From 4b66fbc4ebc0fe706f9a9b9057a19ee0c1b13aa3 Mon Sep 17 00:00:00 2001
From: Janusz Kaczmarek
Date: Tue, 7 May 2024 09:13:54 +0000
Subject: [PATCH] Bug 36799: Illegitimate modification of MARC authid field content (001)

It happens that librarians, to save time, open an authority editor by putting in the URL, by hand, the authid prefixed, by mistake, with a blank (e.g. .../authorities.pl?authid= 100 -- mind the space before 100). In such a case the editor opens with the right auth record (i.e. 100) but, after saving the record, the content of the authid MARC field (001 for a standard MARC 21 installation) is modified and contains additional initial blanks.

Moreover, if the heading (1XX field) was modified in the authority record during such an edit, the changes will not propagate to the linked bibliographic records. And won't in the future.

This is because in the authorities.pl script $authid is taken (and continuously used) directly from the CGI parameter, without any validation and/or correction (line 540 in the current main branch).

Test plan:
==========
1. Open an auth record in the editor with an added space before the authid value, e.g.:
   http://ktd:8081/cgi-bin/koha/authorities/detail.pl?authid= 100
   Modify the heading field -- in the ktd data set: 150 Computerized typesetting
   Save the record.
2. a) Open the record for editing again -- see the space added before the authid in field 001. Close the editor (with Cancel).
   b) Try to go to the linked biblio records with Used in X records. Note no results, if using ES.
   c) Remove the space before the authid (after an:) in the URL. Go to the linked biblio records. See that the content of the field controlled by the modified auth record did not update.
3. Apply the patch; restart_all.
4. Repeat p. 1 and 2 with a different authid. Everything should be OK now.

Sponsored-by: Ignatianum University in Cracow
Signed-off-by: Roman Dolny
Signed-off-by: Nick Clemens
Signed-off-by: Katrin Fischer --- authorities/authorities.pl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/authorities/authorities.pl b/authorities/authorities.pl index 3b8a235636..ac798354f3 100755 --- a/authorities/authorities.pl +++ b/authorities/authorities.pl @@ -537,7 +537,8 @@ sub build_hidden_data { my $input = CGI->new; my $z3950 = $input->param('z3950'); my $error = $input->param('error'); -my $authid=$input->param('authid'); # if authid exists, it's a modif, not a new authority. +my $authid = $input->param('authid') =~ s/\D//gr + ; # if authid exists, it's a modif, not a new authority. We remove from authid all non-digit characters just in case the CGI parameter contains weird characters like spaces my $op = $input->param('op'); my $nonav = $input->param('nonav'); my $myindex = $input->param('index'); -- 2.39.5
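Review bot: the new line `my $authid = $input->param('authid') =~ s/\D//gr` runs the substitution even when the parameter is absent, which is exactly the "new authority" case the trailing comment describes; in that case `$authid` becomes the empty string instead of `undef` (and, under `use warnings`, every new-authority request logs an uninitialized-value warning), so any later `defined $authid` test in the script changes behaviour. Suggest keeping the original assignment and cleaning only when a value was supplied, e.g. `my $authid = $input->param('authid');` followed by `$authid =~ s/\D//g if defined $authid;`. Two smaller points: stripping every non-digit means a mangled value such as `1a00` silently becomes `100` and edits a different record, so matching `/^\s*(\d+)\s*$/` and rejecting anything else is the safer fix; and the orphaned ` + ;` line with the long comment after it should be folded into one line with the comment placed above the statement.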