From e1905b08362472ed94dac09d6f9ff2163b5ddf7a Mon Sep 17 00:00:00 2001
From: Aleisha Amohia
Date: Tue, 5 Sep 2017 22:34:18 +0000
Subject: [PATCH] Bug 19258: Prevent warns when writing off an individual fine

The following warns are triggered when I click the Write Off button next to an individual fine or charge: CGI::param called in list context from package CGI::Compile::ROOT::home_vagrant_kohaclone_members_pay_2epl line 171, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 436. (this shows many times) Use of uninitialized value in subroutine entry at /usr/share/perl5/URI/Escape.pm line 184. To test: 1) Go to a members detail page in staff side and create a manual invoice 2) Go to the pay fines tab, click the Write off button next to the invoice you just created 3) Notice warns 4) Apply patch and repeat steps 1 & 2 5) Warns should be gone
Sponsored-by: Catalyst IT
Signed-off-by: Mark Tompsett
Signed-off-by: Jonathan Druart
Signed-off-by: Jonathan Druart
(cherry picked from commit 693cc1122b2b96ef2fc176b07371a4608104eaaf)
Signed-off-by: Fridolin Somers
---
members/pay.pl | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/members/pay.pl b/members/pay.pl
index 3400ee0667..a872214c01 100755
--- a/members/pay.pl
+++ b/members/pay.pl
@@ -159,7 +159,10 @@ sub add_accounts_to_template {
 sub get_for_redirect {
 my ( $name, $name_in, $money ) = @_;
 my $s = q{&} . $name . q{=};
- my $value = uri_escape_utf8( $input->param($name_in) );
+ my $value;
+ if (defined $input->param($name_in)) {
+ $value = uri_escape_utf8( scalar $input->param($name_in) );
+ }
 if ( !defined $value ) {
 $value = ( $money == 1 ) ? 0 : q{};
 }
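Review bot: The new guard in get_for_redirect fetches the same request parameter twice, once as the operand of `defined` and again under `scalar` on the next line, so each redirect field costs two CGI::param calls and the reader has to check that both are in scalar context. Fetching it once into a lexical keeps the defined check and the scalar-context fix in one place: `my $raw = scalar $input->param($name_in);` followed by `my $value = defined $raw ? uri_escape_utf8($raw) : undef;`, after which the existing `if ( !defined $value )` fallback applies unchanged. Whether `defined` alone imposes scalar context on the method call is easy to misread at a glance; naming the scalar value first removes the question and keeps the list-context warning the commit message describes from coming back through that path.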
@@ -187,7 +190,7 @@ sub redirect_to_paycollect {
 $redirect .= get_for_redirect( 'notify_id', "notify_id$line_no", 0 );
 $redirect .= get_for_redirect( 'notify_level', "notify_level$line_no", 0 );
 $redirect .= get_for_redirect( 'accountlines_id', "accountlines_id$line_no", 0 );
- $redirect .= q{&} . 'payment_note' . q{=} . uri_escape_utf8( $input->param("payment_note_$line_no") );
+ $redirect .= q{&} . 'payment_note' . q{=} . uri_escape_utf8( scalar $input->param("payment_note_$line_no") );
 $redirect .= '&remote_user=';
 $redirect .= $user;
 return print $input->redirect($redirect);
--
2.39.5
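Review bot: The added `scalar` on the payment_note line silences the list-context warning but not the second warning quoted in the commit message: when `payment_note_$line_no` is absent from the request, `uri_escape_utf8` still receives undef and URI::Escape emits "Use of uninitialized value", which the first hunk guards against with `defined` and this one does not. A defined-or default keeps the query string well-formed and removes the warning: `uri_escape_utf8( scalar( $input->param("payment_note_$line_no") ) // q{} )`. Whether the form always submits that field cannot be told from the hunk, so the default matters only if it can be omitted; redirect_to_paycollect begins outside the hunk.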