3 # This file is part of Koha.
5 # Koha is free software; you can redistribute it and/or modify it
6 # under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # Koha is distributed in the hope that it will be useful, but
11 # WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with Koha; if not, see <http://www.gnu.org/licenses>.
20 use Test::More tests => 1;
22 use t::lib::TestBuilder;
34 $ENV{KOHA_INTRANET_URL} || C4::Context->preference("staffClientBaseURL");
35 my $opac = $ENV{KOHA_OPAC_URL} || C4::Context->preference("OPACBaseURL");
# Connection details for the test database, read from the Koha config.
# They are interpolated into the mysqldump / mysql commands further down
# that snapshot the database before the subtest and restore it afterwards.
37 my $context = C4::Context->new();
38 my $db_name = $context->config("database");
39 my $db_host = $context->config("hostname");
40 my $db_port = $context->config("port") || '';   # empty string when no port is configured
41 my $db_user = $context->config("user");
42 my $db_passwd = $context->config("pass");
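# Snapshot the test database so it can be restored after the subtest has
# modified biblios, items and system preferences.
#
# mysqldump is started in list form (no shell involved), so a credential,
# host or database name taken from the Koha config is always passed as a
# single argument and cannot be reinterpreted by the shell.  The `-P` option
# is only emitted when a port is actually configured; the former shell form
# left a bare `-P` in front of the database name whenever $db_port was empty.
# Failures are reported instead of being silently discarded, because a
# missing or truncated dump would make the later restore a no-op.
# NOTE(review): the password is still an argv element and thus visible in
# the process list while mysqldump runs.
{
    my @dump_cmd = (
        'mysqldump', '--add-drop-table',
        '-u', $db_user, "--password=$db_passwd", '-h', $db_host,
    );
    push @dump_cmd, '-P', $db_port if $db_port ne '';
    push @dump_cmd, $db_name;

    open my $dump_in, '-|', @dump_cmd
        or die "cannot start mysqldump: $!";
    open my $dump_out, '>', 'dumpfile.sql'
        or die "cannot open dumpfile.sql for writing: $!";
    while ( my $line = <$dump_in> ) {
        print {$dump_out} $line;
    }
    # Buffered write errors only surface at close, and mysqldump's exit
    # status is only known once the pipe has been closed.
    close $dump_out or die "cannot write dumpfile.sql: $!";
    close $dump_in
        or die "mysqldump failed: " . ( $! ? $! : "exit status $?" );
}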
# Fixtures: the Mojo test client used for the tracklinks requests, the DBIC
# schema, and the data builder used to create the sample biblios and items.
my $t       = Test::Mojo->new;
my $schema  = Koha::Database->new()->schema();
my $builder = t::lib::TestBuilder->new();
49 subtest 'open redirection vulnerabilities in tracklinks' => sub {
53 my $biblio = $builder->build_sample_biblio();
54 my $biblionumber1 = $biblio->biblionumber;
56 # Incorrect URI at Biblio level
57 $biblio = $builder->build_sample_biblio();
58 my $biblionumber2 = $biblio->biblionumber;
59 my $record = $biblio->metadata->record;
60 my $new856 = MARC::Field->new( '856', '', '', u => "www.bing.com" );
61 $record->insert_fields_ordered($new856);
62 C4::Biblio::ModBiblio( $record, $biblionumber2 );
65 $biblio = $builder->build_sample_biblio();
66 my $biblionumber3 = $biblio->biblionumber;
67 $record = $biblio->metadata->record;
68 $new856 = MARC::Field->new( '856', '', '', u => "http://www.google.com" );
69 $record->insert_fields_ordered($new856);
70 C4::Biblio::ModBiblio( $record, $biblionumber3 );
73 my $item = $builder->build_sample_item( { uri => 'http://www.google.com' } );
74 my $itemnumber1 = $item->itemnumber;
76 # Incorrect URI at Item level
77 $item = $builder->build_sample_item( { uri => 'www.bing.com ' } );
78 my $itemnumber2 = $item->itemnumber;
81 '/cgi-bin/koha/tracklinks.pl?uri=http://www.google.com';
82 my $bad_biblionumber1 =
83 '/cgi-bin/koha/tracklinks.pl?uri=http://www.google.com&biblionumber='
85 my $bad_biblionumber2 =
86 '/cgi-bin/koha/tracklinks.pl?uri=http://www.google.com&biblionumber='
88 my $good_biblionumber =
89 '/cgi-bin/koha/tracklinks.pl?uri=http://www.google.com&biblionumber='
92 '/cgi-bin/koha/tracklinks.pl?uri=http://www.google.com&itemnumber='
95 '/cgi-bin/koha/tracklinks.pl?uri=http://www.google.com&itemnumber='
98 Koha::Caches->flush_L1_caches;
100 C4::Context->set_preference( 'TrackClicks', '' );
101 $t->get_ok( $opac . $no_biblionumber )
102 ->status_is( 404, "404 for no biblionumber" );
103 $t->get_ok( $opac . $bad_biblionumber1 )
104 ->status_is( 404, "404 for biblionumber containing no URI - pref off" );
105 $t->get_ok( $opac . $bad_biblionumber2 )
106 ->status_is( 404, "404 for biblionumber containing different URI - pref off" );
107 $t->get_ok( $opac . $good_biblionumber )
108 ->status_is( 404, "404 for biblionumber with matching URI - pref off" );
109 $t->get_ok( $opac . $bad_itemnumber )
110 ->status_is( 404, "404 for itemnumber containing different URI- pref off" );
111 $t->get_ok( $opac . $good_itemnumber )
112 ->status_is( 404, "404 for itemnumber with matching URI - pref off" );
115 C4::Context->set_preference( 'TrackClicks', 'track' );
116 $t->get_ok( $opac . $no_biblionumber )
117 ->status_is( 404, "404 for no biblionumber" );
118 $t->get_ok( $opac . $bad_biblionumber1 )
119 ->status_is( 404, "404 for biblionumber containing no URI" );
120 $t->get_ok( $opac . $bad_biblionumber2 )
121 ->status_is( 404, "404 for biblionumber containing different URI" );
122 $t->get_ok( $opac . $good_biblionumber )
123 ->status_is( 302, "302 for biblionumber with matching URI" );
124 $t->get_ok( $opac . $bad_itemnumber )
125 ->status_is( 404, "404 for itemnumber containing different URI" );
126 $t->get_ok( $opac . $good_itemnumber )
127 ->status_is( 302, "302 for itemnumber with matching URI" );
130 C4::Context->set_preference( 'TrackClicks', 'anonymous' );
131 $t->get_ok( $opac . $no_biblionumber )
132 ->status_is( 404, "404 for no biblionumber" );
133 $t->get_ok( $opac . $bad_biblionumber1 )
134 ->status_is( 404, "404 for biblionumber containing no URI" );
135 $t->get_ok( $opac . $bad_biblionumber2 )
136 ->status_is( 404, "404 for biblionumber containing different URI" );
137 $t->get_ok( $opac . $good_biblionumber )
138 ->status_is( 302, "302 for biblionumber with matching URI" );
139 $t->get_ok( $opac . $bad_itemnumber )
140 ->status_is( 404, "404 for itemnumber containing different URI" );
141 $t->get_ok( $opac . $good_itemnumber )
142 ->status_is( 302, "302 for itemnumber with matching URI" );
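# Restore the database from the snapshot taken before the subtest ran.
# Same reasoning as for the dump: list-form open keeps the shell out of the
# picture, `-P` is only passed when a port is configured, and a failed
# restore dies rather than silently leaving the test data in place.
# NOTE(review): dumpfile.sql, a full copy of the database, is left in the
# working directory afterwards, as before; consider removing it once the
# restore has succeeded.
{
    my @restore_cmd = ( 'mysql', '-u', $db_user, "--password=$db_passwd", '-h', $db_host );
    push @restore_cmd, '-P', $db_port if $db_port ne '';
    push @restore_cmd, "--database=$db_name";

    open my $dump_in, '<', 'dumpfile.sql'
        or die "cannot open dumpfile.sql for reading: $!";
    open my $restore, '|-', @restore_cmd
        or die "cannot start mysql: $!";
    while ( my $line = <$dump_in> ) {
        print {$restore} $line;
    }
    close $dump_in;
    # mysql's exit status is only available once the pipe has been closed.
    close $restore
        or die "restoring the database failed: " . ( $! ? $! : "exit status $?" );
}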