Hammat Wele [Thu, 27 Jun 2024 14:09:04 +0000 (14:09 +0000)]
Bug 37210: Escape single quote in search string in overdue.pl
To Test:
1. Go to /cgi-bin/koha/circ/overdue.pl
2. In the «Name or card number» field, type «Tommy'and(select(0)from(select(sleep(10)))v)and'»
3. Apply the filter
==> It takes 10 seconds, sleep(10) is executed
4. Inspect the page, in «Patron category:» field, put «Tommy'and(select(0)from(select(sleep(10)))v)and'» in one of his option's value
5. select the option from the filter and Apply the filter
==> It takes 10 seconds, sleep(10) is executed
we can inject SQL to the followin field : borname, itemtype, borcat, holdingbranch, homebranch and branch
6. Apply the patch
7. Repeat step 1,2,3
==> it doesn't take 10 seconds, the injected sql is not executed
8. Repeat step 5
==> it doesn't take 10 seconds, the injected sql is not executed
9. Repeat step 5 with the followin field : itemtype, holdingbranch, homebranch and branch
==> it doesn't take 10 seconds, the injected sql is not executed
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
(cherry picked from commit a4a7ed7a151582eff2a46ee1e8f85d4533f69def) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Bug 37018: Add 400 response definition to all routes
This patch adds a test for well defined 400 responses on all verbs and
paths on the API spec.
The tests verify:
* Presence of 400 response definition
* The description must start with 'Bad request' (needs coding guideline)
* If DBIC queries are allowed on the route, then `invalid_query` needs
to be mentioned in the description.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Martin Renvoize [Wed, 10 Jul 2024 08:39:33 +0000 (09:39 +0100)]
Bug 37018: Clarify operators
This patch clarifies the list of operators both in the validate routine
and in the swagger descrption block where we document this feature for
the end user.
JD amended patch: tidy
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 534e7bf44a3667046793c07a9f17a4bcc13a3b74) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit e1f52ff212f65d174604c6d180ab40ed16330883) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Bug 37018: Handle exception in unhandled_exception() helper
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 58677f8e2e180342ce813506cb63bb81cb58804d) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Bug 37018: (follow-up) adding some allowed operators
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 5cb4c9c18f1e3d1894c84a4af2fdca03e3e0d69e) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Martin Renvoize [Wed, 5 Jun 2024 13:20:22 +0000 (14:20 +0100)]
Bug 37018: Use validation in search_rs helper
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit e75c94184f16fb556dab9dfbfb2f50f5f78bd91f) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Martin Renvoize [Wed, 5 Jun 2024 13:19:54 +0000 (14:19 +0100)]
Bug 37018: Add validation method to Koha::REST::Plugin::Query.pm
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 907510b076d0a5d9332d90041963d16e63decd81) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 8c63713497d86ac985734d18ea0acd86a4d45abf) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Martin Renvoize [Wed, 5 Jun 2024 13:19:06 +0000 (14:19 +0100)]
Bug 37018: Unit tests
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit f4cab95872351c01aa53e08fb2305ae587c03df7) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
This patch adds regression tests. With the current codebase, the
malicious query returns a 200. It should be caught and a 400 needs to be
returned.
To test:
1. Apply this patch
2. Run:
$ ktd --shell
k$ prove t/db_dependent/api/v1/query.t
=> FAIL: It returns a 200
3. Once the rest of the patches are ready, repeat 2
=> SUCCESS: It returns a 400
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: wainuiwitikapark <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 1fd94e90bcc74fe5f312ec0bf69850f96e4789ba) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Jonathan Druart [Fri, 5 Jul 2024 12:47:42 +0000 (14:47 +0200)]
Bug 37247: Fix display of "closed"
The subscription was not shown as closed after we closed it.
This is because "closed" is not passed to the template.
It seems more reliable to rely on the subscription object (that is passed to both
serials/serials-collection.tt and serials/subscription-detail.tt, the
others are not showing the Reopen/Close buttons)
Also fetch the subscription object after and reopen/close it to display
accurate values.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 3cf17aa16f70e978f654345274972b65ca7b6164) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Bug 37247: Fix subscriptions operation allowed without authentication
Move close and reopen after get_template_and_user().
Also move Koha::Subscriptions->find(), not a good idea to run DB queries
before authentication.
Test plan :
1) Apply patch
2) Authenticate to staff interface
3) Go to an existing open subscription
4) Open a new browser tab and use it to log-out
5) Go to first tab and click on 'Close'
6) You get login page
7) Authenticate
8) Check subscription is not closed
9) Check you can close and reopen subscription
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 42c2dd78ef52ec00afd6307ef179c491615c7085) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
David Cook [Fri, 21 Jun 2024 01:45:51 +0000 (01:45 +0000)]
Bug 37146: Prevent path traversal by validating input
This patch validates the plugin_name passed to plugin_launcher.pl
against the base path containing the "value_builder" directory.
Test plan:
0. Apply the patch
1. koha-plack --reload kohadev
2. Go to http://localhost:8081/cgi-bin/koha/cataloguing/addbiblio.pl?biblionumber=29
3. Check that the tag editor for leader still works
4. Go to http://localhost:8081/cgi-bin/koha/cataloguing/additem.pl?biblionumber=29
5. Check that the pluginf or "Date acquired" still works
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
(cherry picked from commit 4e9644238ff04d06e4e6dc980fcc8ad1a85a88ea) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Chris Cormack [Wed, 8 May 2024 22:41:43 +0000 (22:41 +0000)]
Bug 36818: Escape characters in file names uploaded
To test:
1/ create a file named something like 'execute`curl blog.bigballofwax.co.nz`.zip'
Where the domain is one you can watch the logs from
2/ Upload this file as a cover image
3/ Check /var/lib/koha/sitename/tmp/koha_sitename/ and see unescaped filenames
4/ Choose process, check the logs of the webserver see the connection has been made
5/ Apply the patch
5/ Repeat 2 & 3 and see the filename is now escaped
6/ Choose process and check no errors but no no remote execution occurs
7/ Test uploading actual zip file and images still works
Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 14bdaae3f257a321f8ec0d32c6b1e9bc6ed6033d) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Chris Cormack [Mon, 13 May 2024 02:26:13 +0000 (02:26 +0000)]
Bug 36520: Sanitize input in opac-sendbasket.pl
To test
1/ Add some items to your cart in the opac
2/ Choose send cart
3/ Open firefox developer tools and switch to the network tab
4/ Send cart
5/ In the network tab, find the post request and choose copy as curl
6/ Edit the curl command to add )+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))x)--+- to the bib_list parameter
7/ Run the curl notice it takes a long time to respond, if you want to check run the curl without the above part added
8/ Apply the patch and restart plack
9/ Run the modified curl and notice no longer the slow down
10/ Test in browser and make sure the basket is still sent
Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
(cherry picked from commit 2f3f42ba98b698871bc473d65a14b5e89d0ae86c) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Jonathan Druart [Mon, 13 May 2024 12:47:28 +0000 (14:47 +0200)]
Bug 36520: Prevent SQL injection in GetPreparedLetter
Actually in _get_tt_params
The following query will delay the response
SELECT `me`.`biblionumber`, `me`.`frameworkcode`, `me`.`author`, `me`.`title`, `me`.`medium`, `me`.`subtitle`, `me`.`part_number`, `me`.`part_name`, `me`.`unititle`, `me`.`notes`, `me`.`serial`, `me`.`seriestitle`
, `me`.`copyrightdate`, `me`.`timestamp`, `me`.`datecreated`, `me`.`abstract`
FROM `biblio` `me`
WHERE `biblionumber` = '1) AND (SELECT 1 FROM (SELECT(SLEEP(6)))x)-- -'
ORDER BY field( biblionumber, 1 ) AND (
SELECT 1
FROM
SELECT SLEEP( 6 ) x
) -- - )
To test
1/ Add some items to your cart in the opac
2/ Choose send cart
3/ Open firefox developer tools and switch to the network tab
4/ Send cart
5/ In the network tab, find the post request and choose copy as curl
6/ Edit the curl command to add )+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))x)--+- to the bib_list parameter
7/ Run the curl notice it takes a long time to respond, if you want to check run the curl without the above part added
8/ Apply the patch and restart plack
9/ Run the modified curl and notice no longer the slow down
10/ Test in browser and make sure the basket is still sent
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
(cherry picked from commit 0b3c98b0ba01ea5c886ecfe8eef174b5b7c6ec25) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Nick Clemens [Wed, 24 Apr 2024 15:06:22 +0000 (15:06 +0000)]
Bug 36575: Adjust checkpw_internal to return patron
This patch refactors checkpw_internal to remove the SQL code, use patron ojbects, and return the
patron that correctly matches the userid/caerdnumber when auth is successful
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
(cherry picked from commit fe78f06a50c41a7dbac24206e31bc5b1189ee185) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Martin Renvoize [Thu, 11 Apr 2024 10:18:30 +0000 (12:18 +0200)]
Bug 36575: (QA follow-up)
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
(cherry picked from commit fffc5600cad077e8b4d8d5211263f1935c5b07cd) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Nick Clemens [Thu, 11 Apr 2024 09:39:03 +0000 (09:39 +0000)]
Bug 36575: Return correct patron when there is a shared userid / cardnumber
This patch moves some patron fetching code in C4/Auth to use to patron returned from the validation
methods and only try to fetch the patron (to check if locked, update attempts, etc) if we didn't authenticate
To test:
1 - Set a user to have userid = BANANA password = Password1
2 - Set a user to have cardnumber = BANANA password = Password2
3 - Hit the patron authentication API:
http://localhost:8080/api/v1/auth/password/validation
with data:
{ "identifier": "BANANA", "password":"Password1" }
and:
{ "identifier": "BANANA", "password":"Password2" }
4 - Note you receive the same response for both
5 - Apply patch, restart all
6 - Repeat the API and confirm you get the correct patron for the password submitted
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Jonathan Druart [Fri, 8 Mar 2024 15:06:11 +0000 (16:06 +0100)]
Bug 36149: Unset userenv from middleware
The userenv (logged in user's info) are stored in
$C4::Context->context->{activeuser}, which persists in plack worker's
memory.
It's really bad in theory as we are not cleaning it before or after the
HTTP request, but only when set_userenv is called (what we are doing
commonly in C4::Auth::get_template_and_user).
If C4::Context->userenv is called before set_userenv we should get undef,
not the userenv from the previous request!
In practice this should not be a problem, but well... who really knows?
This patch suggests to have a middleware to deal with removing the
userenv at the beginning of each request (maybe it should be after, right? - FIXME).
To test:
1 - Edit /etc/koha/sites/kohadev/koha-conf.xml to set <plack_workers>1</plack_workers>
2 - Edit about.pl and add a line after: CGI->new:
warn Data::Dumper::Dumper( C4::Cointext->userenv() );
3 - tail -f /var/log/koha/kohadev/*.log
4 - View about.pl in staff interface, should get a "somethign's wrong" warning
5 - Reload, you get current user info
6 - Open an incognito tab, sign in as a different user and click some stuff
7 - Reload about.pl in other window
8 - You get the opac user info
9 - Apply patch
10 - Edit /etc/koha/sites/kohadev/plack.psgi and add the middleware after "RealIP":
enable "+Koha::Middleware::UserEnv";
11 - Restart all
12 - Reload about.pl - you get a "Something's wrong" warning
13 - Click things in opac on incognito window
14 - Reload about.pl - only "Something's wrong" - you no longer see any user info
Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 576e7e09fdca703f76c0d10ae55eebf12ee1fdf4) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 3dd1cdd74ff004d1d218366a377fc91d8ae4e21d) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Owen Leonard [Tue, 9 Apr 2024 15:55:57 +0000 (15:55 +0000)]
Bug 36511: Some scripts missing a dependency following Bug 24879
These files needed the addition of 'use C4::Auth qw( check_cookie_auth
);'.
To test, apply the patch and restart services.
- If necessary, enable the LocalCoverImages system preference.
- Open the browser console and then the "Network" tab. You can click
"Images" to filter for the correct kind of request.
- Perform a catalog search. After the search has loaded, check that
there are no 500 errors in the Network tab.
- Go to Cataloging -> Label creator.
- If necessary, create a label batch and add some items.
- Export your batch and test both the "Download as CSV" and "Download as
XML" links. Both should trigger the correct download.
- Go to Serials -> Claims, and select a vendor with late issues.
- Select all late issues and click "Download selected claims" at the
bottom of the page.
- Your CSV file should download correctly.
The file acqui/check_uniqueness.pl has been corrected as well but I'm
not sure how to test it!
Signed-off-by: danyonsewell <danyonsewell@catalyst.net.nz> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 747f5132311ea51ea6babbfc92a775ac0c67f93a) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 01b22fb71d30f56d3102837b5c9b4cfdacbc9e76) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 72cead50b49efaad6349cf653b970e6f5b610475) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
David Cook [Mon, 4 Mar 2024 04:19:38 +0000 (04:19 +0000)]
Bug 34755: Backport Koha::Token change from bug 34478
This change includes the Koha::Token changes which uses
Koha::Session for generating and checking CSRF tokens.
0. Apply the patch and koha-plack --restart kohadev
1. Setup Keycloak OIDC SSO according to "Testing SSO"
wiki guide
2. In a regular window go to http://localhost:8080
3. In a private window go to http://localhost:8080 and click
the SSO "Log in with..." button, but don't log into Keycloak
4. In the regular window, login locally, and navigate to 5-6 pages
5. In the private window, log into Keycloak
6. Note that you are redirected back to Koha and logged in
successfully (no wrong_csrf_token error).
Signed-off-by: Olivier Hubert <olivier.hubert@inlibro.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 46c0419a11d56b078f1f8528e51bf1a78bd284e6) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 19f79fa6064664a69597b0b330dca9c538b816bf) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
David Cook [Thu, 15 Feb 2024 02:49:18 +0000 (02:49 +0000)]
Bug 36098: Add Koha::Session module to ease session handling
This patch adds a Koha::Session module that makes it easier
to work with Koha sessions without needing the full C4::Auth module.
Test plan:
0. Apply the patch
1. Run the following unit tests:
prove ./t/db_dependent/Auth.t
prove ./t/db_dependent/Auth_with_cas.t
prove ./t/db_dependent/Koha/Session.t
2. Observe that they all pass
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 0e6537d199fe49a9e91e1c75f9462ddf1c878fed) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit f927343a88ade7cf3fe860b60c41057e6ff39692) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit e19e066b4aa5635e0b53d3351d6c92c68cf20b97) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Bug 34943: (QA follow-up) Use `before_biblio_action` and an `action` param
This patch harmonizes the hook name and parameters with the rest of the
codebase.
To test:
1. Apply this patch
2. Run:
$ ktd --shell
k$ qa
=> SUCCESS: All looks green, and tests still pass (i.e. they were
correctly adjusted to the new schema).
3. Sign off :-D
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 353f510c146cfcffc0bb488a8411755f111e5711) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
This patch implements a hook allowing record modification right before
they are written on the DB. The idea is that a plugin could be used to
add machine-generated fields/subfields.
To test:
1. Apply the unit tests patch
2. Run:
$ ktd --shell
k$ prove t/db_dependent/Koha/Plugins/Biblio_and_Items_plugin_hooks.t
=> FAIL: Tests fail! The hook is not implemented so the desired results
don't appear (added fields/subfields).
3. Apply this patch
4. Repeat 2
=> SUCCESS: It works!
5. Run:
k$ qa -c 2
=> SUCCESS: All green!
6. Sign off :-D
Sponsored-by: Theke Solutions Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit e78b7bdbe5c10e3d4a568a4560b28e46ab71a02f) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Jonathan Druart [Thu, 14 Mar 2024 15:17:55 +0000 (16:17 +0100)]
Bug 24879: Adjust tests
Installer scripts cannot be run from the UI:
debian/templates/apache-shared-intranet.conf:RewriteRule ^/cgi-bin/koha/(C4|debian|etc|installer/data|install_misc|Koha|misc|selenium|t|test|tmp|xt)/|\.PL$ /notfound [PT]
Jonathan Druart [Fri, 15 Mar 2024 09:12:41 +0000 (10:12 +0100)]
Bug 31988: Remove reports/itemtypes.plugin
This "plugin system" is only used for the itemtypes report. We can
simply remove the reports/manager.pl script and this plugin in favor of
a dedicated report.
Test plan:
Same behaviour expected before and after this patch
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Andrew Fuerste Henry <andrewfh@dubcolib.org> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 499fe0bea7d995358bd45da2bea7058d803f2b4e) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit e2c5e7b88bb9bbc2888129a8f782841f6f5fcff9) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Julian Maurice [Thu, 1 Feb 2024 08:15:23 +0000 (09:15 +0100)]
Bug 35960: Use .val() instead of string concat to prevent potential XSS
Test plan:
1. Log out
2. Go to /cgi-bin/koha/mainpage.pl#somestring"with<html>char
3. Open the brower's inspector and find "auth_forwarded_hash" input
4. Make sure the value attribute is there and corresponds to the URL's
fragment. It should be URI-encoded.
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit e6f8a4361e2975dfefcd9773fa61ef7d40300086) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 5409e17fb5abe0130f3cb2cd6c3d2a7707a5b251) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Kyle M Hall [Tue, 30 Jan 2024 15:58:02 +0000 (10:58 -0500)]
Bug 35942: OPAC user can enroll several times to the same club [23.05.x]
Test Plan:
1) Create 3 clubs, 1 limited to library A, 1 limited to library B and one not limited
2) Use a patron with home library A.
3) Go to the opac-user page, "Clubs" tab show 0/2 (the one from library B is not listed)
4) Browse to /cgi-bin/koha/svc/club/enroll?id=1
5) Reload that page a couple times
6) Note the patron is now enrolled in the same club multiple times
7) Delete those enrollments
8) Apply this patch
9) Restart all the things!
10) Repeat steps 2-7, note the lack of duplicate enrollments!
11) Repeat steps 2-10 for the staff interface
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 9bdab108e22768b018b017ed7c0e0016270f2570) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Kyle M Hall [Tue, 30 Jan 2024 15:58:02 +0000 (10:58 -0500)]
Bug 35942: OPAC user can enroll several times to the same club [23.05.x]
Test Plan:
1) Create 3 clubs, 1 limited to library A, 1 limited to library B and one not limited
2) Use a patron with home library A.
3) Go to the opac-user page, "Clubs" tab show 0/2 (the one from library B is not listed)
4) Browse to /cgi-bin/koha/svc/club/enroll?id=1
5) Reload that page a couple times
6) Note the patron is now enrolled in the same club multiple times
7) Delete those enrollments
8) Apply this patch
9) Restart all the things!
10) Repeat steps 2-7, note the lack of duplicate enrollments!
11) Repeat steps 2-10 for the staff interface
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 9bdab108e22768b018b017ed7c0e0016270f2570) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Nick Clemens [Fri, 26 Jan 2024 14:10:01 +0000 (14:10 +0000)]
Bug 35518: Check authentication and set userenv before fetching userenv variables
Currently we get the userenv before we have set it correctly for the session
To test:
1 - Sign in as a user with fast cataloging permission
2 - Bring up a patron, type gibberish into barcode field to get a fast cataloging link
3 - Check the link, it should have your current signed in barcode
4 - Sign in to a different browser with a different user and at a different branch
5 - Bring up a aptron in circulation and type gibberish into barcode field to get a fast cataloging link
6 - It may have your branch, but it may also have the other user's branch from the other window
7 - Keep entering gibberish to get a link until one user has the correct branch
8 - Then switch to the other browser, and keep entering gibberish, watch the branchcode change
9 - Apply patch, restart all
10 - Test switching between browsers. generating fast cataloging links
11 - Users should now consistently have the correct branch
Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 90b6f68616e2ba5ca3fcbbd9698c97ef41a45593) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 26722f2a08af99b9e3cb4eb50398df896085f527) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Andreas Jonsson [Thu, 8 Feb 2024 10:57:03 +0000 (11:57 +0100)]
Bug 36034: (bug 34893 follow-up) fix capture of return values from checkpw
Adapt code to the change of return value type of checkpw
introduced in bug 34893
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 3280e5a99de92a3e8d33ccef71d3013bac4add68) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Jonathan Druart [Tue, 30 Jan 2024 13:53:03 +0000 (14:53 +0100)]
Bug 35941: Limit club list to those from the logged in user
clubs-tab get the patron's id from the parameter. At the OPAC we must
use the one from the logged in user, to prevent leak to other users
Test plan:
Have 2 clubs: A, B
Enroll to A with patron borrowernumber=1
Enroll to B with patron borrowernumber=2
Log in with patron 1 and hit:
http://localhost:8080/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=1
=> OK
Now hit
http://localhost:8080/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=2
=> oops
Apply this patch, try again.
The "borrowernumber" parameter is no longer used to fetch the club list.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit e51ef7ef76a4ee523b302d724d80118185030e60) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Bug 29510: Make objects.find call search_limited if present
This patch makes objects.find implicitly update the passed
*$result_set* to use search_limited. This way no object leaks could
happen without noticing.
To test:
1. Apply the regression tests patch
2. Run:
$ kshell
k$ prove t/db_dependent/Koha/REST/Plugin/Objects.t
=> FAIL: Tests fail because search_limited is not used
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass! Results are correctly filtered based on userenv!
5. Sign off :-D
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
(cherry picked from commit 1f1f0837cd2058ff8e953e6ae719c7513ad35927) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 36a1b9e4dff208b6b55ea50008984c7ca0fb298f) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Jonathan Druart [Fri, 26 Jan 2024 07:58:17 +0000 (08:58 +0100)]
Bug 35918: Fix auto library connect (AutoLocation)
This code is a bit weird, its purpose it to auto select the library depending on the IP.
A problem appears if the same IP is used, then the user's choice will
might be overwritten randomly by another library.
To recreate the problem:
Turn on AutoLocation
Use koha/koha @CPL for test
And the following config:
*************************** 1. row ***************************
branchcode: CPL
branchname: Centerville
branchip: 172.18.0.1
*************************** 2. row ***************************
branchcode: FFL
branchname: Fairfield
branchip: 172.18.0.1
*************************** 3. row ***************************
branchcode: FPL
branchname: Fairview
branchip: 172.18.0.4
Connect and select CPL. Randomly FFL will be picked instead.
Signed-off-by: Magnus Enger <magnus@libriotech.no>
Tested this on top of 35890 and 35904 because git bz said they were required dependencies.
Figured out the IP Koha was seeing me as coming from in /var/log/koha/kohadev/plack.log.
Added that IP to the branchip for Centerville, Fairfield and Fairview. Set AutoLocation = Yes.
After this I could recreate the problem: If i left the "Library" field in the login screen
at "My Library" I got logged into a random library selected from the three i had set
branchip for. Applying the patches fixed this, as expected.
Tests pass, with AutoLocation off.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 4efe74fe12075298680965db3605f717f1da10d0) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com> Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Jonathan Druart [Fri, 26 Jan 2024 07:57:03 +0000 (08:57 +0100)]
Bug 35918: Add test
Signed-off-by: Magnus Enger <magnus@libriotech.no> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit e00cfb3c7b3954e545ad4b363bff48a8f4345d0a) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 7073d114577105537d448c49430eb546c0b435a2) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
This patch introduces some tests on the current (and new) behavior for
the `checkpw` function.
I needed it to better understand if an edge case was actually possible
(it wasn't).
Found a really minor annoyance for the internal check with expired
password not returning the $patron object for consistency with the other
use cases.
I think this method deserves (at least) changing the return value to a
sane data structure. But that's not target for backporting to stable
releases. So a separate bug.
Kyle M Hall [Fri, 22 Sep 2023 18:20:59 +0000 (14:20 -0400)]
Bug 34893: ILS-DI can return the wrong patron for AuthenticatePatron
Imagine we have a set of users. Some of those users have a NULL userid. We then call AuthenticatePatron from ILS-DI for a patron with a NULL userid, but a valid cardnumber. We call checkpw, which returns the cardnumber and userid. We then call Koha::Patrons->find on the userid *which is null*, meaning the borrowernumber returned is not the correct one, but instead the earliest patron inserted into the database that has a NULL userid.
Test Plan:
1) Give three patrons a userid and a password
2) From the database cli, set all patrons's userid to null
Run this query: update borrowers set userid = null;
3) Call AuthenticatePatron with username being the 1st patron cardnumber,
and password being the password you set for that patron
http://localhost:8080/cgi-bin/koha/ilsdi.pl?service=AuthenticatePatron&username=kohacard&password=koha
4) Note you get back a borrowernumber for a different patron. Refresh the page and the number is correct.
5) Do the same with the 2nd patron. Same issue at 1st and correct number after.
6) Apply this patch
7) Restart all the things!
8) Do the same with the 3rd patron.
9) Note you get the correct borrowernumber! :D
10) prove t/Auth.t t/db_dependent/Auth_with_ldap.t t/Auth_with_shibboleth.t t/db_dependent/Auth_with_cas.t
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 9ba199c2acc33873154c167e73e86a5e786084cb) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit f6c2bdf2163239eddef379ff34e769dfdaeac9ca) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
projects / koha.git / log