Security Bugfix: Bug 1953 Adding Placeholders to SQL To Avoid Potential Injection Attacks
This patch addresses both security issues mentioned in the summary of the report
submitted by Frère Sébastien Marie included below.
---------------------------
The problem is here: 'C4/AuthoritiesMarc.pm' in the function 'DelAuthority':
The argument $authid is included directly (not via statement) in the SQL.
For the exploit of this problem, you can use 'authorities/authorities-home.pl'
with authid on the URL and op=delete (something like
"authorities/authorities-home.pl?op=delete&authid=xxx").
This should successfully call DelAuthority, without authentication...
(DelAuthority is called BEFORE get_template_and_user, so before authentication
[This should be an issue also...]).
Please note that the problem isn't only that anyone can delete an authority of
their choice, it is more general: with "authid=1%20or%1=1" (after inclusion the SQL
will be like: "delete from auth_header where authid=1 or 1=1") you delete all
authorities; with "authid=1;delete%20from%xxx" it is "delete from auth_header
where authid=1;delete from xxx" and so delete what you want...
SQL-INJECTION is very permissive: you can redirect the output to a file (with
some MySQL function), so write the file of your choice on the server, in order
to create a backdoor, and compromise the server.
Signed-off-by: Frère Sébastien Marie <semarie-koha@latrappe.fr>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit b0f60221f41041665c4fecacce35654fc8d45a01)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
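A self-contained illustration of the fix described in the commit above, added here and not Koha's own code: the interpolated form of the DELETE beside the DBI placeholder form, run against an in-memory SQLite table that stands in for auth_header (the three rows are constructed; the hostile value is the one quoted in the report).

```perl
#!/usr/bin/perl
# Added example (not Koha code): why a DBI placeholder stops the authid
# injection reported against DelAuthority. Requires DBI and DBD::SQLite.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });

# Minimal stand-in for auth_header; rows are constructed for this example.
sub reset_table {
    $dbh->do('DROP TABLE IF EXISTS auth_header');
    $dbh->do('CREATE TABLE auth_header (authid INTEGER PRIMARY KEY, authtypecode TEXT)');
    $dbh->do("INSERT INTO auth_header VALUES ($_, 'PERSO_NAME')") for 1 .. 3;
}

sub count_rows {
    my ($n) = $dbh->selectrow_array('SELECT COUNT(*) FROM auth_header');
    return $n;
}

# Shape of the pre-fix code: the caller-supplied value is spliced into the
# SQL text, so the database parses it as part of the statement.
sub del_authority_interpolated {
    my ($authid) = @_;
    $dbh->do("DELETE FROM auth_header WHERE authid=$authid");
}

# Shape of the fix: a '?' placeholder. The value is bound as data and is
# compared as one literal; it can never alter the statement's structure.
sub del_authority_placeholder {
    my ($authid) = @_;
    my $sth = $dbh->prepare('DELETE FROM auth_header WHERE authid=?');
    $sth->execute($authid);
}

my $hostile = '1 or 1=1';   # the value from the report, as a URL would carry it

reset_table();
del_authority_interpolated($hostile);   # "WHERE authid=1 or 1=1": whole table
printf "interpolated: %d of 3 rows remain\n", count_rows();

reset_table();
del_authority_placeholder($hostile);    # literal '1 or 1=1' matches no authid
printf "placeholder:  %d of 3 rows remain\n", count_rows();

reset_table();
del_authority_placeholder(2);           # a legitimate id still deletes its row
printf "legitimate:   %d of 3 rows remain\n", count_rows();
```

The commit also moves the DelAuthority call behind get_template_and_user; the placeholder alone fixes the injection, the reordering fixes the missing authentication, and both are needed.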
Owen Leonard [Fri, 18 Feb 2011 23:43:08 +0000 (18:43 -0500)]
Fix for Bug 5776 - menu on funds wraps when only 1 fund
Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit a0367aa973ad61eda090d743cccd9cf387dfcc09)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
Paul Poulain [Wed, 15 Dec 2010 19:29:50 +0000 (20:29 +0100)]
NormalizeString POD Fixing and variable renaming
POD was mistakenly saying that NFD was supposed to be the default
encoding. In fact it is not, it is NFC.
So the variable $nfc, used to change to the non-default encoding, was misleading.
Renaming it to $nfd.
Marcel de Rooy [Mon, 14 Feb 2011 16:24:18 +0000 (16:24 +0000)]
Follow up on 5736: fix authorities record.abs
Follow up on 5736: Same problem with 100 and 100a in authorities/record.abs
Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit a33109f523b45e248e9f8a327cc165cfd97bdc27)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
Marcel de Rooy [Thu, 10 Feb 2011 17:30:31 +0000 (17:30 +0000)]
Bug 5735: Expanding/collapsing cloned fields in editor takes original field
Adds corrected onclick response for expanding marc tags.
Removes some lines that did not work as promised.
Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit af1009da3d155b717b9c517a2992000e5f39eb94)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
Frédéric Demians [Thu, 10 Feb 2011 17:42:53 +0000 (17:42 +0000)]
Bug 5727 Warning in log due to XSLT.pm
XSLT.pm adds a few sysprefs to the MARCXML record sent to be transformed by XSLT. If
one of those sysprefs doesn't exist, it generates a warning.
Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit bfec5ef4c1d16b3dc4cccd3982883a21b09955a6)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
D Ruth Bavousett [Fri, 11 Feb 2011 01:22:27 +0000 (20:22 -0500)]
Bug 5230: Call number ranges in export don't give expected results.
If you entered a low number and a high number, you got only items that *exactly* matched either entry (if any).
If you entered only a low number, you got everything *lower* than that.
If you entered only a high number, you got everything *higher* than that.
This was a greater-than/less-than problem.
Signed-off-by: Nicole Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit 050466ce2bfbb06108c32ca388a7acca3dca2e4c)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
Katrin Fischer [Fri, 11 Feb 2011 23:53:53 +0000 (18:53 -0500)]
Make 'about' show D Ruth Bavousett's name change
Signed-off-by: D Ruth Bavousett <ruth@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit f889cbaa25680d482c5a0666ee26984eef046083)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
Liz Rea [Fri, 11 Feb 2011 23:54:40 +0000 (18:54 -0500)]
Correcting the name of one of the developers. :)
Signed-off-by: D Ruth Bavousett <ruth@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit f486e85c5b9bb0fe8b38987ccfe0a494ff45cefe)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
Owen Leonard [Wed, 9 Feb 2011 01:58:14 +0000 (20:58 -0500)]
Fix for Bug 5716 - Whitespace correction for browse shelf
Signed-off-by: Ian Walls <ian.walls@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit d7208f76bda9073df0452b85a7aa7e3649f20d0b)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
Katrin Fischer [Sat, 11 Dec 2010 20:43:57 +0000 (21:43 +0100)]
Bug 3009 - Change items.content field so it prints due date by default
<items.content> in overdue notices prints issuedate instead of duedate by default.
This patch changes default to issues.date_due.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit 224d2dee90237670672a7f2b212d5333852dd41f)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
koha-preprod [Tue, 8 Feb 2011 14:14:36 +0000 (09:14 -0500)]
Add markers to text in a JavaScript variable so that it can be translated.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit de491849ac3565aab985efe7ff6bd26e45977ae8)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
koha-preprod [Tue, 8 Feb 2011 14:28:41 +0000 (09:28 -0500)]
Bug 5629 : Adding an HTML anchor in the link in order to choose the right tab when we click on the link
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit b5c58f964a9f36b70d56d2ca9be6ffaf6a14605d)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
Brice Sanchez [Tue, 8 Feb 2011 13:59:45 +0000 (08:59 -0500)]
Bug 5702 : Adding if statement condition to highlight toggle
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit 02824a0b08fd2178fa970277b0fe636c7ed3d1b9)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
Bug 5616: Corrects a UTF-8 encoding problem in cardviews
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit 07731037ee453fe3537c257b07be9c49b66e8ced)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
Paul Poulain [Wed, 15 Dec 2010 19:38:23 +0000 (20:38 +0100)]
Bug 5700: MT4004 : additem.pl Some statuses were not defaulted to the correct value. Status 0 was lost because the test was done on the value and not on whether a value was defined or not. When the value is 0 it was not used as the default value for
Now if IndependantBranches is on and a user tries to delete all items, only the items of his branch will be deleted.
A message explains this fact.
Signed-off-by: Chris Nighswonger <cnighswonger@foundations.edu>
Followup: (MT #1365) Fixing up the English idiom
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit a4cc394508182f292b4767504dfbac882744c3df)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
Owen Leonard [Thu, 3 Feb 2011 23:53:15 +0000 (18:53 -0500)]
Fix for Bug 5532 - sysprefs editor should show names of saved prefs
Signed-off-by: Chris Nighswonger <cnighswonger@foundations.edu>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit 7acfb3a17f9ab592b385b032c93c96d6894ff821)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
Owen Leonard [Thu, 3 Feb 2011 22:36:05 +0000 (17:36 -0500)]
Fix for Bug 5689 - System preference notifications are not translatable
Defining strings in the template so that they can be translated.
Signed-off-by: Chris Nighswonger <cnighswonger@foundations.edu>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit aac253a5e0192b14dfa23e34c76629020c392bca)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
Owen Leonard [Thu, 3 Feb 2011 23:47:35 +0000 (18:47 -0500)]
Fix for Bug 5115, Tags JavaScript includes many untranslatable strings
Signed-off-by: Chris Nighswonger <cnighswonger@foundations.edu>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit dec6be9148ec28b240015762cdeb7019fbfadeb6)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
MT3947: items.timestamp was not updated on edit
If items.timestamp is used in the framework and hidden,
the fact that it is NOT deleted before the update is done would input the previous timestamp,
which is not the desired behaviour.
Signed-off-by: Chris Nighswonger <cnighswonger@foundations.edu>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit 60dd25b5c230249581a9736458aad4bad783dd52)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
Owen Leonard [Tue, 17 Aug 2010 16:58:33 +0000 (12:58 -0400)]
Fix for Bug 3319 - Need error message when adding patron and libraries are defined
- Hiding patron add toolbar when branches or categories are undefined
- Blocking patron entry form if branches or categories are undefined
- Removing nonfunctional template logic for displaying missing category
error message.
Bug 3212 Force leader 9 position to 'a' for new biblios
When creating a new biblio record, if the cataloguer doesn't use the leader
plugin, a biblio record can be saved with a leader not containing an 'a' in
position 9. If the biblio contains UTF-8 characters, its decoding can fail.
Colin Campbell [Mon, 31 Jan 2011 16:19:49 +0000 (16:19 +0000)]
Bug 5673: test guarantorid consistently
Incorrect checking of guarantorid was causing moremember.pl to
try and construct addresses using data from non-existent guarantors.
Ensure that the test consistently checks that the value is defined and not
'', '0' or 0 [i.e. what perl does for you anyway!!]
Ian Walls [Mon, 31 Jan 2011 02:43:55 +0000 (21:43 -0500)]
Bug 2341: items marked 'on order' not reserveable from search results
Items created as part of the acquisitions process, and assigned the temporary notforloan value of -1,
cannot be placed on hold from the search results in either the OPAC or staff client (the link is missing).
This patch changes the evaluation of items->notforloan from a Boolean (if $items->{notforloan}) to a comparison
(if $items->{notforloan} > 0). Any notforloan status with a negative value can therefore be reserved.
Signed-off-by: Nicole Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit f692123bf1b2b843d348a897852018caa04de76f)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
Previous bug4263 reintroduced bug 2466: fix clearing item field
This keeps the bug4263 followup to be assigned (do not blank dateaccessioned)
but also allows blanking item subfields.
(bug #4263) fix the editing of items with repeatable subfields
The subfield management at item level is broken: fields are concatenated in one field, and if the librarian edits it, the values are not selected.
This big patch fixes three things:
1) fields that are stored in SQL (using the koha2marc mapping) are now correctly cut and separated into _REAL_ subfields when saving
2) records with repeatable subfields are now returned correctly when loading
3) editing items with repeatable fields works well
Signed-off-by: Chris Nighswonger <cnighswonger@foundations.edu>
Bug 4263 Removing extraneous block of code
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit aa398ed055a7226ba02d6559b297cb172b3ce3df)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
(bug #4931) add the ability to choose home or holding branch in stocktaking
This adds a radio box in stocktaking to base it on home or holding branch.
Signed-off-by: Chris Nighswonger <cnighswonger@foundations.edu>
Bug 4391 Followup: Adding back lost declaration of $branchcode
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit 35b47b6ff71ea2bcfc699ec35132756d01bfadd3)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
Bug 5661 Fix a problem when doing an authority search with no sort order
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit 079796ed189541a0f04126c97e97cad50fb18783)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
Paul Poulain [Wed, 15 Dec 2010 19:28:03 +0000 (20:28 +0100)]
Bug 5681: Fixes leading zeroes in Add Multiple Copies
From Biblibre:
I don't know why, but removing sprintf solves the problems with leading zeroes
and the problems with large values.
(written by jean-andré santoni)
Note from Chris:
The width is never set, so the sprintf always defaults to a float, which
trims the leading zeros. I am not smart enough to figure out how to set
a valid width when calling it, and removing the sprintf seems to work
See http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=5681 for
test results
This patch makes it impossible to save records with variable fields that don't
contain any subfields. Prior to this patch, link_bibs_to_authorities.pl would
sometimes corrupt records.
Signed-off-by: Ian Walls <ian.walls@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit 428556cd130db0cfcffd6fe081f32dc1218a904f)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
Katrin Fischer [Mon, 31 Jan 2011 20:45:40 +0000 (15:45 -0500)]
Bug 4160: Currency conversion doesn't handle rates other than 100
Changes data type for currency.rate to accommodate bigger currency conversion rates.
FLOAT( 15, 5 )
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
Reed Wade [Mon, 31 Jan 2011 10:14:08 +0000 (10:14 +0000)]
Bug 5665: Routing slip prints too wide for narrow printers
This patch switches off some min-width styling which causes right hand
of page to be clipped.
Work sponsored by Opus
Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit 241fa939b48b2eb7e87360f2e47073df0b64af25)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
Robin Sheat [Fri, 28 Jan 2011 19:04:08 +0000 (14:04 -0500)]
Bug 5477 [SIGN-OFF] Fix test cases that require database access
This moves the DB-requiring tests out of the way, with the exception of
00-load.t which is used by the git hooks. For it, it makes it skip
loading problematic modules. This allows 'make test' to complete successfully
without a database configured, which is a required part of making packages.
This has been tested against the v3.02.03 tag and the master branch.
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit 9df2a4a8fc24ebb693ffb80a218b12137f8b282d)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
Ian Walls [Tue, 25 Jan 2011 04:09:39 +0000 (23:09 -0500)]
Bug 5376: Batch Mod and Delete require superlibrarian permissions
This only occurs with IndependantBranches turned on; in an attempt to check that the items being
modified belonged to the user's branch, the code made a simultaneous comparison and assignment,
which is not permitted in all compilations of Perl.
Splitting the assignment of $itembranchcode and the check for its non-null value fixes the problem.
Signed-off-by: Nicole Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit 12c116236f0f686005bbe035659778012bcaf862)
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>