From 4c3a6c39100947eda290f3f61d0be0733322843c Mon Sep 17 00:00:00 2001
From: Marcel de Rooy
Date: Thu, 16 May 2024 07:19:30 +0000
Subject: [PATCH] Bug 36875: Do not pass unsanitized language to $page->translated_content
Test plan: Try to access opac-page.pl with a language not in OPACLanguages. Verify that this 'language' was not passed to sql. Simplest perhaps by debugging AdditionalContent.pm. Something like:
sub translated_content {
my ( $self, $lang ) = @_;
+warn "L137: $lang";
Now have a public additional_contents page and hit it: /cgi-bin/koha/opac-page.pl?page_id=5&language=badsql
Check your log and find: [2024/05/16 07:25:53] [WARN] L137: en at [etc] line 137. So badsql was caught.
Signed-off-by: Marcel de Rooy
Signed-off-by: Victor Grousset/tuxayo
Signed-off-by: Martin Renvoize
Signed-off-by: Katrin Fischer
---
 opac/opac-page.pl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/opac/opac-page.pl b/opac/opac-page.pl
index 5854160dbb..0a35c21433 100755
--- a/opac/opac-page.pl
+++ b/opac/opac-page.pl
@@ -35,7 +35,6 @@ my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
 );
 my $page_id = $query->param('page_id');
-my $lang = $query->param('language');
 my $homebranch = $ENV{OPAC_BRANCH_DEFAULT};
 if (C4::Context->userenv) {
@@ -49,7 +48,8 @@ if ( !$page || $page->category ne 'pages' || $page->branchcode && $page->branchc
 exit;
 }
-my $content = $page->translated_content( $lang || C4::Languages::getlanguage($query) );
+# Sanitize $query->param('language') via getlanguage
+my $content = $page->translated_content( C4::Languages::getlanguage($query) );
 $template->param( page => $content );
-- 
2.39.5
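Review bot: The new `my $content = $page->translated_content( C4::Languages::getlanguage($query) );` line in the second hunk is safe only because `getlanguage` maps an unknown `language` parameter to an enabled language (the test plan shows `badsql` arriving as `en`), so the call site now depends on that helper's validation rather than on any check at the sink; the `translated_content` method in AdditionalContent.pm, which is outside this diff, still accepts whatever `$lang` string other callers pass. It would be worth adding the same guard inside `translated_content` (reject a `$lang` that is not in the configured language list, or that fails an anchored pattern such as `/\A[A-Za-z][A-Za-z_-]*\z/`) so the query is protected regardless of caller. The added comment would also read better if it named the property relied on, e.g. `# Never pass the raw 'language' CGI param; getlanguage() only returns an enabled OPAC language`. The first hunk's removal of `$lang` is consistent with this, since the old `$lang || ...` fallback only consulted getlanguage when the raw parameter was empty.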