From 35b6a5ea116f8cafc92c31b0879dccb1cbe23a6b Mon Sep 17 00:00:00 2001 From: Jared Camins-Esakov Date: Mon, 15 Oct 2012 11:58:30 -0400 Subject: [PATCH] Bug 3652: close XSS vulnerabilities in opac-export The opac-export.pl script had a number of XSS vulnerabilities relating to its error handling. To test: 1) Go to /cgi-bin/koha/opac-export.pl?op=export&bib=2&format=

evil

(substituting a valid biblionumber for the '2') 2) Notice that "evil" is rendered as an h2 heading. 3) Apply patch. 4) Notice that you now see the h2 tags, and they are not rendered by the browser.
Signed-off-by: Chris Cormack
Signed-off-by: Paul Poulain
---
 opac/opac-export.pl | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/opac/opac-export.pl b/opac/opac-export.pl
index fb8dee7a1e..002c88e4ec 100755
--- a/opac/opac-export.pl
+++ b/opac/opac-export.pl
@@ -32,6 +32,7 @@ my $query = new CGI;
 my $op=$query->param("op")||''; #op=export is currently the only use
 my $format=$query->param("format")||'utf8';
 my $biblionumber = $query->param("bib")||0;
+$biblionumber = int($biblionumber);
 my ($marc, $error)= ('','');
 $marc = GetMarcBiblio($biblionumber, 1) if $biblionumber;
@@ -41,18 +42,23 @@ if(!$marc) {
 }
 elsif ($format =~ /endnote/) {
 $marc = marc2endnote($marc);
+ $format = 'endnote';
 }
 elsif ($format =~ /marcxml/) {
 $marc = marc2marcxml($marc);
+ $format = 'marcxml';
 }
 elsif ($format=~ /mods/) {
 $marc = marc2modsxml($marc);
+ $format = 'mods';
 }
 elsif ($format =~ /ris/) {
 $marc = marc2ris($marc);
+ $format = 'ris';
 }
 elsif ($format =~ /bibtex/) {
 $marc = marc2bibtex(C4::Biblio::GetMarcBiblio($biblionumber),$biblionumber);
+ $format = 'bibtex';
 }
 elsif ($format =~ /dc/) {
 ($error,$marc) = marc2dcxml($marc,1);
@@ -61,14 +67,17 @@ elsif ($format =~ /dc/) {
 elsif ($format =~ /marc8/) {
 ($error,$marc) = changeEncoding($marc,"MARC","MARC21","MARC-8");
 $marc = $marc->as_usmarc() unless $error;
+ $format = 'marc8';
 }
 elsif ($format =~ /utf8/) {
 C4::Charset::SetUTF8Flag($marc,1);
 $marc = $marc->as_usmarc();
+ $format = 'utf8';
 }
 elsif ($format =~ /marcstd/) {
 C4::Charset::SetUTF8Flag($marc,1);
 ($error,$marc) = marc2marc($marc, 'marcstd', C4::Context->preference('marcflavour'));
+ $format = 'marcstd';
 }
 else {
 $error= "Format $format is not supported.";
@@ -78,7 +87,7 @@ if ($error){
 print $query->header();
 print $query->start_html();
 print "
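Review bot: `$biblionumber = int($biblionumber);` coerces rather than validates: under Perl's numeric conversion `"12abc"` becomes 12, `"1e2"` becomes 100, `"-5"` stays -5 (still truthy, so it reaches `GetMarcBiblio` two lines later), and a non-numeric string becomes 0 with an "isn't numeric" warning in the log if warnings are enabled. An anchored whitelist states the intent and rejects everything else in one place, e.g. `$biblionumber = ($biblionumber =~ /\A(\d+)\z/) ? $1 : 0;`. Whichever form stays, a short comment such as `# bib comes straight from the query string; reduce it to a plain integer before it reaches the DB layer` would record why the line exists. Separately, `my $query = new CGI;` in the hunk header is indirect-object syntax and is worth turning into `CGI->new` the next time this area is touched.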
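Review bot: The `dc` branch at the end of this hunk is the only format branch that does not receive a canonical `$format = '...';` assignment, while every other branch here and in the next hunk (`marc8`, `utf8`, `marcstd`) does; the hunk offsets (+42,23 ending where +67 begins) show nothing was inserted between the two hunks, so for `dc` the raw query value survives, which matters if `$format` is later used for a filename or header (not visible here). Adding `$format = 'dc';` after the `marc2dcxml` call would make the chain uniform. As a point of style, the branch tests are unanchored substring matches (`/ris/` also selects `paris`), so a dispatch hash keyed on the exact format name would validate, canonicalize and dispatch in one place instead of spreading the canonical value across ten branches. The `if(!$marc)` chain this hunk belongs to opens before the hunk starts.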

An error occurred

";
- print $error;
+ print $query->escapeHTML("$error");
 print $query->end_html();
 }
 else {
-- 2.39.5
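Review bot: The double quotes in `escapeHTML("$error")` are redundant — `escapeHTML` stringifies its argument itself — so `print $query->escapeHTML($error);` reads cleaner and does not suggest `$error` might be an object needing explicit stringification. CGI.pm's `escapeHTML` covers `&`, `<`, `>` and `"` (and `'` depending on the version), which is sufficient here because the value is emitted as element text between `start_html` and `end_html`, but it would not be enough in an attribute, URL or script context; a comment such as `# $error can echo the user-supplied format; escaped for element-text context only` would keep a later editor from reusing the string elsewhere. The error page also goes out with the default 200 status from `$query->header()`; `print $query->header(-status => '400 Bad Request');` would let clients and log analysis tell rejected requests apart from successful exports.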