From 096fd4acfa360e450e9d6a1a37a96f7eb8d848c8 Mon Sep 17 00:00:00 2001 From: Petro Vashchuk Date: Tue, 21 Jun 2022 16:02:51 +0300 Subject: [PATCH] Bug 31001: Fix "CGI::param called in list context" warning in basket.pl CGI param basketno should be explicitly scalar, or else error log gets flooded with this warning: AH01215: CGI::param called in list context from /home/vagrant/kohaclone/acqui/basket.pl line 175, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 412. This patch fixes it by working with it in a scalar context. The functionality still remains the same but warning doesn't flood error log. To reproduce: 1. Head over to the acquisitions page. 2. Pick existing vendor with email contact info or create a new one. 3. Create a new basket or use existing one, and if it doesn't have any orders, add a new order to it. 4. Use the "E-mail order" button to send order. 5. Check the error log and find the upper mentioned warning. (Note: if you're going to test this more than once, you might need to restart your Plack in order for this warning to get added to your log file again, reasons of that is that the authors of CGI.pm decided to "warn only once") 6. Apply the patch. 7. Use the "E-mail order" button again, ensure that the same warning doesn't get added to the log file again. Signed-off-by: David Nind Signed-off-by: Tomas Cohen Arazi --- acqui/basket.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acqui/basket.pl b/acqui/basket.pl index bdc3a4d455..c028dc0219 100755 --- a/acqui/basket.pl +++ b/acqui/basket.pl @@ -172,7 +172,7 @@ if ( $op eq 'delete_confirm' ) { exit; } elsif ($op eq 'email') { my $err = eval { - SendAlerts( 'orderacquisition', $query->param('basketno'), 'ACQORDER' ); + SendAlerts( 'orderacquisition', scalar $query->param('basketno'), 'ACQORDER' ); }; if ( $@ ) { push @messages, { type => 'error', code => $@ }; -- 2.39.5