]> git.koha-community.org Git - koha.git/log
koha.git
7 years agoBug 19108 - Stored XSS in oai_sets.pl
Amit Gupta [Tue, 15 Aug 2017 08:03:57 +0000 (13:33 +0530)]
Bug 19108 - Stored XSS in oai_sets.pl

To Test
1. Hit the page /cgi-bin/koha/admin/oai_sets.pl
2. Click on New set
3. Add a text in the field setSpec, setName that contains js
4. Save the page.
5. Notice js is execute
6. Apply patch and reload, the js is escaped

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 10d3a8c212f8a45e40cd2644f94d555566a10018)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 20b4c81c1a1e1c93ecdc5ebeeddb870a802a7d4a)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 19103 - Stored XSS in matching-rules.pl
Amit Gupta [Tue, 15 Aug 2017 04:45:54 +0000 (10:15 +0530)]
Bug 19103 - Stored XSS in matching-rules.pl

To Test
1. Hit the page /cgi-bin/koha/admin/matching-rules.pl
2. Click on new record matching rule
3. Add a text in the field Description that contain js.
4. Save the page.
5. Notice js is execute
6. Apply patch and reload, the js is escaped

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 9222cd77d282affffba43a40a9ff2f768647501e)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit fb90eee74c483eb188b8c682a1259ba964f9c2b8)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 19103 - Stored XSS in patron-attr-types.pl
Amit Gupta [Tue, 15 Aug 2017 04:37:45 +0000 (10:07 +0530)]
Bug 19103 - Stored XSS in patron-attr-types.pl

To Test
1. Hit the page /cgi-bin/koha/admin/patron-attr-types.pl
2. Click on new patron attribute type
2. Add a text in the field Description that contain js.
2. Save the page.
3. Notice js is execute
4. Apply patch and reload, the js is escaped

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit cb0c3da4b6cec991194ce91e6412cf9d50562044)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 6fc53fb6df1e638f5cea70254612f7e60ff4de2f)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 19103: (follow-up) Stored XSS in itemtypes.pl
Jonathan Druart [Tue, 12 Sep 2017 13:58:24 +0000 (10:58 -0300)]
Bug 19103: (follow-up) Stored XSS in itemtypes.pl

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit c221bc40a330a25d59097e94e962a4afcea011af)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit e3e035c3ef1f89c416922f6a81fdc2b4596f900e)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 19103 - Stored XSS in itemtypes.pl
Amit Gupta [Tue, 15 Aug 2017 03:22:40 +0000 (08:52 +0530)]
Bug 19103 - Stored XSS in itemtypes.pl

To Test
1. Hit the page /cgi-bin/koha/admin/itemtypes.pl
2. Add a text in the field Description, Checkin message that contains js
2. Save the page.
3. Notice js is execute
4. Apply patch and reload, the js is escaped

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 18b5d4f1ababf560ff02a258de389f8c34cff9e4)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 4653a5209acf51cdc5977ff082d9b658f9959350)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 19128: XSS - admin/authorised_values.tt
Jonathan Druart [Tue, 12 Sep 2017 13:35:10 +0000 (10:35 -0300)]
Bug 19128: XSS - admin/authorised_values.tt

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit ad230cdcb5ad69541a89a4edaedcadde9d25b88a)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit c7a6dbca09c3aababf71349a9403b8e1e9e3e2bc)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 19128 - XSS - patron-attr-types.tt, authorised_values.tt and categories.tt
Katrin Fischer [Wed, 16 Aug 2017 12:34:17 +0000 (14:34 +0200)]
Bug 19128 - XSS - patron-attr-types.tt, authorised_values.tt and categories.tt

Preparation:
- Add a branch with script in the branch name
- Add a patron category with script in the category name
- Add a new authorised value cateogory with script
- Add a new authroised value for this category with script
  in all possible fields

- Test editing patron categories
- Test editing patron attribute types
- Test viewing and editing authorised values

Verify that with this script there is no more script executed
and everything works fine.

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 6b7ad77fffd7a6c4b69bce5bf666c6ff4be76c5b)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 8b85e835541e650cfa4c867bcd65fc5d03334613)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 19125 - XSS - members.pl
Katrin Fischer [Wed, 16 Aug 2017 10:05:50 +0000 (12:05 +0200)]
Bug 19125 - XSS - members.pl

In preparation to test this patch:
- Add a patron list named <script>alert("patron list")</script>
- Add a library named <script>alert("library")</script>
- Add a patron category named <script>alert("patron category")</script>

To test:
- Access patron search page and do a search
- Verify that the alerts added above are executed
- Apply patch
- Verify that no alerts are displayed

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 849eaf73fc419b9a635a1ba4b69ef46a7544e55a)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 2b0bd9add5deae0ab5bee79ee75a6cb769d0dea8)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 19086 - Follow-up - subscription-detail.pl
Katrin Fischer [Wed, 16 Aug 2017 11:07:18 +0000 (13:07 +0200)]
Bug 19086 - Follow-up - subscription-detail.pl

Add script to the callnumber field on adding a subscription.

Verify script is executed without this patch, but not with it.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 3ebcd2475dd35db47c33bcc59d5e75968667b518)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit b03752fa781695f9fb506be7ea5afd9fb3db4a08)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 19086 - Follow-up - XSS in supplier.tt
Katrin Fischer [Wed, 16 Aug 2017 10:59:13 +0000 (12:59 +0200)]
Bug 19086 - Follow-up - XSS in supplier.tt

In preparation:
Make sure you enter <script>alert("sth")</script>
in all fields of a new vendor that are not validated
and save.

1) Access vendor summary page.
2) Verify scripts are executed
3) Apply patch
4) Verify scripts are on longer executed

This works in combination with the other patches for XSS
on this bug.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 14a1aba57cc091a70c527a0d6bd495d21bd87345)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 13147e7c05daa73a4f562541c3a7f8c98747bc83)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 19086 Stored XSS in subscription-add.pl
Amit Gupta [Mon, 14 Aug 2017 21:14:11 +0000 (02:44 +0530)]
Bug 19086 Stored XSS in subscription-add.pl

To Test
1. Hit the page /cgi-bin/koha/serials/subscription-add.pl
2. Add a text in the field Public note and Nonpublic note
   that contains js (Internalnotes, notes)
2. Save the page.
3. Notice js is execute
4. Apply patch and reload, the js is escaped

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit ebf781afc133508eddcb8dc8fb6d7429a72db99b)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit c4a1eafb5bac265c936567807e94ab22d04a1094)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 19086 Stored XSS in supplier.pl
Amit Gupta [Mon, 14 Aug 2017 21:03:59 +0000 (02:33 +0530)]
Bug 19086 Stored XSS in supplier.pl

1. Hit the page /cgi-bin/koha/acqui/supplier.pl?op=enter
2. Add a text in the field company_postal, physical, company_fax,
   accountnumber, contactposition, contact_fax, contact_notes, notes that contains java script
3. Save the page.
4. Notice js is execute
5. Apply patch and reload the js is escaped

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 9d0bbf5fa7455e0eb64288652802b0836cf22690)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 46f91605a4044ebbf74f7014305078a1304afcd1)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 19086 Stored XSS in circulation.pl
Chris Cormack [Fri, 11 Aug 2017 19:54:34 +0000 (19:54 +0000)]
Bug 19086 Stored XSS in circulation.pl

1/ To test add a message to a borrower that contains js
2/ hit /cgi-bin/koha/circ/circulation.pl?borrowernumber=[number]
  where number is the borrowernumber of the borrower you set the message
  for
3/ Notice js is execute
4/ Apply patch, reload, js is escaped

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 80c93d3499b11f3574fbafe756f94c534b746d5a)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 0a53a9e7f35855405024d03bde01d49f560f99ee)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 19086 XSS in members/member.pl
Chris Cormack [Fri, 11 Aug 2017 19:36:43 +0000 (19:36 +0000)]
Bug 19086 XSS in members/member.pl

To test
1/ hit /cgi-bin/koha/members/member.pl?&searchmember=<script>alert('XSS Payload')</script>
2/ Notice js is executed
3/ Apply patch, reload
4/ js is now escaped

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 5ae18484b5a47e8a00ce8f1a0fd8b3db471947eb)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 44814081a72a995a91f7057d9158b18167c65dca)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18654 - Translatability: Get rid of tt directives starting with [%% in translatio...
Fridolin Somers [Tue, 12 Sep 2017 12:57:25 +0000 (14:57 +0200)]
Bug 18654 - Translatability: Get rid of tt directives starting with [%% in translation for itemsearch.tt

Followup correcting a typo of previous patch :
  name="holdingbranch" options = branche
it is branche[s]

Test plan :
- Look at 'Current location' in item search
=> Without patch you see only 'All libraries'
=> With patch you see 'All libraries' and each existing library, like in 'Home library'

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 889fabe9f28f3b6ef35fc36e73b12652f258510c)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit ea316ad4ae5b4aea4c255d08d36bfcb0b705c23b)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18654 - Translatability: Get rid of tt directives starting with [%% in translatio...
Marc Véron [Thu, 29 Jun 2017 13:22:54 +0000 (15:22 +0200)]
Bug 18654 - Translatability: Get rid of tt directives starting with [%% in translation for itemsearch.tt

This patch removes entries like the following in translations of itemsearch.tt:
"[%% INCLUDE form_field_select name=\"homebranch\" options = branches "
"empty_option = \"All libraries\" %%] [%% INCLUDE form_field_select name="
"\"holdingbranch\" options = branches empty_option = \"All libraries\" %%] %s "
"[%% INCLUDE form_field_select name=\"location\" options = locations "
"empty_option = \"All locations\" %%] %s "

New patch on top of Bug 18633 that resolves parts of initial comment.

To test:
- Verify that in itemsearch.tt no tt directives are splitted by new lines
  (search for [% INCLUDE )
- Verify that itemsearch.tt works as before

Followed test plan and verified that tt directives are not split by new
lines, the changes to the fieldset tags in comment 3 have been removed
and itemtype.tt still works correctly as before

Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 25fa02272d16c98d49a6020e867f60bc0510d960)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit dcafcbc036f9229d2d2854012f80fe051012a349)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 19023 - inventory tool performance
Fridolin Somers [Wed, 2 Aug 2017 09:21:58 +0000 (11:21 +0200)]
Bug 19023 - inventory tool performance

Inventory tool performance seems to be worst since 16.11.
I think it is because of authorized values computing changed by Bug 17249.

For each subfield of each item, we try to get the authorized value description with Koha::AuthorisedValues->search_by_marc_field.
But this method does not use cache like Koha::AuthorisedValues->get_description_by_koha_field.

I propose to use Koha::AuthorisedValues->get_description_by_koha_field and also to look for authorized value description only for item fields used in TT : location, notforloan, itemlost, damaged, withdrawn.

I have experimented inventory time on 100 items from 5s to 1s.

Test plan :
- Without patch
- Perform inventory with barcode file
- Check results and mesure execution time
- Apply patch
- Reperform inventory with same barcode file
- Check results is the same
- Compare execution time
- Run prove t/db_dependent/Items/GetItemsForInventory.t

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 95f1844e6c46ff51de9f95f99fcdf3369c756fd4)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 4c76583e6d3079bad51048f62f43c3c433f1e9bd)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18927: Use fully qualified subroutine names in C4::Items
Jonathan Druart [Mon, 4 Sep 2017 15:06:56 +0000 (12:06 -0300)]
Bug 18927: Use fully qualified subroutine names in C4::Items

rebuild_zebra.pl fails in some conditions (perl version?)
I do not recreate but it has been reported that reindex fails with:
  error retrieving biblio 94540 at /usr/share/koha/bin/migration_tools/rebuild_zebra.pl line 683, <DATA> line 751.

To fix it we can use fully qualified subroutine names for:
  GetMarcFromKohaField
  GetMarcBiblio
  GetBiblionumberFromItemnumber
  TransformKohaToMarc
  GetFrameworkCode

Test plan:
Confirm the rebuild_zebra script still works correctly after this patch

Signed-off-by: Lee Jamison <ldjamison@marywood.edu>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 2671eb2f93340e8fb3c794cff918d86c526cc47f)
(cherry picked from commit 1a50b447d3d58b40d8f84e7c264f01abcb42a826)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 19073: (bug 15758 follow-up) Dereference correct value from Koha::Object.
Alex Sassmannshausen [Thu, 10 Aug 2017 11:00:19 +0000 (13:00 +0200)]
Bug 19073: (bug 15758 follow-up) Dereference correct value from Koha::Object.

* tools/modborrowers.pl: Dereference 'branchcode' rather than
  'value'.

Test Plan:
- Carry out "Batch patron modification" with any number of patrons.
  + Change the library.
  + Hit Save.
- The library will not have been updated.
- Apply patch.
- Run same modification.
- The library will have been updated

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 8a328a20bf3a74268346104281688b2a81be80e6)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 111ab4e63257410bf7ca34e80e46675603072c36)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18900: wrong number format in receiving order
Fridolin Somers [Thu, 6 Jul 2017 06:48:18 +0000 (08:48 +0200)]
Bug 18900: wrong number format in receiving order

Bug 18471 added number formating in order receive.

I found a bug generated by this.
Koha::Number::Price defines methods to (un)format price depending on CurrencyFormat syspref.
The bug is that for CurrencyFormat US, some params are not defined in this module so there are retrieved from system locale. If system locale is not en_US, the params will be wrong. For example fr_FR will define ',' as decimal and so saved unit price is divided by 1000.

To recreate:
- On a server with locale 'fr_FR'
- With Plack mode
- Set CurrencyFormat on 'US'
- Open a basket
- Place an order for an item
- Close basket
- Receive order with changing 'Actual Cost' to '1,234'
- Note the 'Actual Cost' is now '1.23'
- Run unit test t/Number/Price.t without and with patch

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit e35903574ce666bca32eb4676f311b99bb268ec2)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 92b08a23e3b2c001d208b82b6ffee2af756ca51f)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18900: (QA followup) Make tests conditional to locale existence
Tomas Cohen Arazi [Wed, 9 Aug 2017 15:01:17 +0000 (12:01 -0300)]
Bug 18900: (QA followup) Make tests conditional to locale existence

It is important to highlight that tests have been skipped instead of having them pass
on the absence of the required fr_FR.UTF-8 locale installed on the system.

This patch does that check and effectively skips them.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 61f2ec769073709be3b688654ec355b3f4fbe522)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 1865db52bbf9413574c22ee2c9180137ac357918)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18900: add UT to Number/Price.t
Fridolin Somers [Thu, 6 Jul 2017 06:44:51 +0000 (08:44 +0200)]
Bug 18900: add UT to Number/Price.t

This patch adds unit tests to t/Number/Price.t in order to valid the problem.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 91dee226cdd089353dc71e559aa9e0b34fddf72e)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit aca614cd95b32d2953927e8e3e908bc1248b541c)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18906: Display all funds the logged in user can use
Jonathan Druart [Thu, 6 Jul 2017 21:10:10 +0000 (18:10 -0300)]
Bug 18906: Display all funds the logged in user can use

There are complex conditions to know if a librarian can use a fund, we
cannot do that with a SQL query, we need to use C4::Budgets::CanUserUseBudget

When this patch is applied then all funds are visible to both
superlibrarian patrons and patrons with all acq permissions

Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 19a7b498e1f4355ab1e4ee0adb5db299613f3f5c)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit d179da572b1d6bd7066d96f494aa805b86b92ae1)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18898 - Some permissions for Reports can be bypassed
David Cook [Thu, 27 Jul 2017 01:58:28 +0000 (11:58 +1000)]
Bug 18898 - Some permissions for Reports can be bypassed

If you manually visit the following links when you only have
permission to run reports, you'll still be able to access the ability
to create and edit reports:

/cgi-bin/koha/reports/guided_reports.pl?phase=Create%20report%20from%20SQL
/cgi-bin/koha/reports/guided_reports.pl?phase=Edit%20SQL

This patch ties these 2 unaccounted for phases to the create_reports
permission.

With patch, issue no longer can be reproduced.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 2fdfbaf0ddbf214c0efb9a3a3c2595a54517f795)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 4b71c9239708cd4d60190ed907fec03d1f8b08bc)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 17827 - Untranslatable "by" in MARC21slim2intranetResults.xsl
Serhij Dubyk {Сергій Дубик} [Tue, 22 Aug 2017 14:19:32 +0000 (17:19 +0300)]
Bug 17827 - Untranslatable "by" in MARC21slim2intranetResults.xsl

Signed-off-by: Serhij Dubyk {Сергій Дубик} <serhijdubyk@gmail.com>
The "by" after the title was not translatable in the result
lists of the intranet. This patch fixes it by removing
a comment, that caused a problem with the translation
scripts.

To test:
Test:

Before this patch in file en-GB-marc-MARC21.po present next paragraph:

msgid "by "
msgstr " by "

According string "by " in the file MARC21slim2intranetResults.xsl can not be translated (in other languages).

After applying this patch performed next command:
cd /usr/share/koha/misc/translator
sudo env KOHA_CONF=/etc/koha/sites/mykohainstance/koha-conf.xml PERL5LIB=/usr/share/koha/lib perl -I /usr/share/koha/lib "./translate" update

Now in the file en-GB-marc-MARC21.po present the following (modified) paragraph:

msgid "by "
msgstr " by "

https://bugs.koha-community.org/show_bug.cgi?id=17827
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit d5ea914f4dc41f78dbb3a59f894f6ecbb9a1afa4)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit afb2cb0c74b6a137652ec1a2e96fc480a5a50f96)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18778 - Translatability: Get rid of tt directive in translation for item-status.inc
Marc Véron [Mon, 12 Jun 2017 05:48:57 +0000 (07:48 +0200)]
Bug 18778 - Translatability: Get rid of tt directive in translation for item-status.inc

The file opac-tmpl/bootstrap/en/includes/item-status.inc exposes a template directive where translators should not be confronted with.

"%s %s [%%#- This include takes two parameters: an item structure and an "
"optional loan (issue) structure. The issue structure is used by course "
"reserves pages, which do not use an API to fetch items that populates item."
"datedue. -%%] %s %s %s %s "

This patch fixes new lines inside a tt directive (comment).
It is merely a string patch.

To test:
Verify that the code changes make sense.
(Bonus test: create a new language 'aa-AA', verify that line above does not
show up in aa-AA-opac-bootstrap.po)

NOTE: Followed test plan similar to bug 18776 comment 3.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit c8551645d5bdd3e6fb5b7e03280521a2fbaef636)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit b9ff28f719cb17d37e5eaecc4fb09b9032cc38e5)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18660: Translatability: Get rid of template directives [%% in translation for...
Marc Véron [Tue, 23 May 2017 15:09:49 +0000 (17:09 +0200)]
Bug 18660: Translatability: Get rid of template directives [%% in translation for patroncards-errors.inc

Translation for koha-tmpl/intranet-tmpl/prog/en/includes/patroncards-errors.inc
contains a lot of (partial) template directives like:
%%]%s %sLayout: [%%

This patch fixes it

To test:
- Verify that code changes make sense
- Apply patch
- Create a translation (cd misc/translator , then: perl translate create aa-AA
- Verify that in po/aa-AA-staff-prog.po contains no fragments like %%] or [%%
  for patroncards-errors.inc
- Try to get an error: Try a link like
  http://[YOUR SERVER]/cgi-bin/koha/patroncards/create-pdf.pl?batch_id=1&template_id=999&layout_id=999&start_card=1
  ...where template_id and layout_id do not exist

(Amended for comment #2 2017-06-05 mv)
(Amended for comment #6 2017-08-02 mv)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 7e39bbc61aedd6383f4d6a1b4728711c6922e877)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 036b317c0c0e96b0eb344d767cca7f87da4fb875)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18652: Get rid of tt directive in translation for uncertainprice.tt
Marc Véron [Mon, 22 May 2017 19:09:06 +0000 (21:09 +0200)]
Bug 18652: Get rid of tt directive in translation for uncertainprice.tt

Translation tool shows toe following for ncertainprice.tt
0; url=[% scriptname %]?booksellerid=[% booksellerid %]

This patch fixes it.

To test:
- Apply patch
- Verify that code change makes sense
- Verify that Home > Acquisitions > [vendor] > Uncertain prices for [vendor]
  works as before

- Additional test (for a langunage 'aa-AA')
  perl translate create aa-AA
  verify that line 41 no longer appears in aa-AA-staff-prog.po

Amended to switch from BLOCK to a template variable, see comment #5

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 2ee82801c7a8686523f9c5e95b0f43d44e52e4ab)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 4d427740196bb0a9bcfe80787af8cdf769c06b76)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18649: Translatability: Get rid of tt directive in translation for admin/categori...
Marc Véron [Fri, 4 Aug 2017 08:52:13 +0000 (10:52 +0200)]
Bug 18649: Translatability: Get rid of tt directive in translation for admin/categories.tt and onboardingstep2.tt

New patch without trailing IF construction in tt directives as
requested in comment #28

To test: Verify that translation tool no longer shows tt directives as
described in comment #1

New patch, needs SO.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 79338bde3e01708fe331a54745f45c620c121805)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 0f9175c0b26e9e8d65bf39dab80d99e5d7455346)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18921: Resolve a few warnings in C4/XSLT.pm
Marcel de Rooy [Mon, 10 Jul 2017 12:15:09 +0000 (14:15 +0200)]
Bug 18921: Resolve a few warnings in C4/XSLT.pm

Resolves warnings like:

Use of uninitialized value in hash element at C4/XSLT.pm line 262.
Use of uninitialized value in numeric eq (==) at C4/XSLT.pm line 267.
Use of uninitialized value $status in concatenation (.) or string at C4/XSLT.pm line 300.

Note: Line numbers are not exactly the same anymore.

Test plan:
[1] Enable XSLT view in OPAC
[2] Without this patch, you will probably have some of these warnings when
    doing some opac searches.
[3] Apply this patch. Check the logs again.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 5f989a81dff29db78620057d70ed864b32486bc0)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 1c8287632ea36e6d2a8ade922fe129f5f792d6d3)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18996: [16.11.x] use Koha::OldIssues instead of Koha::Old::Checkouts
Jonathan Druart [Mon, 11 Sep 2017 19:08:41 +0000 (16:08 -0300)]
Bug 18996: [16.11.x] use Koha::OldIssues instead of Koha::Old::Checkouts

7 years agoBug 18996: [16.11.x] [QA Follow-up] Remove global variables from Message.t
Marcel de Rooy [Wed, 2 Aug 2017 11:01:47 +0000 (13:01 +0200)]
Bug 18996: [16.11.x] [QA Follow-up] Remove global variables from Message.t

As per request of Colin in comment18, this patch makes the use of global
variables in Message.t no longer needed.
The three subtests are now completely independent and could well be moved
to separate test scripts.

Note: Strictly speaking, the use of global (package) variables could
potentially introduce new bugs (e.g. if the value is modified outside the
script). This seems not to be the case here, but we are safe now.

Test plan:
Run the test again.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
7 years agoBug 18996: [16.11.x] Add checkin subtest in SIP/Message.t
Marcel de Rooy [Sat, 29 Jul 2017 11:38:31 +0000 (13:38 +0200)]
Bug 18996: [16.11.x] Add checkin subtest in SIP/Message.t

Variable $branch was not used.
Promoted some global vars to our.
Shared the branchcode between all three subtests now.
The third subtest contains all six cases mentioned in the first patch.

Test plan:
Run t/db_dependent/SIP/Message.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
7 years agoBug 18996: [16.11.x] Resolve an uninitialized warning from ILS/Item.pm
Marcel de Rooy [Tue, 1 Aug 2017 12:10:56 +0000 (14:10 +0200)]
Bug 18996: [16.11.x] Resolve an uninitialized warning from ILS/Item.pm

From the syslog call on line 107/108. The field $item->{title} has not
been initialized. When catching the warns in a test script with Test::Warn,
I got:
    Use of uninitialized value $args[1] in sprintf at /usr/lib/x86_64-linux-gnu/perl/5.20/Sys/Syslog.pm line 423.

This simply resolves the warning. We might have a closer look to this title
field on another report though.

Test plan:
Run Message.t from the next patch without this fix. It will fail since the
additional warning makes warnings_like return false.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
7 years agoBug 18996: [16.11.x] Handle data corruption from old_issues at SIP checkin
Marcel de Rooy [Fri, 28 Jul 2017 08:29:51 +0000 (10:29 +0200)]
Bug 18996: [16.11.x] Handle data corruption from old_issues at SIP checkin

As per bug 18966 AddReturn returns false with a DataCorrupted message
when the issue_id at hand already occurs in the old_issues table.
This should be handled when returning an item via SIP too. SIP should
not pretend that the checkin was successful, since this item needs
special care.

The following six different situations are handled:

[1] An attempt to checkin an invalid barcode is handled as before. The
ok flag is false; the screen message shows 'Invalid Item'.
[2] We receive a DataCorrupted message: the alert type is set to the
unused 98 code to indicate this new error condition. The ok flag
is false; the screen message shows 'Checkin failed: data problem'.
[3] The item checked in was not checked out AND the option checked_in_ok
is active. The ok flag is set to true; no screen message.
[4] The item checked in was not checked out AND the option checked_in_ok
is not active. The ok flag is not changed (normally false); the screen
message shows 'Item not checked out'.
[5] (The regular checkin) The item was checked out and AddReturn returned
true. The ok flag is true; no screen message.
[6] ("Otherwise") The item was checked out, but AddReturn returned false.
The ok flag is false; the screen message shows 'Checkin failed'.
Note: Currently this case only refers to the Wrongbranch and withdrawn
messages from AddReturn (where doreturn==0).

Note: Situation 1 and 5 are unchanged. Behavior is slightly changed for
situation 3 and 4; the option is only used when the item was not checked
out. Situation 2 and situation 6 are changed. After bug 18966 SIP
returned OK in case of data corruption (while checkin failed). In the
remaining cases under [6] SIP also returned OK while checkin failed.

Test plan:
[1] Test all six cases listed above. In order to simulate data corruption
insert the issue_id at hand in old_issues before you check in.
In cases 3 and 4 you need to toggle the option in your SIPconfig.xml and
restart the SIP server.
Case 6 can be tested by checking out at branch A, adjusting the value
of pref AllowReturnToBranch and checking in at branch B.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
7 years agoBug 18046: CAS logout infinite redirect
Chris Cormack [Tue, 1 Aug 2017 22:15:10 +0000 (10:15 +1200)]
Bug 18046: CAS logout infinite redirect

To test (You need a CAS server and CAS configured in Koha)

1/ Login using CAS in Koha
2/ Logout in Koha
3/ Notice you get redirected again and again
4/ Apply patch
5/ Login with CAS, then logout
6/ Notice logout works, but no longer infinitely redirected

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Patch has been in production use for several months
on several instances. Fixes a critical bug.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Looks like a typical workaround, but evidently works.
Not tested with CAS.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 13ca4962068b184f803b6588e53e39209a77f2b6)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit c87b963818076a58661922116893ff052b2d76a9)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18741: Fix loading of SQL files in web installer
Julian Maurice [Wed, 7 Jun 2017 09:29:46 +0000 (11:29 +0200)]
Bug 18741: Fix loading of SQL files in web installer

Test plan:
1. Start a normal install using the web installer
2. When asked to select data to load, verify that
   'message_transport_types' is checked, and check some optional data
   files
3. Continue the install to the end
4. Verify that message_transport_types is not empty, and that the
   optional data you checked is there

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
7 years agoBug 18551 - Hide with CSS dynamic elements in member search
Fridolin Somers [Fri, 5 May 2017 13:00:05 +0000 (15:00 +0200)]
Bug 18551 - Hide with CSS dynamic elements in member search

In member search page, the result table is in Ajax so fully managed by Javascript. There is also a yellow dialog message prepared in HTML.

Thoses elements are hidden by JS code : ie $("#patron_list_dialog").hide().

The problem is that the static page is first loaded an displayed then the JS code runs an hides the elements.
On a low performance computer, this action is visible and looks like there is a blinking yellow message.

I propose to hide with CSS so that thoses elements are not displayed in static page and are there shown in dynamic JS code.

Test plan :
Check display is unchanged :
- Go to home page /cgi-bin/koha/members/members-home.pl
- Perform patron search from header search box
- Perform patron search by clicking on a letter
- Perform patron search from filters (left of results table)
- Select a patron and add it to a list => you see the yellow message

Yellow message does no longer appear with this patch.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Philippe <philippe.audet-fortin@inlibro.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 5cc536c68b221823f4335b5b5db1108521f88a71)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 19163: Critical typo in stage-marc-import process
Marcel de Rooy [Tue, 22 Aug 2017 14:41:46 +0000 (16:41 +0200)]
Bug 19163: Critical typo in stage-marc-import process

Template says ISO2709 but script wants MARC or MARCXML..
Slipped in with bug 19049.
Trivial but critical fix.

Test plan:
Import a MARC file.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
I picked this fix because I think MARC is always ambiguous. ISO2709
clearly denotes the serialization format used.

Signed-off-by: Liz Rea <liz@catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 19049: [QA Follow-up] Mock config, default format
Marcel de Rooy [Fri, 11 Aug 2017 06:34:45 +0000 (08:34 +0200)]
Bug 19049: [QA Follow-up] Mock config, default format

As requested by QA:
[1] Mock_config enable_plugins in the test.
[2] Fallback to MARC when format is empty. Remove die statement.
Added:
[3] Remove $marc. This variable got obsolete during development.
[4] Add test on $input_file and $plugin_class. Test $text before calling
    Handler or processing $text. No need to split undef if somehow Handler
    returned undef, etc. If the routine returns an empty arrayref,
    stage-marc-import will do fine.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit a423fcff42da05e9ebf9f2b4a2f192023346e93e)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit f067450d8011fb0a27a28524bec359ffad4f2278)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 19049 [QA Followup] - Make plugin name first item in description
Kyle M Hall [Thu, 10 Aug 2017 13:02:37 +0000 (09:02 -0400)]
Bug 19049 [QA Followup] - Make plugin name first item in description

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit d8f6315b6d9b1c7145f6036b55b7927f6d6e6e48)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 5699df9deed09edbaa3db1087f3e453c28ac1091)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 19049: [Follow-up] Make sure that GetPlugins finds the plugin
Marcel de Rooy [Thu, 10 Aug 2017 11:02:23 +0000 (13:02 +0200)]
Bug 19049: [Follow-up] Make sure that GetPlugins finds the plugin

We have to mock_config the pluginsdir before Plugins is loaded, and
we should pass an absolute path (not a relative one).
If you did not install the test to_marc plugin, this test would fail.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Verified patch is compatible with original KitchenSink to_marc plugin

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 0987b135ea0bb8fbd4fc39643b19715dc6e3a1c8)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 3bbb89c57181c113d64ec7649195de30b52d0806)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 19049: Testing RecordsFromMarcPlugin with a to_marc plugin
Marcel de Rooy [Tue, 8 Aug 2017 12:51:41 +0000 (14:51 +0200)]
Bug 19049: Testing RecordsFromMarcPlugin with a to_marc plugin

This patch adds a simple to_marc plugin in t/Koha/Plugin that is used
in the added subtest in ImportBatch.t.

Test plan:
[1] Run t/db_dependent/ImportBatch.t
[2] Copy the to_marc test plugin from t to your plugin directory.
    Under Debian packages, you should do something like:
    mkdir -p /var/lib/koha/master/plugins/Koha/Plugin/
    cp [yourclone]/t/Koha/Plugin/MarcFieldValues.pm /var/lib/koha/master/plugins/Koha/Plugin/
[3] Check if you see this plugin on plugins/plugins-home.pl
[4] Create a text file with some fields like:
    (Note: The plugin needs an empty line between both "records".)
    100,a = Test Author 1
    245,a = Title One

    100,a = Author 2
    245,a = Title Two
[5] Go to stage-marc-import.pl. Upload the created file. Select the plugin
    in the format combo and proceed. Did you create two records ?

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 83f60adbab8e96f0f14ec547029582623ac3a068)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit c6e3f2ac0575849a0b48170506a4986a50ac8bf1)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 19049: Fix regression on stage-marc-import with to_marc plugin
Marcel de Rooy [Mon, 7 Aug 2017 19:24:48 +0000 (21:24 +0200)]
Bug 19049: Fix regression on stage-marc-import with to_marc plugin

Bug 12412 added the use of to_marc plugins allowing arbitrary file formats
in stage-marc-import (as long as the plugins can handle them). The feature
was not very visible in the code, and when bug 10407 added the marcxml
format, it made some changes that broke the use of to_marc.

This patch restores the functionality by:
[1] Adding a sub RecordsFromMarcPlugin to ImportBatch.pm, specifically
    addressing the conversion from arbitrary formats to MARC::Record.
    The original to_marc interface is used: pass it the file contents,
    and it returns a string consisting of a number of MARC blobs separated
    by \x1D.
    Consequently, the call of to_marc is removed from routine
    BatchStageMarcRecords where it did not belong. The to_marc_plugin
    parameter is removed and two calls are adjusted accordingly.
[2] Instead of a separate combo with plugins, the format combo contains
    MARC, MARCXML and optionally some plugin formats.
[3] The code in stage-marc-import.pl now clearly shows the three main
    format types: MARC, MARCXML or plugin based.

Note: This patch restores more or less the situation after bug 12412, but
I would actually recommend to have the to_marc plugins return MARC::Record
objects instead of large text strings. In the second example I added a
to_marc plugin that actually converts MARC record objects to string format,
while RecordsFromMarcPlugin reconverts them to MARC::Records.

Test plan:
See second patch.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit d24568b67256fab79b42ead54302c76d1c9653d7)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 4dd020a3019cd7e2b357153ec737b15eea95f671)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 19053: Keep auto_renew flag if a confirmation is needed
Jonathan Druart [Mon, 7 Aug 2017 16:50:32 +0000 (13:50 -0300)]
Bug 19053: Keep auto_renew flag if a confirmation is needed

If an item is checked out with the auto renewal flag and a confirmation
is needed (holds exist, past due date, etc.) the auto renewal flag will
get lost.

Test plan:
- Check an item out and specify a past due date
- Confirm the checkout on the confirmation screen
=> Without this patch the checkout is not marked as auto renewal
=> With this patch applied the auto renewal flag will be set to the
checkout

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 3808dbc1d22b3adc43a09ba7ce00aaca01f95f5a)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 8f3a7d800271cb2611de0cb369e907b16c30fb0b)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18624: Minor refactoring to ease testing
Tomas Cohen Arazi [Mon, 7 Aug 2017 19:07:40 +0000 (16:07 -0300)]
Bug 18624: Minor refactoring to ease testing

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit ff41b87302c1b242f9edd7b2e8c253bd18b57ac1)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 4c50a19ab920b488193d78ee18d89bb143ddae4a)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 16976 - Unit tests
Nick Clemens [Fri, 7 Jul 2017 17:55:50 +0000 (17:55 +0000)]
Bug 16976 - Unit tests

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 07c0d968b70421852ac4915633fa7f3cbd0d18cd)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit a0bc776e67569b83dc3d5bc47069ceb1408badb2)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 16976 - Authorities searches with double quotes gives ZOOM error 20003 [Alternate]
Nick Clemens [Fri, 16 Jun 2017 10:36:22 +0000 (06:36 -0400)]
Bug 16976 - Authorities searches with double quotes gives ZOOM error 20003 [Alternate]

I dug into this a little bit, it seems the issue is that we were double
processing the query because of an extra call to
C4::AuthoritiesMarc::SearchAuthorities

I think we can simply remove this call

To test:
1 - Perform an authority search for a value that returns results
2 - Wrap it in quotes and search
3 - 'Internal server error'
4 - Apply patch
5 - Search with quotes succeeds

https://bugs.koha-community.org/show_bug.cgi?id=16796

Signed-off-by: Lee Jamison <ldjamison@marywood.edu>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 9c8a04acb05466356fec8e9d6d13183295719c7d)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 39a2f6421e3d0b2c415ad9abc655193357e24328)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18331: POST_CHOMP everywhere!
Jonathan Druart [Mon, 14 Aug 2017 13:26:48 +0000 (10:26 -0300)]
Bug 18331: POST_CHOMP everywhere!

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 3c6168d37436b7312e130f796d47271ff2de77cf)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 4c86b575b2ef09cceefa9a2718053e45a71c2b25)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18331: Followup - fix path to orders_by_budget csv header
Josef Moravec [Tue, 8 Aug 2017 08:23:57 +0000 (08:23 +0000)]
Bug 18331: Followup - fix path to orders_by_budget csv header

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 14484ba4234fd1cbb925b5f3a4844da863c65d5a)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit c6a3c7c39babf64ad916650277ab752e54072916)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18331: Followup - Fix CSV export (once and for all!)
Lee Jamison [Fri, 4 Aug 2017 19:27:22 +0000 (19:27 +0000)]
Bug 18331: Followup - Fix CSV export (once and for all!)

Follow-up on Comment 21 to correct the empty_line.inc
include in basket.tt

https://bugs.koha-community.org/show_bug.cgi?id=18331

Signed-off-by: Lee Jamison <ldjamison@marywood.edu>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 2ee4e0ac381ed23fa23b1117725b2f6a0e0db4de)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit ad4c173bca27de2b05a1c47a3977212f72654c40)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18331: Force tt to insert newline to empty_line.inc
Marc Véron [Thu, 3 Aug 2017 15:50:30 +0000 (17:50 +0200)]
Bug 18331: Force tt to insert newline to empty_line.inc

See end of comment #4 and IRC:
http://irc.koha-community.org/koha/2017-08-03#i_1958062

Signed-off-by: Lee Jamison <ldjamison@marywood.edu>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit a10e5383016a5cb4117719ac858cbe02a53e457b)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit c4e608d29954195f01ea170ff06d7e8da4814707)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18331: Fix CSV export (once and for all!)
Jonathan Druart [Mon, 12 Jun 2017 20:04:47 +0000 (17:04 -0300)]
Bug 18331: Fix CSV export (once and for all!)

I am going to try and explain the problem here in order to make it a
have-to-read for next changes.

There are several things to test when and most of the time we break
something when we try to fix something else.

You have to test different CSV export, not only one. There are not all
processed the same way. For instance acqui/csv/basket.tt does not
contain any strings to translate and the translate script will copy the
original file as it.
But reports/csv/orders_by_budget.tt will not! Indeed it contains "TOTAL"
which will be translated. The generated tt file for the translated
language will remove all the carriage returns! That's why we cannot rely
on TT for newlines (contrary to bug 16914 assumption).

There are two possible methods:
1/ Fix the translate script
=> Hum... nope
2/ Remove all carriage returns and make them explicit by including an
file that only contains 1 carriage return

This second method is implemented in this patch.

How it works: Use the PRE_CHOMP "[%-" and POST_CHOMP "-%]"
(http://www.template-toolkit.org/docs/manual/Config.html#section_PRE_CHOMP_POST_CHOMP)
to remove all the newlines that could be added by TT in the original
(en) files. Then include the new_line.inc to add a new line.
That way original and translated files will behave the same way.
The BLOCK in the csv_headers avoid to have the newlines added, in any
cases. For instance: by default we will have an empty line at the end of
the headers, but the translated headers will not have it.

Test plan:
At least 2 signoffs will be needed, please test carefully!
You will need to generate CSV with at least 2 entries!
Test with the non-translated interface (en) and with the language you
want. To test with a translated language you will *have to*:
- cd misc/translator
- perl translate update LANG
- manually edit the po file, remove the fuzzy tags, correctly translate
the string (do not forget the additional %s in the headers)
- perl translate install LANG
1/ Export basket and basketgroup as CSV
2/ Export late orders as CSV
3/ Export items (from the item search) as CSV
4/ Export the 2 reports "Orders by fund" and "Cash register" as CSV

Signed-off-by: Lee Jamison <ldjamison@marywood.edu>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 8403799c7212349bee70090249e3425afd62423b)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 5b1c9cd3f27d377ddee5635f32fd1a3e2626409c)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoUpdate release notes with security bugs v16.11.11-1
Katrin Fischer [Wed, 23 Aug 2017 19:12:45 +0000 (21:12 +0200)]
Update release notes with security bugs

7 years agoAdd release notes for Koha 16.11.11 v16.11.11
Koha instance kohadev-koha [Wed, 23 Aug 2017 18:15:13 +0000 (18:15 +0000)]
Add release notes for Koha 16.11.11

7 years agoMerge remote-tracking branch 'transl/16.11.11-translate-20170823' into 16.11.x
Katrin Fischer [Wed, 23 Aug 2017 18:04:00 +0000 (20:04 +0200)]
Merge remote-tracking branch 'transl/16.11.11-translate-20170823' into 16.11.x

7 years agoTranslation updates for Koha 16.11.11
root [Wed, 23 Aug 2017 17:51:49 +0000 (14:51 -0300)]
Translation updates for Koha 16.11.11

7 years agoIncrement version for 16.11.11 security release
Katrin Fischer [Wed, 23 Aug 2017 17:51:09 +0000 (19:51 +0200)]
Increment version for 16.11.11 security release

7 years agoBug 16069 - XSS issue in basket.pl page
Amit Gupta [Sun, 20 Aug 2017 15:23:06 +0000 (20:53 +0530)]
Bug 16069 - XSS issue in basket.pl page

1. Hit /cgi-bin/koha/acqui/basket.pl?basketno=xx<script>alert('amit')</script>
   xx - is a basketno
2. Notice the java script is executed.
3. Apply patch.
4. Reload page, and hit the page again /cgi-bin/koha/acqui/basket.pl?basketno==xx<script>alert('amit')</script>
   xx - is a basketno.
5. Notice it is no longer executed.

Fix for 16.11.x

7 years agoBug 18726: Fix XSS at the OPAC - biblionumber
Jonathan Druart [Wed, 9 Aug 2017 17:08:24 +0000 (14:08 -0300)]
Bug 18726: Fix XSS at the OPAC - biblionumber

The biblionumber parameter is sent by the user, we must escape all of
them to avoid XSS.

Fixes: Cross-site scripting OPAC pages
Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
7 years agoBug 19078 - XSS Flaws in System preferences
Amit Gupta [Thu, 10 Aug 2017 16:21:38 +0000 (21:51 +0530)]
Bug 19078 - XSS Flaws in System preferences

1. Hit /cgi-bin/koha/admin/preferences.pl
2. Enter <script>alert('amit')</script> in search system preferences box.
3. Notice the java script is executed.
4. Apply patch.
5. Reload page, and enter <script>alert('amit')</script> in search system preferences box.
6. Notice it is no longer executed.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
7 years agoBug 19054 - XSS Flaws in Report - Top Most-circulated items
Amit Gupta [Mon, 7 Aug 2017 17:04:05 +0000 (22:34 +0530)]
Bug 19054 - XSS Flaws in Report - Top Most-circulated items

1. Hit /cgi-bin/koha/reports/cat_issues_top.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in Callnumber, Day, Month, Year search box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Callnumber, Day, Month, Year search box.
6. Notice it is no longer executed.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
7 years agoBug 19052 - XSS Flaws in - Invoice search page
Amit Gupta [Mon, 7 Aug 2017 16:47:14 +0000 (22:17 +0530)]
Bug 19052 - XSS Flaws in - Invoice search page

1. Hit /cgi-bin/koha/acqui/invoices.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> Invoiceno,
   ISBN/EAN/ISSN, Title, Author, Publihser, Publication year search box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Invoiceno,
   ISBN/EAN/ISSN, Title, Author, Publihser, Publication year search box.
6. Notice it is no longer executed.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
7 years agoBug 19052 - XSS Flaws in vendor search page
Amit Gupta [Mon, 7 Aug 2017 16:34:30 +0000 (22:04 +0530)]
Bug 19052 - XSS Flaws in vendor search page

1. Hit /cgi-bin/koha/acqui/booksellers.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> vendor search box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on vendor search box.
6. Notice it is no longer executed.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
7 years agoBug 19051 - XSS Flaws in - Batch item modification page
Amit Gupta [Mon, 7 Aug 2017 16:13:56 +0000 (21:43 +0530)]
Bug 19051 - XSS Flaws in - Batch item modification page

1. Hit /cgi-bin/koha/tools/batchMod.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in the Barcode list (one barcode per line) text area.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Barcode list (one barcode per line) text area.
6. Notice it is no longer executed.
7. Fixes for both barcode and itemnumber.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
7 years agoBug 19051 - XSS Flaws in Batch item deletion page
Amit Gupta [Mon, 7 Aug 2017 15:54:44 +0000 (21:24 +0530)]
Bug 19051 - XSS Flaws in Batch item deletion page

1. Hit /cgi-bin/koha/tools/batchMod.pl?del=1
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in the Barcode list (one barcode per line) text area.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Barcode list (one barcode per line) text area.
6. Notice it is no longer executed.
7. Fixes for both barcode and itemnumber.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
7 years agoBug 19051 - XSS Flaws in - Batch record deletion page
Amit Gupta [Mon, 7 Aug 2017 15:38:36 +0000 (21:08 +0530)]
Bug 19051 - XSS Flaws in - Batch record deletion page

1. Hit /cgi-bin/koha/tools/batch_delete_records.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in the Record number list (one per line) text area.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Record number list (one per line) text area.
6. Notice it is no longer executed.
7. Fixes for both biblio and authority records.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
7 years agoBug 19050 - XSS Flaws in Quick spine label creator
Amit Gupta [Mon, 7 Aug 2017 15:19:56 +0000 (20:49 +0530)]
Bug 19050 - XSS Flaws in Quick spine label creator

1. Hit /cgi-bin/koha/labels/spinelabel-home.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> barcode text box.
3. Notice the iframe is executed
4. Apply patch
5. Reload page, and enter iframe again on barcode text box.
6. Notice it is no longer executed

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
7 years agoBug 19034: (followup 2) Fix letters.tt XSS flaw
Jonathan Druart [Tue, 15 Aug 2017 16:26:12 +0000 (13:26 -0300)]
Bug 19034: (followup 2) Fix letters.tt XSS flaw

7 years agoBug 19034: (followup) Fix letters.tt XSS flaw
Tomas Cohen Arazi [Mon, 7 Aug 2017 14:27:33 +0000 (11:27 -0300)]
Bug 19034: (followup) Fix letters.tt XSS flaw

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
7 years agoBug 19034: XSS Flaws in Z39.50/SRU servers administration
Amit Gupta [Fri, 4 Aug 2017 05:11:49 +0000 (10:41 +0530)]
Bug 19034: XSS Flaws in Z39.50/SRU servers administration

1. Hit /cgi-bin/koha/admin/z3950servers.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> search Z39.50/SRU servers box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on search Z39.50/SRU servers box.
6. Notice it is no longer executed.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
7 years agoBug 19034: XSS Flaws in Cities
Amit Gupta [Fri, 4 Aug 2017 05:08:12 +0000 (10:38 +0530)]
Bug 19034: XSS Flaws in Cities

1. Hit /cgi-bin/koha/admin/cities.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> search cities box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on search cities box.
6. Notice it is no longer executed.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
7 years agoBug 19034: XSS Flaws in Patron categories pages
Amit Gupta [Fri, 4 Aug 2017 05:04:19 +0000 (10:34 +0530)]
Bug 19034: XSS Flaws in Patron categories pages

1. Hit /cgi-bin/koha/admin/categories.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> search patron categories box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on search patron categories box.
6. Notice it is no longer executed.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
7 years agoBug 19033: XSS Flaws in Currencies and exchange page
Amit Gupta [Fri, 4 Aug 2017 04:14:52 +0000 (09:44 +0530)]
Bug 19033: XSS Flaws in Currencies and exchange page

1. Hit /cgi-bin/koha/admin/currency.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> search currencies box.
3. Notice the iframe is executed
4. Apply patch
5. Reload page, and enter iframe again on search currencies box.
6. Notice it is no longer executed

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Fixes the issue, follows common practice on the codebase.

7 years agoBug 19079 - XSS Flaws in Membership page
Amit Gupta [Fri, 11 Aug 2017 15:38:14 +0000 (21:08 +0530)]
Bug 19079 - XSS Flaws in Membership page

1. Hit /cgi-bin/koha/members/moremember.pl?borrowernumber=xx<script>alert('amit')</script>.
   xx - is a borrowernumber
2. Notice the java script is executed.
4. Apply patch.
5. Reload page, and hit the page again /cgi-bin/koha/members/moremember.pl?borrowernumber=xx<script>alert('amit')</script>.
   xx - is a borrowernumber.
6. Notice it is no longer executed.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
7 years agoBug 19105 - XSS Stored in holidays.pl
Amit Gupta [Tue, 15 Aug 2017 03:53:13 +0000 (09:23 +0530)]
Bug 19105 - XSS Stored in holidays.pl

To Test
1. Hit the page /cgi-bin/koha/tools/holidays.pl
2. Select the date
3. Add a text in the field Title and Description that contains js
4. Save the page.
5. Notice js is execute
6. Apply patch and reload, the js is escaped

Fixed for all holidays

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
7 years agoBug 19100 - XSS Flaws in memberentry.pl
Amit Gupta [Tue, 15 Aug 2017 17:52:32 +0000 (23:22 +0530)]
Bug 19100 - XSS Flaws in memberentry.pl

1. Hit /cgi-bin/koha/members/memberentry.pl?op=add&guarantorid=xx<script>alert('amit')</script>
   xx - is a guarantorid
2. Notice the java script is executed.
3. Apply patch.
4. Reload page, and hit the page again /cgi-bin/koha/members/memberentry.pl?op=add&guarantorid=xx<script>alert('amit')</script>
   xx - is a guarantorid.
5. Notice it is no longer executed.

NOTE: I had to test in Microsoft Edge, because Chrome was blocking XSS for me.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
7 years agoBug 19110 - XSS Stored in branches.pl
Amit Gupta [Tue, 15 Aug 2017 09:30:55 +0000 (15:00 +0530)]
Bug 19110 - XSS Stored in branches.pl

To Test
1. Hit the page /cgi-bin/koha/admin/branches.pl?op=add_form_category
2. Add a text in the field Name and description that contains js.
3. Save the page.
4. Notice js is execute
5. Apply patch and reload, the js is escaped

Fixed for js escaped execute for both pages

1. /cgi-bin/koha/admin/branches.pl?op=delete_confirm&branchcode=xx
   xx is branchcode
2. /cgi-bin/koha/admin/branches.pl?op=add_form with Group(s):

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
7 years agoBug 19112 - Stored XSS in basketheader.pl page
Amit Gupta [Tue, 15 Aug 2017 14:21:48 +0000 (19:51 +0530)]
Bug 19112 - Stored XSS in basketheader.pl page

To Test

1. Hit the page /cgi-bin/koha/acqui/basketheader.pl?booksellerid=1&op=add_form
2. Add a text in the field Basket name, Internal note, Vendor note that contains java script
3. Save the page
4. Notice js is execute
5. Apply patch, reload, js is escaped.

Fixed XSS on pages basket.pl/basketheader.pl/bookseller.pl

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
7 years agoBug 19114 - Stored XSS in parcels.pl
Amit Gupta [Tue, 15 Aug 2017 15:28:34 +0000 (20:58 +0530)]
Bug 19114 - Stored XSS in parcels.pl

Test
1. Hit the page /cgi-bin/koha/acqui/parcels.pl?booksellerid=xx
   xx is booksellerid
2. Add a text in the field Vendor invoice that contains java script
3. Save the page.
4. Notice js is execute
5. Apply patch and reload the js is escaped

Fixed XSS for parcels.pl/parcel.pl/orderreceive.pl

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
7 years agoBug 19035 - Stored XSS in lists.pl
Amit Gupta [Tue, 15 Aug 2017 03:03:41 +0000 (08:33 +0530)]
Bug 19035 - Stored XSS in lists.pl

To Test
1. Hit the page /cgi-bin/koha/patron_lists/lists.pl
2. Click on new patron list
3. Add a text in the field Name that contains js
4. Save the page.
5. Notice js is execute
6. Apply patch and reload, the js is escaped

Fixed in both the pages list.pl and list.pl?patron_list_id=xx
xx is patronlist id

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
7 years agoBug 18976: [16.11] Add missing use statement
Jonathan Druart [Tue, 1 Aug 2017 11:30:20 +0000 (08:30 -0300)]
Bug 18976: [16.11] Add missing use statement

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
7 years agoBug 18976: (follow-up) Fix t/db_dependent/Search/History.t cleanup
Lari Taskula [Mon, 24 Jul 2017 15:16:25 +0000 (18:16 +0300)]
Bug 18976: (follow-up) Fix t/db_dependent/Search/History.t cleanup

Same problem in t/db_dependent/Search/History.t.

To replicate:
1. Check the row count of borrowers, branches, categories, sessions, sms_providers
   tables
2. prove t/db_dependent/Search/History.t
3. Repeat step 1
4. Observe borrowers the following tables have increased in row count:
   - borrowers
   - branches
   - categories
   - sessions
   - sms_providers

To test:
1. Before applying the patch, go through steps at "To replicate" plan
2. Apply patch
3. Go through steps at "To replicate" plan
4. Observe step 4 no longer applies and those tables have the same number of
   rows as before executing the test.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
7 years agoBug 18976: Fix t/db_dependent/Auth.t cleanup
Lari Taskula [Mon, 24 Jul 2017 13:43:18 +0000 (16:43 +0300)]
Bug 18976: Fix t/db_dependent/Auth.t cleanup

Test t/db_dependent/Auth.t seems to have an ineffective test data cleanup.
Data generated by TestBuilder is left in borrowers, branches, categories,
sms_providers and sessions tables after the test.

To replicate:
1. Check the row count of borrowers, branches and categories tables
2. prove t/db_dependent/Auth.t
3. Repeat step 1
4. Observe borrowers the following tables have increased in row count:
   - borrowers
   - branches
   - categories
   - sessions
   - sms_providers

To test:
1. Before applying the patch, go through steps at "To replicate" plan
2. Apply patch
3. Go through steps at "To replicate" plan
4. Observe step 4 no longer applies and those tables have the same number of
   rows as before executing the test.

This issue has been happening in REST tests as well, and this solution is
directly copy-pasted from t/db_dependent/api/v1/cities.t

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
7 years agoBug 18632: Remove 'CGI::param called in list context' warnings
Jonathan Druart [Thu, 18 May 2017 20:42:02 +0000 (17:42 -0300)]
Bug 18632: Remove 'CGI::param called in list context' warnings

Once again, after bug 16154 and bug 16259 we need to remove more
occurrence of CGi->param called in list context.
Refer to bug 15809 for more information.

Test plan:
Make sure you do not see the error on the modified scripts.

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
7 years agoBug 18685: (bug 18551 follow-up) Fix patron toolbar
Jonathan Druart [Mon, 12 Jun 2017 14:38:59 +0000 (11:38 -0300)]
Bug 18685: (bug 18551 follow-up) Fix patron toolbar

Bug 18551 moves the way the filters are displayed and so the position of
the patron toolbar must be recalculated.

Test plan:
Edit patron's detail
open the filters, scrolldown
close the filters, scrolldown
=> The toolbar must be correctly placed

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
(cherry picked from commit 6ae6d4bcb5238b1ffc0a22cc1d83ac05ba982b92)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit a0043ec80d11d718b8ea13e69879e7d4309d011e)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18551: [16.11.x] followup - hide advanced filters in header, move hidding to...
Josef Moravec [Tue, 9 May 2017 13:33:52 +0000 (13:33 +0000)]
Bug 18551: [16.11.x] followup - hide advanced filters in header, move hidding to css file

Test plan:
The same as first patch, but also with advanced search form in header hidden
on page load - see comment 4

Issue with advanced search form is gone.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Philippe <philippe.audet-fortin@inlibro.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
7 years agoBug 18951: Adjust Isbd.t
Marcel de Rooy [Wed, 19 Jul 2017 11:59:45 +0000 (13:59 +0200)]
Bug 18951: Adjust Isbd.t

Add schema calls.
Remove an unneeded AddBiblio call.

Test plan:
Run t/db_dependent/Biblio/Isbd.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Lee Jamison <ldjamison@marywood.edu>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 40c719a5248877d200920c2c9a028e273a5f1370)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit ce8ddbf8ea7d463a822a70f474310b8b618d6347)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18951: Create data for TransformKohaToMarc.t
Marcel de Rooy [Wed, 19 Jul 2017 11:48:55 +0000 (13:48 +0200)]
Bug 18951: Create data for TransformKohaToMarc.t

Adding schema and caching statements.
Adjust it so that the Koha to MARC mappings are not assumed to be present,
but are created as needed.
Remove the mock on marcflavour. It is no longer needed.
Resolving a small typo.

Test plan:
Run t/db_dependent/Biblio/TransformKohaToMarc.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Lee Jamison <ldjamison@marywood.edu>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit f839955db707415368d23ae81bdb14505dd058ee)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 36c3bbedfe80a1a55f34aedb6931784da1043c84)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18951: Some t/Biblio tests are database dependent (git mv)
Marcel de Rooy [Wed, 19 Jul 2017 11:33:34 +0000 (13:33 +0200)]
Bug 18951: Some t/Biblio tests are database dependent (git mv)

Move Isbd.t and TransformKohaToMarc.t to db_dependent.
Next patch will add a few adjustments too.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Lee Jamison <ldjamison@marywood.edu>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 50bc4170cec172de04db2033d464c96348d5a508)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 216b13e51fbdaa0ede2eb3218338f955c6c2aa48)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18361: [SQUASHED FOR 16.11] Koha::Objects->find should accept composite primary...
Marcel de Rooy [Fri, 31 Mar 2017 11:52:15 +0000 (13:52 +0200)]
Bug 18361: [SQUASHED FOR 16.11] Koha::Objects->find should accept composite primary keys

Changes the $id parameter to an array. (IssuingRule has three keys.)
The build_object method in TestBuilder.pm has been adjusted to pass
multiple primary key values to find.

Also adjusted the POD section to show more clearly that we accept
the same parameters as DBIx ResultSet does.

Test plan:
Run t/db_dependent/Koha/Object.t
Run t/db_dependent/Koha/Objects.t
Run t/db_dependent/TestBuilder.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Bug 18361: Additional tests for Koha::Objects->find

Adding a subtest find in t/db_dependent/Koha/Objects.t.

Test plan:
Run t/db_dependent/Koha/Objects.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Bug 18361: (QA followup) Add tests for the no params case

This patch adds a test for the trivial case in which no param is passed
and the ->find method returns undef.

For completeness purposes.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Bug 18361: [QA Follow-up] Resolve warning on undef values supplied

The following warning was raised in Letters.t:
DBIx::Class::ResultSource::_minimal_valueset_satisfying_constraint():
NULL/undef values supplied for requested unique constraint 'primary' (NULL
values in column(s): 'id'). This is almost certainly not what you wanted,
though you can set DBIC_NULLABLE_KEY_NOWARN to disable this warning.

This warning is triggered by this line in C4/Letters.pm:
    Koha::SMS::Providers->find( $member->{'sms_provider_id'} );
As you already guessed, the sms_provider_id returns undef.

Resolved in sub find by testing if there are parameters and if so, they
should not be all undefined. (In most cases there will be only one
parameter; but this report is about composite keys.)

Added a trivial test case in Objects.t too.

Test plan:
Run t/db_dependent/Koha/Object.t
Run t/db_dependent/Koha/Objects.t
Run t/db_dependent/Letters.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
7 years agoBug 18539 - Follow-up - RMaint missed a merge marker...
Katrin Fischer [Wed, 16 Aug 2017 20:38:57 +0000 (22:38 +0200)]
Bug 18539 - Follow-up - RMaint missed a merge marker...

7 years agoBug 18539: remove occurrence in ReNewSubscription.t
Jonathan Druart [Thu, 15 Jun 2017 18:46:17 +0000 (15:46 -0300)]
Bug 18539: remove occurrence in ReNewSubscription.t

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit ad7ff09b995e5275f2c6d664b31351321b1674af)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 6e26bd0567c29b990eb8c786c2dc530afdd8b598)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18539: Forbid list context calls for Koha::Objects->find
Jonathan Druart [Tue, 18 Apr 2017 16:49:18 +0000 (13:49 -0300)]
Bug 18539: Forbid list context calls for Koha::Objects->find

Reading https://perlmaven.com/how-to-return-undef-from-a-function
this sound like the more correct behaviour.

Considering:
$template->param(
    stuff => Koha::Stuffs->find( $id ),
    foo   => 1,
);
without this patch, if the $id does not represent any rows in the DB,
stuff will be assigned to 'foo' and $foo will be undef in the template.
That can lead to very bad side-effects.

With this patch we make sure that it will never happen again.

Test plan:
  prove t/db_dependent/Koha/Objects.t
should return green

Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 15cbf14f4d4f8039ad7820ce37da202b19e0075d)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 5a2604144f114d242d7e4860603fd4811937f44c)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18367 - (QA Followup) Only warn if doing a lookup and not having an item
Nick Clemens [Fri, 28 Jul 2017 11:38:33 +0000 (11:38 +0000)]
Bug 18367 - (QA Followup) Only warn if doing a lookup and not having an item

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 1b73cae6eb4ce7e7ca675d6db84fe8ce0cd2f499)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 1da77ea584bcc2a2878106b6bc174b21bb0837ff)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18367 - Fix untranslatable string from Bug 18264
Nick Clemens [Tue, 11 Apr 2017 20:09:27 +0000 (16:09 -0400)]
Bug 18367 - Fix untranslatable string from Bug 18264

Restore display of message when no barcode found

To test:
1 - Go to course reserves
2 - Add an item to a course
3 - Try adding an invalid barcode - should get an alert
4 - Try force adding an item with itemnumber:
    http://localhost:8081/cgi-bin/koha/course_reserves/add_items.pl?op=lookpup&course_id=11&itemnumber=1234523546
5 - Should recieve an error

Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 1fc3751804146e92c0d8d85517ffcd6ec338808e)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 456e849ec29e9a5b1499ea8e492dc157b381f8d5)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18991: [QA Follow-up] Use schema txn_begin and txn_rollback
Marcel de Rooy [Fri, 28 Jul 2017 09:58:24 +0000 (11:58 +0200)]
Bug 18991: [QA Follow-up] Use schema txn_begin and txn_rollback

We also need just one rollback at the end here.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit e5e5402f36c923775b341bd1900aa6468d42aa9a)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 9908a18e927c8b6f1d8c8959d070605f0680afa1)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18991: Fix cleanup in t/db_dependent/Log.t
Lari Taskula [Thu, 27 Jul 2017 14:56:18 +0000 (14:56 +0000)]
Bug 18991: Fix cleanup in t/db_dependent/Log.t

There is an action_logs entry via logaction() without transaction to be rolled
back in t/db_dependent/Log.t. This leaves an entry in action_logs after
the test is over.

To replicate:
1. prove t/db_dependent/Log.t
2. Observe a new entry in action_logs table

To test:
1. Apply patch
2. prove t/db_dependent/Log.t
3. Observe there are no new entries in action_logs

Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit f49f5a67d3512ea75d92cb551ebd79a9de7e53d7)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 2af6365fc66a0dcb6246d90432c3998bac8bf43f)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 19000: Fix typo in closing p tag for items
Marcel de Rooy [Fri, 28 Jul 2017 05:56:21 +0000 (07:56 +0200)]
Bug 19000: Fix typo in closing p tag for items

Close the p tag and add a br tag to visually divide the two sections
Data problems and Warnings regarding system configuration.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Discovered the problem when testing a duplicate key in deleteditems.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 3c87b6f387831053e01ecc86b91d61669af9696b)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 37097ee7f6f462193eefd4d51d4142b6ce59a8a9)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
7 years agoBug 18545: Re-add call to enableCheckboxActions
Jonathan Druart [Mon, 24 Jul 2017 17:25:21 +0000 (14:25 -0300)]
Bug 18545: Re-add call to enableCheckboxActions

This call is used to refresh the page correctly

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 37fc0d817d46d21897015a8e1df754b59ba477a6)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 2586f7f8462a28dc7f3078576ac2b9faa40e426c)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>