From 45aa375aae1ab7c1ca453ad838b37160371df845 Mon Sep 17 00:00:00 2001 From: Galen Charlton Date: Sun, 28 Jul 2013 02:48:44 +0000 Subject: [PATCH] do some validation of the KohaOpacRecentSearches cookie Add validation of the value of the KohaOpacRecentSearches. In particular, this patch avoids the generation of an internal server error when the OPAC is presented with an old cookie that uses the old Storable-based serialization. This patch also moves parsing of the cookie value into a new routine in C4::Auth, ParseSearchHistoryCookie, and adds a test case. To test (in conjunction with the previous patch): Exercise the OPAC search history functionality, after turning on the EnableOpacSearchHistory syspref: - As an anonymous user, conduct a variety of searches, including ones that include non-ASCII characters - Check the search history and verify that all searches are listed - Apply this patch and the previous one. - Do *not* clear the KohaOpacRecentSearches cookie - Check the search history and verify that no searches are listed any more - As an anonymous user, conduct a variety of searches, including ones that include non-ASCII characters - Check the search history and verify that all searches are listed - Log into the OPAC - Verify that current and past searches are listed in search history. Signed-off-by: Galen Charlton --- C4/Auth.pm | 27 ++++++++++--------- opac/opac-search-history.pl | 8 ++---- opac/opac-search.pl | 13 ++-------- t/Auth_ParseSearchHistoryCookie.t | 43 +++++++++++++++++++++++++++++++ 4 files changed, 62 insertions(+), 29 deletions(-) create mode 100644 t/Auth_ParseSearchHistoryCookie.t diff --git a/C4/Auth.pm b/C4/Auth.pm index 1a1eda83e9..dbed7b8add 100644 --- a/C4/Auth.pm +++ b/C4/Auth.pm @@ -41,7 +41,9 @@ BEGIN { $debug = $ENV{DEBUG}; @ISA = qw(Exporter); @EXPORT = qw(&checkauth &get_template_and_user &haspermission &get_user_subpermissions); - @EXPORT_OK = qw(&check_api_auth &get_session &check_cookie_auth &checkpw &get_all_subpermissions &get_user_subpermissions); + @EXPORT_OK = qw(&check_api_auth &get_session &check_cookie_auth &checkpw &get_all_subpermissions &get_user_subpermissions + ParseSearchHistoryCookie + ); %EXPORT_TAGS = (EditPermissions => [qw(get_all_subpermissions get_user_subpermissions)]); $ldap = C4::Context->config('useldapserver') || 0; $cas = C4::Context->preference('casAuthentication'); @@ -246,10 +248,7 @@ sub get_template_and_user { # And if there's a cookie with searches performed when the user was not logged in, # we add them to the logged-in search history - my $searchcookie = $in->{'query'}->cookie('KohaOpacRecentSearches'); - if ($searchcookie){ - $searchcookie = uri_unescape($searchcookie); - my @recentSearches = @{decode_json($searchcookie) || []}; + my @recentSearches = ParseSearchHistoryCookie($in->{'query'}); if (@recentSearches) { my $sth = $dbh->prepare($SEARCH_HISTORY_INSERT_SQL); $sth->execute( $borrowernumber, @@ -271,7 +270,6 @@ sub get_template_and_user { } } } - } else { # if this is an anonymous session, setup to display public lists... # load the template variables for stylesheets and JavaScript @@ -299,16 +297,11 @@ sub get_template_and_user { # Anonymous opac search history # If opac search history is enabled and at least one search has already been performed if (C4::Context->preference('EnableOpacSearchHistory')) { - my $searchcookie = $in->{'query'}->cookie('KohaOpacRecentSearches'); - if ($searchcookie){ - $searchcookie = uri_unescape($searchcookie); - my @recentSearches = @{decode_json($searchcookie) || []}; - # We show the link in opac + my @recentSearches = ParseSearchHistoryCookie($in->{'query'}); if (@recentSearches) { $template->param(ShowOpacRecentSearchLink => 1); } } - } if(C4::Context->preference('dateformat')){ if(C4::Context->preference('dateformat') eq "metric"){ @@ -1593,6 +1586,16 @@ sub getborrowernumber { return 0; } +sub ParseSearchHistoryCookie { + my $input = shift; + my $search_cookie = $input->cookie('KohaOpacRecentSearches'); + return () unless $search_cookie; + my $obj = eval { decode_json(uri_unescape($search_cookie)) }; + return () unless defined $obj; + return () unless ref $obj eq 'ARRAY'; + return @{ $obj }; +} + END { } # module clean-up code here (global destructor) 1; __END__ diff --git a/opac/opac-search-history.pl b/opac/opac-search-history.pl index 9331e6e8b7..35ec54e66f 100755 --- a/opac/opac-search-history.pl +++ b/opac/opac-search-history.pl @@ -20,7 +20,7 @@ use strict; use warnings; -use C4::Auth qw(:DEFAULT get_session); +use C4::Auth qw(:DEFAULT get_session ParseSearchHistoryCookie); use CGI; use JSON qw/decode_json encode_json/; use C4::Context; @@ -67,10 +67,7 @@ if (!$loggedinuser) { # Showing search history } else { - # Getting the cookie - my $searchcookie = $cgi->cookie('KohaOpacRecentSearches'); - if ($searchcookie && decode_json(uri_unescape($searchcookie))) { - my @recentSearches = @{decode_json(uri_unescape($searchcookie))}; + my @recentSearches = ParseSearchHistoryCookie($cgi); if (@recentSearches) { # As the dates are stored as unix timestamps, let's do some formatting @@ -93,7 +90,6 @@ if (!$loggedinuser) { $template->param(recentSearches => \@recentSearches); } } - } } else { # And if the user is logged in, we deal with the database diff --git a/opac/opac-search.pl b/opac/opac-search.pl index 488e98fa0d..d5a52ef2bd 100755 --- a/opac/opac-search.pl +++ b/opac/opac-search.pl @@ -28,7 +28,7 @@ use warnings; ## load Koha modules use C4::Context; use C4::Output; -use C4::Auth qw(:DEFAULT get_session); +use C4::Auth qw(:DEFAULT get_session ParseSearchHistoryCookie); use C4::Languages qw(getAllLanguages); use C4::Search; use C4::Biblio; # GetBiblioData @@ -475,16 +475,7 @@ for (my $i=0;$i<@servers;$i++) { # Opac search history my $newsearchcookie; if (C4::Context->preference('EnableOpacSearchHistory')) { - my @recentSearches; - - # Getting the (maybe) already sent cookie - my $searchcookie = $cgi->cookie('KohaOpacRecentSearches'); - if ($searchcookie){ - $searchcookie = uri_unescape($searchcookie); - if (decode_json($searchcookie)) { - @recentSearches = @{decode_json($searchcookie)}; - } - } + my @recentSearches = ParseSearchHistoryCookie($cgi); # Adding the new search if needed if (!$borrowernumber || $borrowernumber eq '') { diff --git a/t/Auth_ParseSearchHistoryCookie.t b/t/Auth_ParseSearchHistoryCookie.t new file mode 100644 index 0000000000..507ac91b71 --- /dev/null +++ b/t/Auth_ParseSearchHistoryCookie.t @@ -0,0 +1,43 @@ +#!/usr/bin/perl + +use strict; +use warnings; + +use Test::More tests => 3; + +use_ok('C4::Auth', qw/ParseSearchHistoryCookie/); + +my $valid_cookie = "%5B%7B%22time%22%3A1374978877%2C%22query_cgi%22%3A%22idx%3D%26q%3Dhistory%26branch_group_limit%3D%22%2C%22total%22%3A2%2C%22query_desc%22%3A%22kw%2Cwrdl%3A%20history%2C%20%22%7D%5D"; +my $expected_recent_searches = [ + { + 'time' => 1374978877, + 'query_cgi' => 'idx=&q=history&branch_group_limit=', + 'total' => 2, + 'query_desc' => 'kw,wrdl: history, ' + } +]; + +my $input = CookieSimulator->new($valid_cookie); +my @recent_searches = ParseSearchHistoryCookie($input); +is_deeply(\@recent_searches, $expected_recent_searches, 'parsed valid search history cookie value'); + +# simulate bit of a Storable-based search history cookie +my $invalid_cookie = "%04%08%0812345"; +$input = CookieSimulator->new($invalid_cookie); +@recent_searches = ParseSearchHistoryCookie($input); +is_deeply(\@recent_searches, [], 'got back empty search history list if given invalid cookie'); + +package CookieSimulator; + +sub new { + my ($class, $str) = @_; + my $val = [ $str ]; + return bless $val, $class; +} + +sub cookie { + my $self = shift; + return $self->[0]; +} + +1; -- 2.39.5