git.koha-community.org Git - koha.git/commit
Bug 34349: Validate/escape inputs for task scheduler
author David Cook <dcook@prosentient.com.au>
Mon, 24 Jul 2023 04:31:15 +0000 (04:31 +0000)
committer Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Thu, 28 Sep 2023 09:18:29 +0000 (09:18 +0000)
commit 9b68554979b46c0f46240840d120078cd17430f2
tree f43c543fe7be2bfc86045a631f0500ab05281f81
parent 3059919c130021d4b0c9609fa559b212c6ea2544

This change validates and escapes inputs for task scheduler.

Test plan:
0. Apply patch
1. koha-plack --reload kohadev
2. Go to http://localhost:8081/cgi-bin/koha/tools/scheduler.pl
3. Input a time a minute in the future and leave the date blank
4. Choose an existing report and output format
5. Type a malicious string which is also a valid email address
into the Email field
6. Click "Save"
7. Note that the job is added but the Email is wrapped in single
quotes
8. Try using a non-malicious email address with a single quote.
9. Note that the single quote is escaped, so that it will still
be used by runreport.pl

JD amended patch: tidy

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Removed pars for $email =~ regex, removed old commented lines.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit dcd698a4b4ed7f3a714ef35fe83c007fce9d52ae)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
tools/scheduler.pl
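
The quoting behaviour that steps 7 to 9 of the test plan check, as an added Perl example that is not the code from this commit. The helper names are hypothetical, the address pattern is a simplified assumption, and `printf` stands in for the scheduled command.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helpers for illustration; not taken from tools/scheduler.pl.

# Conservative allow-list check (assumption: simpler than full RFC 5322).
# ' and ` are legal in a local part, so passing validation does not by
# itself make the value safe to place on a shell command line.
sub looks_like_email {
    my ($email) = @_;
    return 0 unless defined $email && length $email <= 254;
    return $email =~ /\A[A-Za-z0-9.!#\$%&'*+\/=?^_`{|}~-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/ ? 1 : 0;
}

# POSIX sh: nothing is special inside single quotes, and a literal ' is
# written by closing the quotes, adding \' and reopening them.
sub sh_single_quote {
    my ($value) = @_;
    ( my $quoted = $value ) =~ s/'/'\\''/g;
    return "'$quoted'";
}

# Pass the quoted value through /bin/sh and return what the shell hands to
# the command; printf stands in for the scheduled job.
sub shell_round_trip {
    my ($value) = @_;
    my $cmd = "printf '%s' " . sh_single_quote($value);
    return scalar `$cmd`;
}

# Constructed sample inputs: plain, containing a single quote, containing
# shell substitution syntax, and one that fails validation.
my @samples = (
    q{user@example.org},
    q{o'brien@example.org},
    q{`hostname`@example.org},
    q{not an email},
);

for my $email (@samples) {
    if ( !looks_like_email($email) ) {
        print "rejected: $email\n";
        next;
    }
    my $status = shell_round_trip($email) eq $email ? 'intact' : 'ALTERED';
    printf "%-26s -> %-32s %s\n", $email, sh_single_quote($email), $status;
}
```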