From e05e8762ad34cf4cc5b6aa1754f99dc6cf3468bf Mon Sep 17 00:00:00 2001
From: Aleisha Amohia
Date: Tue, 5 Sep 2017 22:38:12 +0000
Subject: [PATCH] Bug 19258: Preventing warns when paying a fine or charge from Pay selected button The following warns are triggered when I click the Pay selected button: CGI::param called in list context from package CGI::Compile::ROOT::home_vagrant_kohaclone_members_pay_2epl line 267, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at usr/share/perl5/CGI.pm line 436. CGI::param called in list context from package CGI::Compile::ROOT::home_vagrant_kohaclone_members_pay_2epl line 273, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 436. To test: 1) Go to a members detail page in staff side and create a manual invoice 2) Go to the pay fines tab, select the fine you just created and click Pay selected 3) Notice warns 4) Apply patch and repeat steps 1 & 2 5) Warns should be gone
Sponsored-by: Catalyst IT
Signed-off-by: Mark Tompsett
Signed-off-by: Jonathan Druart
Signed-off-by: Jonathan Druart
(cherry picked from commit ddf494b18f6c422d3654b0a78a63be86f5356065)
Signed-off-by: Fridolin Somers
---
 members/pay.pl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/members/pay.pl b/members/pay.pl
index a872214c01..529572d3f5 100755
--- a/members/pay.pl
+++ b/members/pay.pl
@@ -255,13 +255,13 @@ sub payselected {
 foreach (@params) {
 if (/^incl_par_(\d+)$/) {
 my $index = $1;
- push @lines_to_pay, $input->param("accountlines_id$index");
+ push @lines_to_pay, scalar $input->param("accountlines_id$index");
 $amt += $input->param("amountoutstanding$index");
 }
 }
 $amt = '&amt=' . $amt;
 my $sel = '&selected=' . join ',', @lines_to_pay;
- my $notes = '¬es=' . join("%0A", map { $input->param("payment_note_$_") } @lines_to_pay );
+ my $notes = '¬es=' . join("%0A", map { scalar $input->param("payment_note_$_") } @lines_to_pay );
 my $redirect =
 "/cgi-bin/koha/members/paycollect.pl?borrowernumber=$borrowernumber"
 . $amt
-- 2.39.5
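Review bot: The payment notes joined into `$notes` still go into the query string without URL-escaping, so a note containing `&`, `#` or `%` can alter or truncate the parameters that paycollect.pl receives, assuming `$notes` is appended to `$redirect` below the hunk. Escaping each value inside the map would close this, e.g. `map { uri_escape_utf8( scalar $input->param("payment_note_$_") // '' ) } @lines_to_pay`, with `use URI::Escape;` added if the file does not already load it. The `// ''` matters because `scalar` now yields undef for a missing parameter where list context yielded an empty list, which trades the CGI warning for an uninitialized-value warning in `join`; the same applies to the `accountlines_id$index` push, where an undef entry would also end up in `$sel`. The body of `payselected` starts before this hunk and continues past it.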