnus Enger <magnus@libriotech.no>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Marcel de Rooy [Tue, 13 Feb 2024 13:32:06 +0000 (13:32 +0000)]
Bug 36081: Check SupportedFormats server side
Test plan:
Add article request with format via OPAC.
Run t/db_dependent/Koha/ArticleRequest.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Magnus Enger <magnus@libriotech.no>
Tests in t/db_dependent/Koha/ArticleRequest.t pass. I can add an
article request with a type. If I allow PHOTOCOPY but change the
HTML in the OPAC form so SCAN is submitted I get a nice (but
somewhat generic) error.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Bug 28907: REST - Drop support for allow-owner functionality
...and allow-guarantor functionality. Replaced by $c->auth->public($patron_id)
and/or $c->auth->public_guarantor($patron_id), where $patron_id is the patron's
id that owns the requested resource.
Old method, was applicable to both privileged and public routes:
New method, use public routes with no x-koha-authorization:
GET /public/route/{patron_id}
Koha/REST/V1/Controller#public_action:
sub public_action {
    my $c = shift->openapi->valid_input or return;
    my $patron_id = $c->param( 'patron_id' );
    try {
        # Throws an exception that will render a response of 401 if not
        # authenticated and 403 if trying to access another user's resources
        $c->auth->public($patron_id); # or $c->auth->public_guarantor($patron_id)
        ...
        # other code
        ...
    }
    catch {
        $c->unhandled_exception($_);
    };
}
Another example of retrieving $patron_id when patron_id is not a request
parameter:
GET /public/another/object/{another_object_id}
my $patron_id = Another::Object->find($another_object_id)->borrowernumber;
try {
    # 403 if $another_object_id does not belong to API user
    $c->auth->public($patron_id);
    ...
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
https://bugs.koha-community.org/show_bug.cgi?id=28907
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
David Cook [Thu, 20 Feb 2025 00:04:39 +0000 (00:04 +0000)]
Bug 39170: Improve validation of report ID
This change improves the validation of the report ID passed by the user.
Test plan:
0. Apply the patch
1. koha-plack --restart kohadev
2. Create a SQL report
3. Go to /cgi-bin/koha/tools/scheduler.pl
4. Add in a Time, Date, and Email
5. Choose your report from the list
6. Click "Save"
7. Note that your report is saved
Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: JesseM <jesse@bywatersolutions.com>
David Cook [Mon, 18 Nov 2024 04:46:31 +0000 (04:46 +0000)]
Bug 38469: Replace single quotes with double quotes to prevent XSS
This change replaces single quotes with double quotes to prevent XSS
for particular operations on the circ returns page.
Test plan:
0. Apply the patch
1. Go to http://localhost:8081/cgi-bin/koha/circ/returns.pl?print_slip=1&reserve_id=1
2. Note that a print slip is generated
(you may need to allow popups)
3. To test the XSS is patched, try the proof-of-concept from the
bug report
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Baptiste Wojtkowski <baptiste.wojtkowski@biblibre.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: JesseM <jesse@bywatersolutions.com>
Magnus Enger [Wed, 4 Sep 2024 06:13:05 +0000 (08:13 +0200)]
Bug 37816: Stop SIP2 from logging passwords
Koha's SIP2 server does a lot of logging, including all incoming
requests, in full. This means that passwords are logged, both for
the user the SIP2 client uses for logging into Koha, as well as
for the end users who provide a password to e.g. check something
out. This patch replaces passwords with three asterisks in
log strings, before they are written to the log.
To test, in ktd:
- Run the new tests:
$ prove t/db_dependent/SIP/Sip.t
- Tail the SIP2 logs:
$ sudo tail -f /var/log/koha/kohadev/sip*.log
- Telnet into the SIP2 server:
$ telnet localhost 6001
- Try logging in by pasting this into the telnet session:
"9300CNterm1|COmypassword|CPCPL|"
- Verify that "mypassword" is replaced by "***" in the logs
- Try different values for the password, including the correct password
which is "term1" in ktd
- Try other SIP2 messages that include password fields (AC, AD, CO)
Update 2024-12-03: Fix issues pointed out by QA.
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
(cherry picked from commit cb20df02a8baf02c9f7de52f37c44f33f6e371eb)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Jesse Maseto <jesse@bywatersolutions.com>
Signed-off-by: JesseM <jesse@bywatersolutions.com>
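The masking the commit above describes, as an added illustration that is not Koha's own code: a small Python redactor that replaces the value of the SIP2 password fields the commit names (AC, AD, CO) with "***" before a message is written to the log. The sample log lines are constructed, the function names are mine, and the assumption that no SIP2 message places a password field before its first "|" is mine as well.

```python
import re

# SIP2 variable-length fields that carry a secret (the ones the commit names):
# CO login password (93 Login), AC terminal password, AD patron password.
SECRET_FIELDS = frozenset({"AC", "AD", "CO"})
MASK = "***"

# Constructed sample log lines, not real Koha SIP server output. The item id in
# the second line deliberately starts with "AD" to show it is left alone.
SAMPLE_LOG_LINES = [
    "INPUT MSG: '9300CNterm1|COmypassword|CPCPL|'",
    "INPUT MSG: '11YN20240904    061305AOCPL|AA23529000035676|ABADVENTURE1|ACterm1|ADsecret42|AY2AZEFA2|'",
    "INPUT MSG: '2300120240904    061305AOCPL|AA23529000035676|AC|AD|AY3AZF0A1|'",
    "Connection from 127.0.0.1",
]


def redact_sip_message(msg: str) -> str:
    """Replace the value of every password field in a SIP2 message with MASK.

    Each variable-length field is '<2-char id><value>|', so splitting on '|'
    gives one chunk per field and the field id is the chunk's first two
    characters; a value that merely contains "AD" is therefore never matched.
    The chunk before the first '|' holds the command code and fixed-length
    fields; assumption (from the SIP2 message layouts): no message puts a
    password field there. MASK has a fixed length and is applied to empty
    passwords as well, so the log reveals neither the password nor its length.
    """
    chunks = msg.split("|")
    for i in range(1, len(chunks)):
        if chunks[i][:2] in SECRET_FIELDS:
            chunks[i] = chunks[i][:2] + MASK
    return "|".join(chunks)


_QUOTED = re.compile(r"'([^']*)'")


def redact_log_line(line: str) -> str:
    """Redact every single-quoted SIP2 message in a log line; other lines pass through."""
    return _QUOTED.sub(lambda m: "'" + redact_sip_message(m.group(1)) + "'", line)


def redact_log(lines):
    """Redact a sequence of log lines, preserving order."""
    return [redact_log_line(line) for line in lines]


if __name__ == "__main__":
    for line in redact_log(SAMPLE_LOG_LINES):
        print(line)
```

The redaction is keyed on field position rather than on a regex over the whole line, so a barcode or title that happens to contain "AD" or "CO" is not mangled, and the correct ktd password "term1" is masked just like a wrong one.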
David Cook [Mon, 18 Nov 2024 05:15:26 +0000 (05:15 +0000)]
Bug 38470: Add missing double quotes to some Javascript
This change adds some double quotes where quotes were missing,
and replaces single quotes with double quotes, which prevents XSS.
Test plan:
0. Apply the patch
1. Create a subscription
2. Using the ID from the subscription, go to this page:
http://localhost:8081/cgi-bin/koha/serials/subscription-detail.pl?
print_routing_list_issue=1&subscriptionid=<SUBSCRIPTIONID>
3. Note that you're able to generate a print slip
(You may need to allow popups)
4. To check the security vulnerability is fixed, try the proof-of-concepts
attached to the bug report
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit e4295598a2b07f5e102b0fec4c206c0b4f394525)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 9933fb21e9f303a1033df67184b375a7febad5a4)
Signed-off-by: JesseM <jesse@bywatersolutions.com>
David Cook [Mon, 18 Nov 2024 04:14:37 +0000 (04:14 +0000)]
Bug 38468: Add double quotes to some template strings
This change adds double quotes to some template strings where
quotes are missing altogether or single quotes are used incorrectly.
Test plan:
0. Apply the patch
1. Go to http://localhost:8081/cgi-bin/koha/catalogue/search.pl?q=test
2. Click on "Gairm"
3. Use the search result navigation box to go to the next result
On the left of the page. Just below the breadcrumb and
left of the record title.
4. Note that everything loads correctly
5. To test that the security hole has been fixed, try some of the
proof-of-concept attacks provided for biblionumber and searchid
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Baptiste Wojtkowski <baptiste.wojtkowski@biblibre.com>
Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 6456c0b98d5f1767c8e4d9b389a5ca11264effdc)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 1065ec6aabb4f6a8d07f0ec960367456d1452ca6)
Signed-off-by: JesseM <jesse@bywatersolutions.com>
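An added illustration (mine, not Koha's code) of why the three quoting fixes above (bugs 38468, 38469 and 38470) matter: a Python mimic of a Template Toolkit "html" filter, assumed here to escape only &, <, > and the double quote, rendered into a JavaScript assignment whose value is unquoted, single-quoted or double-quoted. The check then asks whether the rendered statement is still one piece of data. The sample values are constructed ("Gairm" is the title from the test plan above) and the function names are mine.

```python
import re


def tt_html_filter(value: str) -> str:
    """Assumption: mimics Template Toolkit's html filter, which escapes &, <, >
    and the double quote but leaves the single quote untouched."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def render_js_assignment(value: str, quote: str) -> str:
    """What the template emits for:  var x = <quote>[% value | html %]<quote>;
    quote is "'" (single), '"' (double) or "" (the missing-quotes case)."""
    return "var x = " + quote + tt_html_filter(value) + quote + ";"


def literal_is_intact(rendered: str, quote: str) -> bool:
    """True if the emitted value is still a single string (or number) literal.

    With a delimiter, the value must contain neither that delimiter nor a
    backslash, otherwise the literal ends early and the remainder is parsed as
    code. Unquoted, only a plain number is data; any other value is read as
    JavaScript, so it can never be considered intact.
    """
    if quote == "":
        return re.fullmatch(r"var x = \d+;", rendered) is not None
    body = re.compile(r"var x = " + quote + r"([^" + quote + r"\\]*)" + quote + r";")
    return body.fullmatch(rendered) is not None


# Constructed inputs: a title, a surname with an apostrophe, a value with
# double quotes and a numeric id.
SAMPLE_VALUES = ["Gairm", "O'Brien", 'say "hi"', "12"]
QUOTES = {"unquoted": "", "single": "'", "double": '"'}


def audit(values=SAMPLE_VALUES):
    """Map each (value, quoting style) to whether the rendered literal survives."""
    return {(v, name): literal_is_intact(render_js_assignment(v, q), q)
            for v in values for name, q in QUOTES.items()}


if __name__ == "__main__":
    for (value, style), ok in audit().items():
        print(f"{style:9} {value!r:14} -> {'intact' if ok else 'BROKEN'}")
```

The legitimate surname O'Brien is enough to terminate a single-quoted literal, because the html filter never touches the apostrophe; the same value inside double quotes stays data, since the filter turns every double quote into &quot;. The check still treats a backslash as breaking the literal, which the html filter also leaves alone; a JSON encoder on the value is the stricter option when one is available.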
David Cook [Thu, 17 Oct 2024 05:35:56 +0000 (05:35 +0000)]
Bug 37727: Prevent CSV Formula injection via DataTables
This change prevents CSV Formula injection on DataTables exports
by escaping formulas with a single quote prefix as per OWASP recommendations.
Test plan:
0. Apply patch
1. Go to http://localhost:8081/cgi-bin/koha/members/memberentry.pl
?op=edit_form&destination=circ&borrowernumber=51
2. Add the following in a "Circulation note"
=SUM(1+1)
3. Go to http://localhost:8081/cgi-bin/koha/members/member.pl
?quicksearch=1&circsearch=1&searchmember=koha
4. Click "Export" and choose "Excel" and "CSV"
5. Open those downloaded files in Excel
6. Note that the =SUM(1+1) function is prefixed with a single quote,
and is not automatically executed
Signed-off-by: Magnus Enger <magnus@libriotech.no>
Works as advertised. The problematic "cell" is exported as "'=SUM(1+1)".
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit dcb5cc10512ebbc2887bf8a3a3ebbaacf8fec553)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 1ed737eb401e24d1986a61a72a3e918694b6d9a9)
Signed-off-by: JesseM <jesse@bywatersolutions.com>
David Cook [Mon, 26 Aug 2024 01:22:12 +0000 (01:22 +0000)]
Bug 37724: Remove Koha version number from OPAC
This change removes the Koha version number from the OPAC generator
metadata.
Test plan:
0. Apply patch
1. Enable syspref SelfCheckInModule
2. Visit /cgi-bin/koha/opac-main.pl and confirm meta tag doesn't
include version number
3. Visit /cgi-bin/koha/sci/sci-main.pl and confirm meta tag doesn't
include version number
4. Visit /cgi-bin/koha/sco/sco-main.pl) and confirm meta tag doesn't
include version number
5. Click "Help" and confirm meta tag doesn't include version number
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 3d2b98e8894175fddc02a021e8bebe4db6bc30ca)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Kyle M Hall [Thu, 27 Jul 2023 16:30:54 +0000 (12:30 -0400)]
Bug 33339: Prevent Formula Injection (CSV Injection) in CSV files
The system is vulnerable to Formula Injection attacks as the data
stored within the database and exported as CSV/Excel is not being
sanitized or validated against implanted formula payloads
This patch modifies all uses of Text::CSV and derived classes to pass
the "formula" parameter with value of "empty" which replaces formulas
by empty string.
Test Plan:
1) Apply this patch
2) For guided_reports.pl, attempt to export CSV where you've set a column to a formula somehow
( such as "=1+3" )
3) Export that CSV file
4) Note the formula has not been exported
5) Repeat this plan for the remaining scripts that export CSV files
where users can define the outputted data
Signed-off-by: Magnus Enger <magnus@libriotech.no>
Fixed two conflicts. I have tested that this works as advertised on:
- Reports (Download > Comma separated text (.csv)) [Text::CSV::Encoded]
- Circulation > Overdues > Download file of all overdues [Text::CSV_XS]
- misc/export_borrowers.pl [Text::CSV]
This covers all modules used, and both GUI and command line.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Change none to empty in the commit message! None is the default,
doing nothing. Empty clears the formulas.
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 96152682bf30fb896a5bef804e39565604f9363f)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
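The two formula-neutralising strategies described on this page, as an added Python example that is neither Koha's code nor Text::CSV: bug 37727's single-quote prefix following the OWASP guidance, and the cell-emptying behaviour that the bug 33339 commit describes for Text::CSV's formula => "empty". The trigger characters follow the OWASP list, which is broader than a bare leading "="; the patron rows are constructed and the function names are mine.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula (OWASP CSV injection guidance): = + - @ plus tab and carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export (patron search results, as in the bug 37727 test plan).
SAMPLE_ROWS = [
    ["cardnumber", "surname", "borrowernotes"],
    ["23529000035676", "Smith", "=SUM(1+1)"],
    ["23529000035677", "Jones", "-2 items overdue"],
    ["23529000035678", "Lee", "regular note, with a comma"],
]


def is_formula(value) -> bool:
    """A string cell that a spreadsheet would evaluate rather than display."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value, mode="quote"):
    """mode="quote": prefix a single quote so the spreadsheet shows the text
    verbatim (bug 37727). mode="empty": replace the cell with an empty string,
    the behaviour the bug 33339 commit describes for formula => "empty"."""
    if not is_formula(value):
        return value
    if mode == "quote":
        return "'" + value
    if mode == "empty":
        return ""
    raise ValueError(f"unknown mode {mode!r}")


def export_csv(rows, mode="quote") -> str:
    """Serialise rows to CSV text, neutralising every cell before it is quoted
    by the CSV writer, so the prefix is the first character the spreadsheet sees."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell, mode) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS, "quote"))
    print(export_csv(SAMPLE_ROWS, "empty"))
```

The quote mode alters legitimate data that starts with a trigger character (the "-2 items overdue" note, or a negative number stored as text), which is the trade-off against the empty mode, where such cells are dropped entirely; either way the decision is made on the raw cell value, before CSV quoting is applied.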
Jonathan Druart [Wed, 23 Oct 2024 10:12:13 +0000 (12:12 +0200)]
Bug 38234: Remove unused jszip.min.js file
This specific file is not used since Bug 23013 ("Upgrade DataTables in the staff client")
This version is vulnerable and should not be used in the future anyway.
There is a version embedded in our DataTables bundle, which is jszip-3.10.1.
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 606a24c1978078fecd923cf32deff7e56dab47d7)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Bug 37737: [23.11] Fixed report permissions to prevent disallowed duplication
Test plan:
1. Checkout 23.11
2. Create a report
3. Create a user with staff login and run reports permissions
4. Log in as your new user
5. Preview the SQL of the report
6. In the preview modal, select Duplicate report
7. Apply patch
8. Repeat steps 4-6.
9. You should be prompted to login.
Signed-off-by: Brendan Lawlor <blawlor@clamsnet.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 87817b1e0ad1689eb8bbfc93e46355d5e376632f)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Artur [Sat, 7 Sep 2024 16:12:05 +0000 (18:12 +0200)]
Bug 37861: Fix XSS vulnerability in barcode append function
When user inputs were appended directly to the barcode table, the values were not properly escaped, allowing potential XSS attacks. This patch ensures that user inputs are sanitized and safely added to the DOM using .text() and .attr() methods to prevent script injection.
To test:
Enable the "SelfCheckInModule".
Open the barcode input form.
Enter a barcode with HTML or script tags.
Without the patch, observe that the script is executed.
Apply the patch.
Repeat step 2.
Verify that the input is escaped and no script execution occurs.
Check that the barcode is properly appended to the table.
Documentation:
No updates required.
Sponsored-by: KillerRabbitAos
Signed-off-by: Bo Gustavsson <bosse@gustavsson.one>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit b576548223badb76272e9f28c1b24ca0e87caebf)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Andreas Jonsson [Thu, 16 May 2024 07:38:09 +0000 (09:38 +0200)]
Bug 36879: Spurious warning in QueryBuilder
Test plan:
With ElasticSearch enabled,
* Perform a search using the default sort order
(i.e. 'relevance').
* Verify that no warnings are generated in
plack-intranet-error.log
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 85ae71cfd4226a5af93f5650aae6ced34f1b8136)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Sam Lau [Thu, 6 Jun 2024 14:29:54 +0000 (14:29 +0000)]
Bug 37044: Added library branch to SCO OPAC message
This patch simply adds the correct branch at the end of an OPAC message on the SCO page.
To Test:
1) From the staff interface, click on a patron and add an OPAC message
to their account.
2) Log into the SCO with this patron.
(http://localhost:8080/cgi-bin/koha/sco/sco-main.pl)
3) Notice how in the "Messages for you" at the top, you will see the
message, however, at the timestamp, it says something like "Written
on 06/06/2024 by " w/o listing the library that sent it.
4) Apply patch
5) Log back into SCO module
6) Note that now in the message timestamp, it correctly lists the
library that sent the message.
7) Sign-off
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 4801037abe0f8d294eb03503c2b5a275ed06f62a)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit da490f117af20f4307d2c62e01bc1db7bc0b7695)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit b70ac8205a89154565302d76e308b440c060f328)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Eric Garcia [Tue, 25 Jun 2024 17:18:13 +0000 (17:18 +0000)]
Bug 35240: Add missing IDs to input
1. Tools -> Rotating collections -> Edit collection
2. Use browser dev tools to notice that the inputs don't have matching
IDs
3. Apply patch
4. Do step 2 again and notice IDs are no longer missing.
5. Sign off :)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 21a66bf17c867734271e57c9f06b0b3e619d9ff0)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 27cbe1d0cf85a79ac57505452189d025f5841437)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 87a5eb7f17abf5b9c413f27303cba9ed92b0187e)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Nick Clemens [Wed, 8 May 2024 13:22:58 +0000 (13:22 +0000)]
Bug 34444: [22.11.x] Correct handling of sort1 and sort2 values
Removed extraneous sort_1 data elements
Update selectors to use field names for statistics field
Updated code to set the value after finding the correct selector
To test:
* Make sure you have at least 2 funds with different stat settings, using AV and not
* Create a basket with an order line
* Close it and receive shipment
* Create an invoice and receive the order line
* Finish receiving
* Click "Modify fund"
* Switch fund, verify the stat fields are updated accordingly
* Change values for statistical values
* Update fund
* Edit fund again, pull downs are correct
* Change values in form and close, do not update
* Click 'Modify fund' - confirm form is filled with the saved values
Marion Durand [Wed, 6 Oct 2021 12:49:58 +0000 (14:49 +0200)]
Bug 25387: Warn when merging different authority types
Merging two different authorities types can result in the loss of some
field. This patch adds a warning when merging different type of
authorities and add more display of authorities types during merge.
To test:
1- Find two authorities you want to merge. Be sure that these
authorities have different types
2- Search for these authorities (be sure to have both results on the
results page)
3- For the first authority click on "Actions" then on "Merge", same for
the second one
4- Check that koha is asking you to choose a framework and that
authority types are not displayed
5- Choose a framework, then click on next
6- Check that the authority type is not displayed in the tabs and that
no warning appears
7- Apply the patch
8- Repeat step 1 to 3 again
9- Check that authority type is now displayed next to their ID
10- Repeat step 5 again
11- Check that the authority types are now displayed in the tabs next to
their ID and that a warning appears
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit b2ae5380b0741e1d2277a58f264df88f243ecadb)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 8e7ea9baafcba3e02a4c13ba707b4f45abf5c695)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 7ea807117eef9b7cfd83036cfe9e66c21e5c6273)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Bug 30493: Pending archived suggestions appear on intranet home page
If suggestions are archived before their status is changed to something other than "Pending", they still appear on the intranet home page and the acquisitions home page as suggestions to be managed.
WITHOUT PATCH:
1. Go to Acquisitions > Suggestions
2. Click on New purchase suggestion
3. Fill in the form (title only is fine)
4. Click on Submit your suggestion
5. Go to the home page (click the Koha logo)
--> Notice it says that there is 1 pending suggestion
6. Go to Acquisitions
--> Notice it says that there is 1 pending suggestion
7. Go to Suggestions
8. Click on the up arrow to the right of the Edit button and choose Archive
--> There are no more pending suggestions
9. Go to the home page (click the Koha logo)
--> Notice it says that there is 1 pending suggestion
10. Go to Acquisitions
--> Notice it says that there is 1 pending suggestion
The search function was fetching suggestions without considering the
"archived" field. I now pick only suggestions that are pending AND not
archived.
WITH PATCH:
9. Go to the home page (click the Koha logo)
--> Notice it says that there is no pending suggestion
10. Go to Acquisitions
--> Notice it says that there is no pending suggestion
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit e87f4cd550e60d7955551abf44f4dd9c1fd332d5)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 5db98bbd65bc0498bbb916c148076b258e5135ad)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 619db47e3fe3b590f85643840e49770acf2f7149)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Brendan Lawlor [Thu, 6 Jun 2024 13:14:43 +0000 (13:14 +0000)]
Bug 35294: Fix typos in catalogue code comments
Test plan:
1. git grep -n -E 'barocode|preproccess' to find the files and line # of typos
2. Apply the patch
3. git grep -E 'barocode|proccess'
4. See no results
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit e8ef0f9417588345d6c9f7e2e5986e4e53986f52)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 96097d8058f6de34036fc4b26dec83c485ed08d9)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit e471583547d42555f73ed2013ebe2883460ef460)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Janusz Kaczmarek [Wed, 22 May 2024 21:08:35 +0000 (21:08 +0000)]
Bug 36930: Item search gives irrelevant results when using 2+ added filter criteria
In the Item search the librarian is allowed, in the first step, to define
additional filters like Title, Author, Publisher, Publication date etc.
(in the third fieldset). This works fine but only for one criterion.
If one adds two or more criteria, the filter does not apply at all.
Test plan
=========
1. Make an Item search with the Publisher filter. Put
%University of California% as the value.
You should get 5 rows (with standard ktd test data set), three
from 1982, and two from 1988.
2. Edit search -> add the second criterion: AND Publication date is 1982.
You would expect three rows but you get 900+ rows.
3. Apply the patch; restart_all.
4. Repeat p. 2. You should get the expected three rows.
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit bdc7ac2c93f9af9ac196c77da47758a1078c47d7)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit dca760d5b24428143a0e0de7b52c131c813488fc)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit fc8c2ac8c1c8cf01d43d7b7363cb53237bd361bf)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Matt Blenkinsop [Thu, 23 May 2024 09:23:10 +0000 (09:23 +0000)]
Bug 36937: Remove warning from unit tests
This patch fixes a warning in the unit tests
Test plan:
1) prove t/db_dependent/api/v1/password_validation.t
2) There will be a warning in the output - 'Use of uninitialized value $status in numeric eq (==)'
3) Apply patch
4) Re-run the test
5) The warning will disappear
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 0af87f009f5e66ee82ea33767489ef4158820377)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
David Nind [Mon, 3 Jun 2024 02:01:30 +0000 (02:01 +0000)]
Bug 30715: Terminology for the log viewer - use 'Staff interface' instead of 'Intranet'
The log viewer (Tools > Additional tools > Log viewer) uses
'Intranet' as:
- an option for filtering what log entries to display.
- a value in the log entries interface column, for log entries.
Koha's terminology guideline is to use 'Staff interface' instead of
'Interface' (https://wiki.koha-community.org/wiki/Terminology#I).
Test plan:
1. Perform some actions that will create log entries when using the
staff interface. For example:
1.1 Enable the UseRecalls system preference.
1.2 Edit the title for a record.
1.3 Add an item for a record.
2. Use the log viewer to view the logged changes:
2.1 Go to Tools > Additional tools > Log viewer.
2.2 Select Submit.
2.3 Log entries are displayed for the changes made.
3. Note that:
3.1 For the log viewer 'Interface' filter options, "All" is
selected by default, and other options are Intranet, OPAC,
SIP, Command-line, REST API, and Cron job.
3.2 For the changes viewed in step 2, the value displayed in
the 'Interface' column is 'Intranet'.
4. Apply the patch.
5. Refresh the page.
6. Note that:
5.1 For the interface filter options, 'Intranet' is now changed
to 'Staff interface'.
5.2 In the list of log entries, the value in the interface column
is now 'Staff interface'.
7. Sign off D:
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit ec8465eb1021537ca3f09d0db423e605acd868db)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
This patch moves the error check right before the ->check_columns call.
This is how main and 24.05 behave. 23.11 doesn't have bug 35907
backported so things are not exactly the same. With this patch tests
pass and the only difference in behavior is logging.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Nick Clemens [Mon, 12 Aug 2024 12:10:12 +0000 (12:10 +0000)]
Bug 37508: Don't return Internal server error when running report
To test:
1 - Create a report like:
SELECT "a"
FROM borrowers
WHERE <<Test>> != ''
2 - Run report
3 - Enter "password"
4 - Internal server error / stacktrace
5 - Apply patch
6 - Repeat
7 - Get a yellow warning box
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
David Cook [Wed, 7 Aug 2024 01:15:10 +0000 (01:15 +0000)]
Bug 37508: Test for errors when returning an aliased password column
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Bug 37508: Throw error if password column is detected in SQL report
This enhancement prevents SQL queries from being run if they would return a password field from the database table.
To test:
1. Run tests and notice they fail t/db_dependent/Reports/Guided.t
2. Apply patch and restart services
3. Create a public report with an SQL report which would access a password column in a database table
4. Try to run the report. Notice you are met with an error and the results are not shown.
5. Access the JSON URL, you should not get the results and should be shown an error
6. Confirm tests pass t/db_dependent/Reports/Guided.t
Sponsored-by: Reserve Bank of New Zealand
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Bug 37370: Return 400 if OpacExportOptions does not contain the passed format
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
David Cook [Thu, 25 Jul 2024 06:44:37 +0000 (06:44 +0000)]
Bug 37466: Add correct filter for sort_by in results.tt
This patch replaces the $raw filter with the correct uri filter
for the sort_by in results.tt
Test plan:
1. Apply patch
2. Go to /cgi-bin/koha/catalogue/search.pl?count=20&sort_by=popularity_dsc&idx=kw&q=1
3. Click on "Edit this search"
4. Note that the "Popularity (most to least)" Sort by option is selected
5. Go to /cgi-bin/koha/catalogue/search.pl?count=20&sort_by=popularity_dsc&idx=kw&q=24y24ty2498294t9824yt9y23
6. Click on "Edit this search"
7. Note that the "Popularity (most to least)" Sort by option is selected
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
David Cook [Thu, 25 Jul 2024 06:56:18 +0000 (06:56 +0000)]
Bug 37464: Validate "type" sent to barcode/svc
This change validates the "type" sent to the barcode/svc. Without this
change, we pass the user input directly to GD::Barcode, which passes
the input into an eval{} block without any validation of its own.
Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=bad&barcode=123456
3. Note that a Code39 barcode is provided for an invalid type
4. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=Code39&barcode=123456
5. Note that a Code39 barcode is provided
6. Go to http://localhost:8081/cgi-bin/koha/svc/barcode?type=UPCE&barcode=123456
7. Note that a non-Code39 barcode is provided (presumably UPCE)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
David Cook [Fri, 26 Jul 2024 04:01:43 +0000 (04:01 +0000)]
Bug 37488: Validate paths in datalink.txt/idlink.txt files
This change validates the paths in datalink.txt/idlink.txt,
so that only images in the unpacked archive directory are allowed
Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Create a datalink.txt file with the following:
42,selfie.jpg
3. Create a jpeg at selfie.jpg
4. ZIP the datalink.txt and selfie.jpg files
5. Upload to the "Upload patron images" tool
(after enabling the "patronimages" system preference)
6. Note that the image uploads correctly
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
David Cook [Fri, 26 Jul 2024 03:27:22 +0000 (03:27 +0000)]
Bug 37323: Tidy
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Chris Cormack [Thu, 18 Jul 2024 23:57:32 +0000 (23:57 +0000)]
Bug 37323: Don't allow symlinks in link files in zip and validate filepaths
Test plan:
0. Apply patch and restart/reload Koha
1. Test that uploading a patron image still works, in single file format and as a zip
Work as suggested
Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
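The path checks described in Bug 37488 and Bug 37323 above (only files inside the unpacked archive directory, no symlinks), written out as an added example. This is not Koha's own code: the helper name is hypothetical, and the checks are a defensive reading of the two commit messages.

```perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical helper (not Koha's code): given the directory the archive was
# unpacked into and the file name from a "cardnumber,filename" line, return
# the validated absolute path or die with the reason it was refused.
sub validated_image_path {
    my ( $unpack_dir, $name ) = @_;

    # Reject absolute names and any ".." component before touching the disk.
    die "absolute path not allowed: $name\n"
        if File::Spec->file_name_is_absolute($name);
    die "parent directory reference not allowed: $name\n"
        if grep { $_ eq '..' } File::Spec->splitdir($name);

    my $candidate = File::Spec->catfile( $unpack_dir, $name );

    # A symlink packed into the zip could point anywhere on the server.
    die "symlinks are not allowed: $name\n" if -l $candidate;
    die "not a regular file: $name\n" unless -f $candidate;

    # Resolve both sides and insist the file really lives under the directory.
    my $base = realpath($unpack_dir) or die "cannot resolve $unpack_dir\n";
    my $real = realpath($candidate)  or die "cannot resolve $candidate\n";
    die "path escapes archive directory: $name\n"
        unless index( $real, "$base/" ) == 0;

    return $real;
}

# Self-check on a constructed temporary directory.
my $dir = tempdir( CLEANUP => 1 );
open my $fh, '>', "$dir/selfie.jpg" or die "cannot create test file: $!";
print {$fh} "constructed placeholder, not a real jpeg\n";
close $fh;
symlink '/etc/hostname', "$dir/link.jpg"    # constructed hostile entry
    or warn "symlink not created: $!\n";

for my $line ( '42,selfie.jpg', '43,../outside.jpg', '44,link.jpg', '45,/etc/passwd' ) {
    my ( $cardnumber, $file ) = split /,/, $line, 2;
    my $path = eval { validated_image_path( $dir, $file ) };
    print "$line => ", ( defined $path ? "accepted ($path)\n" : "rejected: $@" );
}
```

Only the first constructed line is accepted; the other three are refused before any image is read, each with a distinct reason.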
Amit Gupta [Thu, 11 Jul 2024 17:43:06 +0000 (23:13 +0530)]
Bug 37323: Escape characters in patron image picture upload
To Test
1. Create a file name for example: test.zip`curl xxxxtesting.informaticsglobal.com`.zip
where the domain is one you can watch the logs from.
2. Go to Tools and click on Upload patron images choose option zip file and upload the file.
3. Check /var/log/apache2/access.log and see the curl with the IP
"xx.xxx.xx.xxx - - [11/Jul/2024:23:10:33 +0530] "GET / HTTP/1.1" 200 267 "-" "curl/7.68.0"
4. Apply the patch
5. Repeat steps 2 and 3 and check that no remote execution error occurs.
6. Test uploading actual zip file and images still works.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
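The root cause in Bug 37323 is a client-supplied file name reaching a shell. As an added example (not Koha's code; helper names are hypothetical), the upload is first copied to a generated name and `unzip` is then invoked through list-form `system()`, which never starts a shell.

```perl
use strict;
use warnings;
use File::Temp qw(tempfile tempdir);
use File::Copy qw(copy);

# Hypothetical helper (not Koha's code): copy the upload to a generated name,
# so whatever the browser called the file never reaches a command line.
sub stage_upload {
    my ($uploaded_path) = @_;
    my ( $fh, $safe_zip ) = tempfile( 'upload-XXXXXXXX', SUFFIX => '.zip', TMPDIR => 1 );
    close $fh;
    copy( $uploaded_path, $safe_zip ) or die "copy failed: $!\n";
    return $safe_zip;
}

# Hypothetical helper: the argument list for list-form system(). With a list
# Perl calls execve() itself; no shell parses the arguments, so backticks,
# ";" or "$(...)" inside a name are ordinary bytes, not commands.
sub unzip_command {
    my ( $zip, $dest_dir ) = @_;
    return ( 'unzip', '-q', '-o', $zip, '-d', $dest_dir );
}

sub extract_upload {
    my ( $uploaded_path, $dest_dir ) = @_;
    my $zip = stage_upload($uploaded_path);
    # Not system("unzip $uploaded_path -d $dest_dir"): a single string is handed
    # to /bin/sh, which is exactly what let a file name run a command.
    my $status = system( unzip_command( $zip, $dest_dir ) );
    my $exit   = $? >> 8;
    unlink $zip;
    die "unzip exited with status $exit\n" if $status != 0;
    return $dest_dir;
}

# Self-check with a constructed hostile name; only the name handling is
# exercised here, so the file content does not need to be a real archive.
my $dir  = tempdir( CLEANUP => 1 );
my $evil = $dir . '/test.zip`echo injected`.zip';
open my $fh, '>', $evil or die "cannot create test file: $!";
close $fh;
my $staged = stage_upload($evil);
my @cmd    = unzip_command( $staged, "$dir/out" );
print "argv: @cmd\n";
print "client-supplied name kept out of argv: ", ( "@cmd" =~ /injected/ ? 'no' : 'yes' ), "\n";
unlink $staged;
```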
Bug 37255: Fix handling of "All" values on waiting hold cancellation policy
If one creates a default waiting hold cancellation policy with
patron categories set as "All" and itemtype set as "All", Koha
breaks on 500 error. This happens because we try to match
template policy with "All" values either in category or itemtype
with *, not undef. This patch fixes this.
To test:
1. Create a new default waiting hold cancellation policy and
set both patron category and itemtype as "All".
2. Save policy.
=> Error page for error 500 is displayed.
3. Apply this patch.
4. Reload page.
=> Page is displayed and policy listing displays new policy
as it should.
Sponsored-by: Koha-Suomi Oy
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Hammat Wele [Thu, 27 Jun 2024 14:09:04 +0000 (14:09 +0000)]
Bug 37210: Escape single quote in search string in overdue.pl
To Test:
1. Go to /cgi-bin/koha/circ/overdue.pl
2. In the «Name or card number» field, type «Tommy'and(select(0)from(select(sleep(10)))v)and'»
3. Apply the filter
==> It takes 10 seconds, sleep(10) is executed
4. Inspect the page, in «Patron category:» field, put «Tommy'and(select(0)from(select(sleep(10)))v)and'» in the value of one of its options
5. select the option from the filter and Apply the filter
==> It takes 10 seconds, sleep(10) is executed
We can inject SQL into the following fields: borname, itemtype, borcat, holdingbranch, homebranch and branch
6. Apply the patch
7. Repeat step 1,2,3
==> It doesn't take 10 seconds, the injected SQL is not executed
8. Repeat step 5
==> It doesn't take 10 seconds, the injected SQL is not executed
9. Repeat step 5 with the following fields: itemtype, holdingbranch, homebranch and branch
==> It doesn't take 10 seconds, the injected SQL is not executed
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
(cherry picked from commit a4a7ed7a151582eff2a46ee1e8f85d4533f69def)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
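Bug 37210 above fixes string interpolation of filter values into SQL. As an added example (not overdue.pl itself; the helper and column names are assumptions), the six fields named in the test plan are turned into a WHERE clause with placeholders, so the value from step 2 is only ever a bound parameter.

```perl
use strict;
use warnings;

# Hypothetical helper (not overdue.pl itself): turn the filter fields named in
# the test plan into a WHERE clause with "?" placeholders plus a bind list.
# Column names come only from this fixed map; user values travel only through
# the bind list, so DBI sends them as data, never as SQL text.
my %COLUMN_FOR = (    # assumed column names
    borname       => 'borrowers.surname',
    itemtype      => 'items.itype',
    borcat        => 'borrowers.categorycode',
    holdingbranch => 'items.holdingbranch',
    homebranch    => 'items.homebranch',
    branch        => 'borrowers.branchcode',
);

sub build_overdue_query {
    my ($filters) = @_;
    my ( @where, @bind );
    for my $field ( sort keys %$filters ) {
        my $column = $COLUMN_FOR{$field}
            or die "unknown filter field: $field\n";    # never interpolate a caller-chosen column
        my $value = $filters->{$field};
        next unless defined $value && length $value;
        if ( $field eq 'borname' ) {
            push @where, "$column LIKE ?";
            push @bind,  "%$value%";    # the wildcard joins the bound value, not the SQL
        }
        else {
            push @where, "$column = ?";
            push @bind,  $value;
        }
    }
    # Simplified stand-in for the real overdue query.
    my $sql = 'SELECT issues.itemnumber, borrowers.cardnumber FROM issues'
        . ' JOIN borrowers USING (borrowernumber) JOIN items USING (itemnumber)'
        . ' WHERE issues.date_due < NOW()';
    $sql .= ' AND ' . join( ' AND ', @where ) if @where;
    return ( $sql, @bind );
}

# The string from the test plan ends up as a bound parameter; 'PT' is a
# constructed category code.
my ( $sql, @bind ) = build_overdue_query( {
    borname => "Tommy'and(select(0)from(select(sleep(10)))v)and'",
    borcat  => 'PT',
} );
print "$sql\n";
print "bind: $_\n" for @bind;
# With DBI: $dbh->selectall_arrayref( $sql, { Slice => {} }, @bind );
```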
Bug 37018: Add 400 response definition to all routes
This patch adds a test for well defined 400 responses on all verbs and
paths on the API spec.
The tests verify:
* Presence of 400 response definition
* The description must start with 'Bad request' (needs coding guideline)
* If DBIC queries are allowed on the route, then `invalid_query` needs
to be mentioned in the description.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Martin Renvoize [Wed, 10 Jul 2024 08:39:33 +0000 (09:39 +0100)]
Bug 37018: Clarify operators
This patch clarifies the list of operators both in the validate routine
and in the swagger description block where we document this feature for
the end user.
JD amended patch: tidy
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 534e7bf44a3667046793c07a9f17a4bcc13a3b74)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit e1f52ff212f65d174604c6d180ab40ed16330883)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Bug 37018: Handle exception in unhandled_exception() helper
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 58677f8e2e180342ce813506cb63bb81cb58804d)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Bug 37018: (follow-up) adding some allowed operators
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 5cb4c9c18f1e3d1894c84a4af2fdca03e3e0d69e)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Martin Renvoize [Wed, 5 Jun 2024 13:20:22 +0000 (14:20 +0100)]
Bug 37018: Use validation in search_rs helper
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit e75c94184f16fb556dab9dfbfb2f50f5f78bd91f)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Martin Renvoize [Wed, 5 Jun 2024 13:19:54 +0000 (14:19 +0100)]
Bug 37018: Add validation method to Koha::REST::Plugin::Query.pm
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 907510b076d0a5d9332d90041963d16e63decd81)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 8c63713497d86ac985734d18ea0acd86a4d45abf)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Martin Renvoize [Wed, 5 Jun 2024 13:19:06 +0000 (14:19 +0100)]
Bug 37018: Unit tests
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit f4cab95872351c01aa53e08fb2305ae587c03df7)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
This patch adds regression tests. With the current codebase, the
malicious query returns a 200. It should be caught and a 400 needs to be
returned.
To test:
1. Apply this patch
2. Run:
$ ktd --shell
k$ prove t/db_dependent/api/v1/query.t
=> FAIL: It returns a 200
3. Once the rest of the patches are ready, repeat 2
=> SUCCESS: It returns a 400
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 1fd94e90bcc74fe5f312ec0bf69850f96e4789ba)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
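The Bug 37018 series above adds operator validation to the REST query plugin so that an unexpected operator yields a 400 instead of a 200. As an added example (not Koha::REST::Plugin::Query, and with an assumed allowlist), here is the shape of such a validator walking a decoded `q` structure.

```perl
use strict;
use warnings;
use JSON::PP;
use Scalar::Util qw(blessed);

# Hypothetical validator (not Koha::REST::Plugin::Query): walk a decoded "q"
# structure and accept only hash keys that are plain column names or
# operators from a fixed allowlist. Anything else raises an exception that
# a controller would map to "400 Bad request ... invalid_query".
my %ALLOWED_OPERATOR = map { $_ => 1 } qw(
    = != < <= > >= -like -not_like -in -not_in -between -not_between -and -or -not
);    # assumed allowlist; the real list lives in the Koha plugin

sub validate_query {
    my ( $node, $path ) = @_;
    $path //= 'q';
    if ( ref $node eq 'HASH' ) {
        for my $key ( sort keys %$node ) {
            my $is_column = $key =~ /^[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*$/;
            die "invalid_query: unsupported key '$key' at $path\n"
                unless $is_column || $ALLOWED_OPERATOR{$key};
            validate_query( $node->{$key}, "$path.$key" );
        }
    }
    elsif ( ref $node eq 'ARRAY' ) {
        validate_query( $node->[$_], "$path\[$_]" ) for 0 .. $#$node;
    }
    elsif ( ref $node && !( blessed($node) && $node->isa('JSON::PP::Boolean') ) ) {
        # nothing JSON decodes to should land here; refuse rather than guess
        die "invalid_query: unexpected " . ref($node) . " at $path\n";
    }
    return 1;    # plain scalars are values and get bound by DBI
}

# Constructed queries: the first uses only listed operators, the second
# carries a key that is neither a column name nor a listed operator.
my @cases = (
    '{"title":{"-like":"%perl%"},"-or":[{"author":"Wall"},{"isbn":{"-in":["1","2"]}}]}',
    '{"title":{"-unknown_op":"x"}}',
);
for my $json (@cases) {
    my $ok = eval { validate_query( decode_json($json) ) };
    print $json, ' => ', ( $ok ? "accepted\n" : "rejected: $@" );
}
```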
Jonathan Druart [Fri, 5 Jul 2024 12:47:42 +0000 (14:47 +0200)]
Bug 37247: Fix display of "closed"
The subscription was not shown as closed after we closed it.
This is because "closed" is not passed to the template.
It seems more reliable to rely on the subscription object (that is passed to both
serials/serials-collection.tt and serials/subscription-detail.tt, the
others are not showing the Reopen/Close buttons)
Also fetch the subscription object after we reopen/close it, to display
accurate values.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 3cf17aa16f70e978f654345274972b65ca7b6164)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Bug 37247: Fix subscriptions operation allowed without authentication
Move close and reopen after get_template_and_user().
Also move Koha::Subscriptions->find(); it is not a good idea to run DB queries
before authentication.
Test plan:
1) Apply patch
2) Authenticate to staff interface
3) Go to an existing open subscription
4) Open a new browser tab and use it to log out
5) Go to first tab and click on 'Close'
6) You get login page
7) Authenticate
8) Check subscription is not closed
9) Check you can close and reopen subscription
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 42c2dd78ef52ec00afd6307ef179c491615c7085)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>