From c69a364e4b1ceb34ba837bc4441a95db89491e7c Mon Sep 17 00:00:00 2001 From: Jared Camins-Esakov Date: Mon, 15 Oct 2012 11:58:30 -0400 Subject: [PATCH] Bug 3652: close XSS vulnerabilities in opac-export The opac-export.pl script had a number of XSS vulnerabilities relating to its error handling. To test: 1) Go to /cgi-bin/koha/opac-export.pl?op=export&bib=2&format=

evil

(substituting a valid biblionumber for the '2') 2) Notice that "evil" is rendered as an h2 heading. 3) Apply patch. 4) Notice that you now see the h2 tags, and they are not rendered by the browser.
Signed-off-by: Chris Cormack
---
 opac/opac-export.pl | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/opac/opac-export.pl b/opac/opac-export.pl
index fb8dee7a1e..002c88e4ec 100755
--- a/opac/opac-export.pl
+++ b/opac/opac-export.pl
@@ -32,6 +32,7 @@ my $query = new CGI;
 my $op=$query->param("op")||''; #op=export is currently the only use
 my $format=$query->param("format")||'utf8';
 my $biblionumber = $query->param("bib")||0;
+$biblionumber = int($biblionumber);
 my ($marc, $error)= ('','');
 $marc = GetMarcBiblio($biblionumber, 1) if $biblionumber;
@@ -41,18 +42,23 @@ if(!$marc) {
 }
 elsif ($format =~ /endnote/) {
 $marc = marc2endnote($marc);
+ $format = 'endnote';
 }
 elsif ($format =~ /marcxml/) {
 $marc = marc2marcxml($marc);
+ $format = 'marcxml';
 }
 elsif ($format=~ /mods/) {
 $marc = marc2modsxml($marc);
+ $format = 'mods';
 }
 elsif ($format =~ /ris/) {
 $marc = marc2ris($marc);
+ $format = 'ris';
 }
 elsif ($format =~ /bibtex/) {
 $marc = marc2bibtex(C4::Biblio::GetMarcBiblio($biblionumber),$biblionumber);
+ $format = 'bibtex';
 }
 elsif ($format =~ /dc/) {
 ($error,$marc) = marc2dcxml($marc,1);
@@ -61,14 +67,17 @@ elsif ($format =~ /dc/) {
 elsif ($format =~ /marc8/) {
 ($error,$marc) = changeEncoding($marc,"MARC","MARC21","MARC-8");
 $marc = $marc->as_usmarc() unless $error;
+ $format = 'marc8';
 }
 elsif ($format =~ /utf8/) {
 C4::Charset::SetUTF8Flag($marc,1);
 $marc = $marc->as_usmarc();
+ $format = 'utf8';
 }
 elsif ($format =~ /marcstd/) {
 C4::Charset::SetUTF8Flag($marc,1);
 ($error,$marc) = marc2marc($marc, 'marcstd', C4::Context->preference('marcflavour'));
+ $format = 'marcstd';
 }
 else {
 $error= "Format $format is not supported.";
@@ -78,7 +87,7 @@ if ($error){
 print $query->header();
 print $query->start_html();
 print "
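Review bot: The added `$biblionumber = int($biblionumber);` coerces rather than validates: a non-numeric value such as `abc` becomes 0 but leaves an "Argument isn't numeric" warning in the server log, and a value like `2abc` silently becomes 2. An anchored check makes the intent explicit and keeps the log quiet: `$biblionumber = ($biblionumber =~ /\A(\d+)\z/) ? $1 : 0;`. A genuine integer is unchanged by either form, and the `if $biblionumber` guard on the following line still skips the lookup when the result is 0.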
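Review bot: The `dc` branch at the end of the `@@ -41,18 +42,23 @@` hunk is the only format branch without a canonicalizing `$format = '...';` assignment, and the gap before the `@@ -61,14 +67,17 @@` hunk adds no line (old and new gaps are both two lines), so a request whose format merely contains `dc` keeps its raw value in `$format` past the error check while every other branch now has a fixed value. If `$format` is used later in the response header or download filename, as the canonicalization in the other branches suggests, the same line belongs after the `marc2dcxml` call: `$format = 'dc';`. Once every branch assigns a fixed value, the unanchored `=~ /dc/`-style matches could also become exact comparisons, but that is a separate change; the `else` branch that still interpolates the raw value into `$error` is covered by the escaping added in the last hunk.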

An error occurred

";
- print $error;
+ print $query->escapeHTML("$error");
 print $query->end_html();
 }
 else {
--
2.39.5
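Review bot: The added `escapeHTML("$error")` wraps `$error` in a needless string interpolation; `print $query->escapeHTML($error);` behaves the same, since `escapeHTML` stringifies its argument in any case, and reads as the plain "escape the variable part" it is. The heading printed on the line before it is a literal, so escaping only the variable is the right split. The `if ($error)` block this hunk sits in opens in the hunk header and its `else` branch continues past the hunk, so whatever `$format` is used for there is not visible here.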