From 4452036d1c100910c17a7ac7ac54cb83c0120620 Mon Sep 17 00:00:00 2001
From: Tomas Cohen Arazi
Date: Fri, 27 Mar 2020 18:16:58 -0300
Subject: [PATCH] Bug 25009: Avoid leakages in opac-showmarc.pl

This patch cleans opac-showmarc.pl so it doesn't allow retrieving records from import batches without requiring any permissions in the OPAC. it does so by just removing the code portion that does that. It also cleans the record fetch operation and how the record processor is initialized to it actually works :-D To test: 1. Perform a successful Z39.50 search in cataloguing (this fetches 20 records usually) 2. Query your DB for a valid import_record_id: $ koha-mysql kohadev > SELECT * FROM import_records LIMIT 1; 3. Notice some of the MARCXML details (title, author, etc), and the import_record_id 4. Point your browser to the opac-showmarc.pl URL like this: http://kohadev.mydnsname.org:8080/cgi-bin/koha/opac-showmarc.pl?importid=20 => FAIL: You get the record! (Bonus: no field/subfield takes place) 5. Hide some obvious subfield on the framework for a known (to you) biblionumber 6. Point your browser to: http://kohadev.mydnsname.org:8080/cgi-bin/koha/opac-showmarc.pl?id= => FAIL: No filtering takes place 7. Apply this patch 8. Repeat 4 => SUCCESS: You get an error because you did a bad request (no id param) 9. Repeat 6 => SUCCESS: Subfield filtering actually works! 10. Sign off :-D

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Jonathan Druart
Signed-off-by: Katrin Fischer
Signed-off-by: Martin Renvoize
---
 opac/opac-showmarc.pl | 41 +++++++++++++++++++++++++----------------
 1 file changed, 25 insertions(+), 16 deletions(-)

diff --git a/opac/opac-showmarc.pl b/opac/opac-showmarc.pl
index 232eac50a8..a8b5849dd3 100755
--- a/opac/opac-showmarc.pl
+++ b/opac/opac-showmarc.pl
@@ -41,27 +41,36 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user({
     authnotrequired => ( C4::Context->preference("OpacPublic") ? 1 : 0 ),
     debug => 1,
 });
 
-my $biblionumber = $input->param('id');
-$biblionumber = int($biblionumber);
-my $importid= $input->param('importid');
-my $view= $input->param('viewas') || 'marc';
-my $record_processor = Koha::RecordProcessor->new({ filters => 'ViewPolicy' });
+my $biblionumber = $input->param('id');
 
-my $record;
-if ($importid) {
-    my ($marc) = GetImportRecordMarc($importid);
-    $record = MARC::Record->new_from_usmarc($marc);
+unless ( $biblionumber ) {
+    print $input->redirect("/cgi-bin/koha/errors/400.pl");
+    exit;
 }
-else {
-    $record = GetMarcBiblio({ biblionumber => $biblionumber });
-    my $framework = GetFrameworkCode($biblionumber);
-    $record_processor->options({
-        interface => 'opac',
-        frameworkcode => $framework
-    });
+
+my $biblio;
+$biblio = Koha::Biblios->find( $biblionumber, { prefetch => [ 'metadata' ] } );
+
+unless ( $biblio ) {
+    print $input->redirect('/cgi-bin/koha/errors/404.pl');
+    exit;
 }
+my $view= $input->param('viewas') || 'marc';
+
+my $record_processor = Koha::RecordProcessor->new(
+    {
+        filters => 'ViewPolicy',
+        options => {
+            interface => 'opac',
+            frameworkcode => $biblio->frameworkcode
+        }
+    }
+);
+
+my $record = $biblio->metadata->record;
+
 
 if(!ref $record) {
     print $input->redirect("/cgi-bin/koha/errors/404.pl");
     exit;
-- 
2.39.5
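Review bot: The `id` parameter is no longer normalized with `int()` before the new guard, so `unless ( $biblionumber )` rejects only an empty or zero value and any other string reaches `Koha::Biblios->find` as-is; an anchored numeric check, `unless ( $biblionumber && $biblionumber =~ m/\A\d+\z/ ) {`, keeps the new 400 redirect as the one response for a malformed request instead of deferring that to the lookup layer (which presumably parameterizes the query, so this is about predictable error handling rather than injection). The two-statement `my $biblio;` / `$biblio = Koha::Biblios->find(...)` reads as leftover scaffolding and collapses to `my $biblio = Koha::Biblios->find( $biblionumber, { prefetch => [ 'metadata' ] } );`. The surviving `if(!ref $record)` check at the end of the hunk now sits behind a successful `find`, so whether it can still trigger depends on whether `$biblio->metadata->record` returns a non-ref or throws on malformed metadata — if it stays, a one-line comment naming the case it covers would help the next reader. That `if` block closes outside the hunk.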