Security Bugfix: Bug 1953 Adding Placeholders to SQL To Avoid Potential Injection Attacks
This patch addresses both security issues mentioned in the summary of the report
submitted by Frère Sébastien Marie included below.
---------------------------
The problem is here: 'C4/AuthoritiesMarc.pm' in the function 'DelAuthority':
The argument $authid is included directly (not via statement) in the SQL.
For the exploit of this problem, you can use 'authorities/authorities-home.pl'
with authid on the URL and op=delete (something like
"authorities/authorities-home.pl?op=delete&authid=xxx").
This should successfully call DelAuthority, without authentification...
(DelAuthority is call BEFORE get_template_and_user, so before authentification
[This should be an issue also...]).
Please note that the problem isn't only that anyone can delete an authority of
this choose, it is more general: with "authid=1%20or%1=1" (after inclusion sql
will be like: "delete from auth_header where authid=1 or 1=1") you delete all
authorities ; with "authid=1;delete%20from%xxx" it is "delete from auth_header
where authid=1;delete from xxx" and so delete what you want...
SQL-INJECTION is very permissive: you can redirect the output in a file (with
some MySQL function), so write thea file of you choose in the server, in order
to create a backdoor, and compromise the server.
Signed-off-by: Frère Sébastien Marie <semarie-koha@latrappe.fr> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Colin Campbell [Mon, 21 Feb 2011 16:18:59 +0000 (16:18 +0000)]
Bug 3550 : Display changes needed in opac-results-grouped too
Change to how subfield is derived had not been implemented in
opac-results-grouped causing ARRAY(hexnumber) to follow all titles
Replace template ref to scalar with an array
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Marcel de Rooy [Sat, 19 Feb 2011 06:51:17 +0000 (01:51 -0500)]
Bug 5782: Add warning when ordering a duplicate record from external source
Enhancement for Acquisitions/ordering from external source.
Koha already checked for duplicates, but this patch warns the user. Offers the choice to use existing record, use new record or return without making an order.
The new template is added for this interaction with the user.
Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Paul Poulain [Wed, 15 Dec 2010 19:29:50 +0000 (20:29 +0100)]
NormalizeString POD Fixing and variable renaming
POD was mistakenly telling that NFD was supposed to be the default
encoding. In fact, it is not, it is NFC.
So the variable $nfc to change to the not default encoding was misleading.
Renaming it into $nfd
(written by hdl)
Refactored by Chris Cormack
Signed-off-by: Davi <davi@gnu.org> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Owen Leonard [Mon, 14 Feb 2011 07:49:07 +0000 (07:49 +0000)]
Follow-up fix for Bug 5462, Fix variable names so we dont break template::toolkit
A change was made to MARCdetail.tmpl without making a corresponding
change to MARCdetail.pl. I've reworked the original change so that
both can work together.
0XX --> tab0XX
Apparently TMPL variables can't start with a number now?
MR: Recreated patch file to recover failure to apply.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Ian Walls [Sat, 12 Feb 2011 22:19:23 +0000 (17:19 -0500)]
Follow up on Bug 5462: fixing variable names breaks messaging preference form
The messaging prefs form was hardcoded to use 'transport-$transport_type', rather than
'transport_$transport_type'. The result was an uneditable messaging preferences form.
Signed-off-by: Nicole Engard <nengard@bywatersolutions.com> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Owen Leonard [Sun, 13 Feb 2011 01:55:09 +0000 (20:55 -0500)]
Follow-up fix for Bug 5760 - Add the jquery table sorter to reading record
- Removing option to show 50 items/show all from script and template
- Adding parser to exclude articles in title sort (en only, see Bug 5766)
- Setting default sort to 'date due descending' as it was previously
Signed-off-by: Nicole Engard <nengard@bywatersolutions.com> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Owen Leonard [Fri, 11 Feb 2011 04:52:26 +0000 (23:52 -0500)]
Follow-up fix for Bug 2170 - Adding 'edititems' user-permission
Save button and duplicate confirmation redirects must respect
the edititems permission: Users without permission to edit items
should not be redirected to the edit items screen.
Signed-off-by: Nicole Engard <nengard@bywatersolutions.com> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Marcel de Rooy [Thu, 10 Feb 2011 17:12:17 +0000 (17:12 +0000)]
Bug 5736: Fixing some zebra configuration errors in marc21/biblios/record.abs
Lines like melm 999 should ALWAYS follow the lines for subfields 999a, 999b etc.
This is currently not the case for 410 411 490 611 710 785 and 800.
Found this since I could not find back the contents of 710$9 fields.
Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
D Ruth Bavousett [Fri, 11 Feb 2011 01:22:27 +0000 (20:22 -0500)]
Bug 5230: Call number ranges in export don't give expected results.
If you entered low number and high number, you got only items that *exactly* matched either entry (if any).
If you enter only a low number, you got everying *lower* than that.
If you enter only a high number, you get everything *higher* than that.
This was a greater-than-less-than problem.
Signed-off-by: Nicole Engard <nengard@bywatersolutions.com> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Koustubha Kale [Tue, 8 Feb 2011 15:49:00 +0000 (10:49 -0500)]
Adding id tags to some OPAC templates.
Many of the templates in OPAC, which deal with users data eg opac-account.tmpl, opac-passwd.tmpl etc do not have a id for the container div,
like opac-user.tmpl has an id userdetail. Having these id's makes it easier to customize with css.
This patch adds id's to most of the <div class="container"> tags.
Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Marcel de Rooy [Mon, 7 Feb 2011 14:27:58 +0000 (09:27 -0500)]
Bug 5701: Distinction between authors/additional authors in staff normal view (MARC21/XSLT)
At this time all entries in 100/110/111 and 700/710/711 are shown together.
We want to see the difference between an author and an added entry. (The 700
author could for instance be an illustrator.)
To this end we like to see the eventual relator code or term in $4 or $e too
(displayed between brackets after the name).
In the patch the code for authors is moved to a template routine at the end of
the xslt stylesheet.
Signed-off-by: Nicole Engard <nengard@bywatersolutions.com> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Owen Leonard [Mon, 7 Feb 2011 22:09:01 +0000 (17:09 -0500)]
Follow-up correction for Bug 5462 - Fix variable names for template::toolkit
Previous commit modified checks for the item-level_itypes preference
to look for a different variable name but didn't update where that
variable is set in Auth.pm.
Other scripts perform a direct check of item-level_itypes and must
continue to use the name of the variable in the database.
Signed-off-by: Ian Walls <ian.walls@bywatersolutions.com> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Paul Poulain [Wed, 15 Dec 2010 19:38:23 +0000 (20:38 +0100)]
Bug 5700: MT4004 : additem.pl Some Status were not defaulted to the correct value Status 0 was lost because test was done on value and not on the fact that a value was defined or not. when value is 0 then it was not used as default value for
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Now if IndependantBranches is on and a user try to delete all items, only the items of his branch will be deleted.
A message explain this fact.
Signed-off-by: Chris Nighswonger <cnighswonger@foundations.edu>
Followup: (MT #1365) Fixing up the English idiom Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
MT3947: items.timestamp were not updated on edition
If items.timestamp is used in the framework and hidden
the fact that it is NOT deleted before update is done would input the previous timestamp,
which is not the desired behaviour.
Signed-off-by: Chris Nighswonger <cnighswonger@foundations.edu> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Owen Leonard [Tue, 17 Aug 2010 16:58:33 +0000 (12:58 -0400)]
Fix for Bug 3319 - Need error message when adding patron and libraries are defined
- Hiding patron add toolbar when branches or categories are undefined
- Blocking patron entry form if branches or categories are undefined
- Removing nonfunctional template logic for displaying missing category
error message.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Bug 3212 Force leader 9 position to 'a' for new biblios
When Creating a new biblio record, if the cataloguer doesn't use the leader
plugin, a biblio record can be saved with a leader not containing a 'a' in 9
position. If the biblio contains UTF-8 characters, its decoding can fail.
This issue applies to MARC-21 not UNIMARC.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Colin Campbell [Mon, 31 Jan 2011 16:19:49 +0000 (16:19 +0000)]
Bug 5673: test guarantorid consistently
Incorrect checking of guarantorid was causing moremember.pl to
try and construct addresses using data from non-existent guarantors
ensure that test is consistently checking that value is defined and not
'', '0' or 0 [ i.e. what perl does for you anyway!!]
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>