From 94d3e6e713a6550004ead6f95953586ab814f982 Mon Sep 17 00:00:00 2001
From: Jared Camins-Esakov
Date: Mon, 15 Oct 2012 11:45:38 -0400
Subject: [PATCH] Bug 3652: close XSS vulnerabilities on biblionumber and authid

Previously we did not sanitize biblionumber and authids passed in by the user.

To test:
1) Go to /cgi-bin/koha/opac-detail.pl?biblionumber=2hi (substituting a valid biblionumber for the 2).
2) Notice the presence of "2hi" on this page, and also on the ISBD and MARC views.
3) Go to /cgi-bin/koha/opac-authoritiesdetail.pl?authid=2bye (substituting a valid authid for the 2).
4) Notice the presence of "2bye" on this page.
3) Apply patch.
4) Notice that "2hi" and "2bye" strings are gone.

Signed-off-by: Chris Cormack
---
 opac/opac-ISBDdetail.pl        | 3 ++-
 opac/opac-MARCdetail.pl        | 3 ++-
 opac/opac-authoritiesdetail.pl | 2 +-
 opac/opac-detail.pl            | 1 +
 opac/opac-showmarc.pl          | 1 +
 5 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/opac/opac-ISBDdetail.pl b/opac/opac-ISBDdetail.pl
index 634dd859c4..f920c96809 100755
--- a/opac/opac-ISBDdetail.pl
+++ b/opac/opac-ISBDdetail.pl
@@ -67,7 +67,8 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
     }
 );
 
-my $biblionumber = $query->param('biblionumber');
+my $biblionumber = $query->param('biblionumber') || $query->param('bib');
+$biblionumber = int($biblionumber);
 
 # get biblionumbers stored in the cart
 my @cart_list;
diff --git a/opac/opac-MARCdetail.pl b/opac/opac-MARCdetail.pl
index 2d9dc25241..f39f2d2083 100755
--- a/opac/opac-MARCdetail.pl
+++ b/opac/opac-MARCdetail.pl
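Review bot: The added `$biblionumber = int($biblionumber);` in opac-ISBDdetail.pl coerces rather than validates: `int("2hi")` yields 2 with a non-numeric warning, so a malformed request silently serves a record the caller never named, and when neither `biblionumber` nor `bib` is supplied `int(undef)` yields 0 with an uninitialized warning. The XSS is closed because the value is numeric afterwards, but an anchored check fails fast and lets the `if ( ! $record )` redirect seen in the other files of this patch handle the rejection: `$biblionumber = ( defined $biblionumber && $biblionumber =~ /\A(\d+)\z/ ) ? $1 : 0;`. The same `int()` line is added in opac-detail.pl and opac-showmarc.pl and the same remark applies there. Note also that the new `|| $query->param('bib')` fallback treats a literal `0` as missing, which this hunk introduces here while opac-detail.pl already had it.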
@@ -57,10 +57,11 @@ my $query = new CGI;
 
 my $dbh = C4::Context->dbh;
 
-my $biblionumber = $query->param('biblionumber');
+my $biblionumber = $query->param('biblionumber') || $query->param('bib');
 my $itemtype = &GetFrameworkCode($biblionumber);
 my $tagslib = &GetMarcStructure( 0, $itemtype );
 my $biblio = GetBiblioData($biblionumber);
+$biblionumber = $biblio->{biblionumber};
 my $record = GetMarcBiblio($biblionumber, 1);
 if ( ! $record ) {
     print $query->redirect("/cgi-bin/koha/errors/404.pl");
diff --git a/opac/opac-authoritiesdetail.pl b/opac/opac-authoritiesdetail.pl
index 8d5367ffb3..688a9c5d19 100755
--- a/opac/opac-authoritiesdetail.pl
+++ b/opac/opac-authoritiesdetail.pl
@@ -66,7 +66,7 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
     }
 );
 
-my $authid = $query->param('authid');
+my $authid = $query->param('authid');
 my $record = GetAuthority( $authid );
 if ( ! $record ) {
     print $query->redirect("/cgi-bin/koha/errors/404.pl"); # escape early
diff --git a/opac/opac-detail.pl b/opac/opac-detail.pl
index a5f3e078ba..98cd4318af 100755
--- a/opac/opac-detail.pl
+++ b/opac/opac-detail.pl
@@ -69,6 +69,7 @@ my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
 );
 
 my $biblionumber = $query->param('biblionumber') || $query->param('bib');
+$biblionumber = int($biblionumber);
 my $record = GetMarcBiblio($biblionumber);
 
 if ( ! $record ) {
diff --git a/opac/opac-showmarc.pl b/opac/opac-showmarc.pl
index 3638f8869d..f06d3cde0b 100755
--- a/opac/opac-showmarc.pl
+++ b/opac/opac-showmarc.pl
@@ -44,6 +44,7 @@ use XML::LibXML;
 
 my $input = new CGI;
 my $biblionumber = $input->param('id');
+$biblionumber = int($biblionumber);
 my $importid = $input->param('importid');
 my $view = $input->param('viewas') || 'marc';
 
-- 
2.20.1
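Review bot: In opac-MARCdetail.pl the sanitized value `$biblio->{biblionumber}` is assigned only after `GetFrameworkCode($biblionumber)` and `GetBiblioData($biblionumber)` have already consumed the raw request parameter, so this file still depends on those helpers tolerating a non-numeric string, which the hunk does not show. Normalizing right after the `param` line, as the other files in this patch do, removes that dependency: insert `$biblionumber = int($biblionumber);` (or an anchored `/\A(\d+)\z/` check) before `my $itemtype = &GetFrameworkCode($biblionumber);`. When `GetBiblioData` returns nothing, the rvalue `$biblio->{biblionumber}` autovivifies `$biblio` and leaves `$biblionumber` undef, so the 404 redirect below then hinges on `GetMarcBiblio(undef, 1)` returning false; an explicit `unless ( $biblio )` guard before the lookup, or a comment stating that reliance, would make the path clear.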
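Review bot: In opac-authoritiesdetail.pl the `+` line reads byte-for-byte the same as the `-` line it replaces, so unless a whitespace-only difference was lost in this rendering, `$authid` reaches `GetAuthority( $authid )` and everything after it exactly as the user sent it, and the `authid=2bye` case from the commit message is not addressed by this hunk. If the database comparison coerces `"2bye"` to 2 the record is found, the 404 branch is skipped, and the raw string stays live for the rest of the script. The normalization applied to biblionumber elsewhere in the patch belongs here as well: `$authid = ( defined $authid && $authid =~ /\A(\d+)\z/ ) ? $1 : 0;` placed before the `GetAuthority` call.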
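Review bot: In opac-showmarc.pl only `id` is normalized; the neighbouring `importid` and `viewas` parameters in the same hunk are read from the request without any normalization. If either is echoed to the template or used in a lookup the way `id` is (not visible here), it needs the same treatment, e.g. `$importid = ( defined $importid && $importid =~ /\A(\d+)\z/ ) ? $1 : undef;` and a whitelist for `viewas` against the views the script supports, of which the hunk shows only the `'marc'` default. The `int()` coercion on `id` has the same accept-garbage behaviour noted for opac-ISBDdetail.pl.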