From ed1c3b53b0b4986848ff1c1ac8bb2c2773856269 Mon Sep 17 00:00:00 2001
From: Chris Cormack
Date: Mon, 13 May 2024 02:26:13 +0000
Subject: [PATCH] Bug 36520: Sanitize input in opac-sendbasket.pl

To test 1/ Add some items to your cart in the opac 2/ Choose send cart 3/ Open firefox developer tools and switch to the network tab 4/ Send cart 5/ In the network tab, find the post request and choose copy as curl 6/ Edit the curl command to add )+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))x)--+- to the bib_list parameter 7/ Run the curl notice it takes a long time to respond, if you want to check run the curl without the above part added 8/ Apply the patch and restart plack 9/ Run the modified curl and notice no longer the slow down 10/ Test in browser and make sure the basket is still sent
Signed-off-by: Amit Gupta
Signed-off-by: Martin Renvoize
Signed-off-by: Victor Grousset/tuxayo
Signed-off-by: Marcel de Rooy
Signed-off-by: Wainui Witika-Park
---
 opac/opac-sendbasket.pl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/opac/opac-sendbasket.pl b/opac/opac-sendbasket.pl
index 75ddd3dc2c..b22b2307f9 100755
--- a/opac/opac-sendbasket.pl
+++ b/opac/opac-sendbasket.pl
@@ -77,6 +77,7 @@ if ( $email_add ) {
     foreach my $biblionumber (@bibs) {
         $template2->param( biblionumber => $biblionumber );
+        $biblionumber = int($biblionumber);
         my $biblio = Koha::Biblios->find( $biblionumber ) or next;
         my $dat = $biblio->unblessed;
         my $record = GetMarcBiblio({
-- 
2.39.5
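Review bot: The coercion on the added line comes one statement too late: `$template2->param( biblionumber => $biblionumber )` on the preceding context line still hands the raw, unsanitized value to the notice template, so the `int()` only protects the `Koha::Biblios->find` lookup and whatever follows it. It is also a weak filter: `int()` silently maps `abc` to 0 (then looked up as biblionumber 0) and `5) AND …` to 5 while emitting an "isn't numeric" warning in the logs on every such request. I would instead make an anchored whitelist the first statement of the loop body and keep the `param` call after it: `next unless defined $biblionumber && $biblionumber =~ m/\A\d+\z/;` followed by the existing `$template2->param( biblionumber => $biblionumber );`. If the split that builds `@bibs` is the only source of these values, the same check could be applied once there, but that code is outside this hunk. The enclosing `foreach` and the `if ( $email_add )` block both start and end outside the hunk.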