From 09ae62a758d44d669caf0ad095232af4287201a4 Mon Sep 17 00:00:00 2001
From: Andreas Roussos
Date: Fri, 26 Jan 2018 14:12:47 +1300
Subject: [PATCH] Bug 20083 - Information disclosure when (mis)using the MARC Preview feature

The MARC Preview feature in the Staff client (catalogue/showmarc.pl) does not check whether a user is logged in or not. As a consequence, it can be used to obtain information that would normally be available to logged-in users only. For example, you can view any bibliographic record by passing a value to the 'id' argument, but you can also view records as they were imported (normally done via the 'Staged MARC management' tool).

All three 17.11 installations currently listed at https://wiki.koha-community.org/wiki/Koha_Demo_Installations are affected by this issue, as demonstrated by the URLs below:

http://koha.adminkuhn.ch:8080/cgi-bin/koha/catalogue/showmarc.pl?importid=1&viewas=html
http://pro.demo1711-koha.test.biblibre.eu/cgi-bin/koha/catalogue/showmarc.pl?id=1000&viewas=html
https://staff-kohademo.equinoxinitiative.org/cgi-bin/koha/catalogue/showmarc.pl?id=1&viewas=html

It should be noted that this only applies to XSLT-enabled installations.

Signed-off-by: Mark Tompsett
Signed-off-by: Marcel de Rooy
Signed-off-by: Nick Clemens
(cherry picked from commit 095a92a94e87cac0c8bdf79f2413fb72efb13f9e)
Signed-off-by: Fridolin Somers
---
 catalogue/showmarc.pl | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/catalogue/showmarc.pl b/catalogue/showmarc.pl
index a48a85260b..4d44748a22 100755
--- a/catalogue/showmarc.pl
+++ b/catalogue/showmarc.pl
@@ -37,6 +37,17 @@ use C4::ImportBatch;
 use C4::XSLT ();
 my $input= new CGI;
+my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
+ {
+ template_name => "catalogue/showmarc.tt",
+ query => $input,
+ type => "intranet",
+ authnotrequired => 0,
+ flagsrequired => { catalogue => 1 },
+ debug => 1,
+ }
+);
+
 my $biblionumber= $input->param('id');
 my $importid= $input->param('importid');
 my $view= $input->param('viewas')||'';
@@ -70,16 +81,6 @@ if($view eq 'card' || $view eq 'html') {
 Encode::encode_utf8(C4::XSLT::engine->transform($xml, $xsl));
 }
 else {
- my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
- {
- template_name => "catalogue/showmarc.tt",
- query => $input,
- type => "intranet",
- authnotrequired => 0,
- flagsrequired => { catalogue => 1 },
- debug => 1,
- }
- );
 $template->param( MARC_FORMATTED => $record->as_formatted );
 output_html_with_http_headers $input, $cookie, $template->output;
 }
-- 
2.39.5
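Review bot: The hoisted `get_template_and_user` call gates both the `id` and the `importid` paths behind the same `flagsrequired => { catalogue => 1 }`, even though the commit message says the `importid` view exposes staged-import records that are normally reached through the Staged MARC management tool. If that tool is guarded by its own `tools` permission rather than plain catalogue access (not visible in this hunk — confirm against the tool's own auth call), a staff user holding only catalogue rights can still read any staged batch via `?importid=`, so reading `importid` before the auth call and selecting `flagsrequired` to match the tool's flag when it is present would close that gap. Separately, `debug => 1` carried over from the removed call now runs on every request path; unless something depends on it, drop it to `debug => 0` or remove the key.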