From 9d6ca5e67ae657ff4957d759df4aaa11a2437b2c Mon Sep 17 00:00:00 2001
From: Chris Cormack <chris@bigballofwax.co.nz>
Date: Mon, 13 May 2024 02:26:13 +0000
Subject: [PATCH] Bug 36520: Sanitize input in opac-sendbasket.pl

To test
1/ Add some items to your cart in the opac
2/ Choose send cart
3/ Open firefox developer tools and switch to the network tab
4/ Send cart
5/ In the network tab, find the post request and choose copy as curl
6/ Edit the curl command to add )+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))x)--+-  to the bib_list parameter
7/ Run the curl notice it takes a long time to respond, if you want to check run the curl without the above part added
8/ Apply the patch and restart plack
9/ Run the modified curl and notice no longer the slow down
10/ Test in browser and make sure the basket is still sent

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
---
 opac/opac-sendbasket.pl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/opac/opac-sendbasket.pl b/opac/opac-sendbasket.pl
index 5708d67cc0..d9cfbe7f9e 100755
--- a/opac/opac-sendbasket.pl
+++ b/opac/opac-sendbasket.pl
@@ -60,6 +60,7 @@ if ( $email_add ) {
     my @bibs = split( /\//, $bib_list );
     my $iso2709;
     foreach my $bib (@bibs) {
+        $bib = int($bib);
         my $biblio = Koha::Biblios->find($bib) or next;
         $iso2709 .= $biblio->metadata->record->as_usmarc();
     }
-- 
2.39.5