From c74169ba27c2e12473239b15358e428bc05da9f5 Mon Sep 17 00:00:00 2001
From: Janusz Kaczmarek
Date: Mon, 6 May 2024 13:24:10 +0000
Subject: [PATCH] Bug 36794: Illegitimate modification of biblionumber subfield content (999 $c)

It happens that librarians, by mistake, open a biblio editor putting in the URL, by hand, the biblionumber prefixed with a blank (e.g. .../addbiblio.pl?biblionumber= 123 -- mind the space before 123). In such a case the editor opens with the right biblio record (i.e. 123) but, after saving the record, the content of the biblionumber MARC field (999 $c for a standard MARC 21 installation) ends up modified and contains additional initial blanks. Moreover, while using ES and making a search for the record (with title, author etc.) we get two records on the result list (instead of one).

This is because in the addbiblio.pl script $biblionumber is taken (and continuously used) directly from the CGI parameter, without any validation and/or correction.

Test plan:
==========
0. Have a test installation with ES.
1. Open a biblio record in the editor with an added space before the biblionumber value, e.g.:
   http://ktd:8081/cgi-bin/koha/cataloguing/addbiblio.pl?biblionumber= 123
   Save the record.
2. From the Normal view choose Save -> MARCXML. Open the saved file in your favourite editor. You should see, at the end, something like: 123 (mind the space before 123). This is not right.
3. Make a search with the title or author's name from the record (e.g. Henning Mankell for the record 123 from the default ktd data set). You should get two records instead of one (while using ES).
4. Apply the patch, restart_all. Repeat p. 1 and 2 with a different biblionumber. Notice the unchanged (i.e. without spaces) value of the 999 $c subfield in the exported record and only one record as a result of a search.

WNC amended patch - rebased, added conditional in case no bib, moved comments to their own lines

Sponsored-by: Ignatianum University in Cracow
Signed-off-by: Roman Dolny
Signed-off-by: Nick Clemens Signed-off-by: Katrin Fischer --- Koha/UI/Form/Builder/Biblio.pm | 4 +++- cataloguing/addbiblio.pl | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/Koha/UI/Form/Builder/Biblio.pm b/Koha/UI/Form/Builder/Biblio.pm index 340b27b27d..66b4002e81 100644 --- a/Koha/UI/Form/Builder/Biblio.pm +++ b/Koha/UI/Form/Builder/Biblio.pm @@ -49,7 +49,9 @@ sub new { my ( $class, $params ) = @_; my $self = {}; - $self->{biblionumber} = $params->{biblionumber}; + + $self->{biblionumber} = $params->{biblionumber} =~ s/\D//gr; + # just in case biblionumber obtained from CGI and passed directly here contains weird characters like spaces bless $self, $class; return $self; diff --git a/cataloguing/addbiblio.pl b/cataloguing/addbiblio.pl index 97ecddd5e5..99c20580b5 100755 --- a/cataloguing/addbiblio.pl +++ b/cataloguing/addbiblio.pl @@ -547,6 +547,8 @@ if ($biblionumber) { $biblio = Koha::Biblios->find($biblionumber); + # just in case $biblionumber obtained from CGI contains weird characters like spaces + $biblionumber = $biblio->biblionumber if $biblio; if ($biblio) { unless ( $biblio->can_be_edited($logged_in_patron) ) { print $input->redirect("/cgi-bin/koha/errors/403.pl"); # escape early -- 2.20.1
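Review bot: in the Koha/UI/Form/Builder/Biblio.pm hunk, `s/\D//gr` silently coerces any non-numeric input into a different, possibly valid, biblionumber (for example `12x3` becomes `123`) instead of rejecting it, and when `$params->{biblionumber}` is undef (a new record) it raises a "Use of uninitialized value" warning and stores the empty string where callers previously saw undef. Prefer explicit validation that keeps undef on no match, e.g. `my ($bn) = ( $params->{biblionumber} // '' ) =~ /^\s*(\d+)\s*$/;` followed by `$self->{biblionumber} = $bn;`, so `defined` checks keep working and junk input is never rewritten into another record's number. The explanatory comment also belongs above the assignment rather than below it, and the extra blank line added before it looks accidental.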
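Review bot: in the cataloguing/addbiblio.pl hunk the normalization runs after `Koha::Biblios->find($biblionumber)` has already been called with the raw CGI value, so the lookup still relies on the database quietly treating " 123" as 123, and when no biblio is found the unsanitized `$biblionumber` stays in place and keeps flowing into the rest of the script. Validate once at the boundary, before the lookup, e.g. `$biblionumber =~ s/^\s+|\s+$//g;` or, stricter, `unless ( $biblionumber =~ /^\d+$/ ) { ... redirect to an error page ... }`, which also avoids having two different sanitization rules here and in Biblio.pm.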