From 5f37d8d2f496ce3c9fd6dfd5a2efa7a9fe435af3 Mon Sep 17 00:00:00 2001 From: Marcel de Rooy Date: Wed, 1 Sep 2021 16:04:31 +0200 Subject: [PATCH] Bug 28935: No filtering on patron's data on member entry pages Security patch. Follow-up for 28929. Including correction for gonenoaddress and two others. Includes unwanted fields too now. Signed-off-by: Owen Leonard Signed-off-by: Nick Clemens Signed-off-by: Jonathan Druart --- members/memberentry.pl | 5 +++-- opac/opac-memberentry.pl | 5 ++++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/members/memberentry.pl b/members/memberentry.pl index c7082a8746..9a30732bc3 100755 --- a/members/memberentry.pl +++ b/members/memberentry.pl @@ -215,7 +215,7 @@ if ( $op eq 'insert' || $op eq 'modify' || $op eq 'save' || $op eq 'duplicate' ) # remove keys from %newdata that is not part of patron's attributes { my @keys_to_delete = ( - qr/^flags$/, + qr/^(borrowernumber|date_renewed|debarred|debarredcomment|flags|privacy|privacy_guarantor_fines|privacy_guarantor_checkouts|checkprevcheckout|updated_on|lastseen|lang|login_attempts|overdrive_auth_token|anonymized)$/, # Bug 28935 qr/^BorrowerMandatoryField$/, qr/^category_type$/, qr/^check_member$/, @@ -242,6 +242,7 @@ if ( $op eq 'insert' || $op eq 'modify' || $op eq 'save' || $op eq 'duplicate' ) qr/^guarantor_surname$/, qr/^delete_guarantor$/, ); + push @keys_to_delete, map { qr/^$_$/ } split( /\s*\|\s*/, C4::Context->preference('PatronSelfRegistrationBorrowerUnwantedField') || q{} ); for my $regexp (@keys_to_delete) { for (keys %newdata) { delete($newdata{$_}) if /$regexp/; @@ -323,7 +324,7 @@ if ($op eq 'save' || $op eq 'insert'){ # If the cardnumber is blank, treat it as null. $newdata{'cardnumber'} = undef if $newdata{'cardnumber'} =~ /^\s*$/; - if (my $error_code = checkcardnumber($newdata{cardnumber},$newdata{borrowernumber})){ + if (my $error_code = checkcardnumber( $newdata{cardnumber}, $borrowernumber )){ push @errors, $error_code == 1 ? 'ERROR_cardnumber_already_exists' : $error_code == 2 diff --git a/opac/opac-memberentry.pl b/opac/opac-memberentry.pl index cad1e867a4..3dc850a174 100755 --- a/opac/opac-memberentry.pl +++ b/opac/opac-memberentry.pl @@ -522,7 +522,10 @@ sub ParseCgiForBorrower { # Replace checkbox 'agreed' by datetime in gdpr_proc_consent $borrower{gdpr_proc_consent} = dt_from_string if $borrower{gdpr_proc_consent} && $borrower{gdpr_proc_consent} eq 'agreed'; - delete $borrower{flags}; + delete $borrower{$_} for qw/borrowernumber date_renewed debarred debarredcomment flags privacy privacy_guarantor_fines privacy_guarantor_checkouts checkprevcheckout updated_on lastseen lang login_attempts overdrive_auth_token anonymized/; # See also members/memberentry.pl + delete $borrower{$_} for qw/dateenrolled dateexpiry borrowernotes opacnote sort1 sort2 sms_provider_id autorenew_checkouts gonenoaddress lost relationship/; # On OPAC only + delete $borrower{$_} for split( /\s*\|\s*/, C4::Context->preference('PatronSelfRegistrationBorrowerUnwantedField') || q{} ); + return %borrower; } -- 2.39.5