From e99f7ad63f45f85e6e7d2f3080a960379e3e6f79 Mon Sep 17 00:00:00 2001 From: David Cook Date: Fri, 21 May 2021 06:52:25 +0000 Subject: [PATCH] Bug 28409: Comprehensively validate category in opac-shelves.pl Default to a category of 1 (ie Private). Only allow input of 1 or 2 (ie Public) == Test plan == 1. Go to http://localhost:8080/cgi-bin/koha/opac-shelves.pl?category=function(){window.location.href%20=%20%27https://git.koha-community.org/stats/koha-master/authors.html%27}() 2. Note that you are redirected to another website 3. Go to http://localhost:8080/cgi-bin/koha/opac-shelves.pl?op=add&shelfname=foo&category=9 4. Note that you can't see this list in the Lists (but it has been added to the database) 5. Apply the patch & restart services 6. Go to http://localhost:8080/cgi-bin/koha/opac-shelves.pl?category=function(){window.location.href%20=%20%27https://git.koha-community.org/stats/koha-master/authors.html%27}() 7. Note that you are not redirected to another website 8. Go to http://localhost:8080/cgi-bin/koha/opac-shelves.pl?op=add&shelfname=bar&category=9 9. Note that "bar" has been added as a Private list Signed-off-by: Victor Grousset/tuxayo Signed-off-by: Kyle M Hall Signed-off-by: Jonathan Druart --- opac/opac-shelves.pl | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/opac/opac-shelves.pl b/opac/opac-shelves.pl index 483876188e..e3b167799d 100755 --- a/opac/opac-shelves.pl +++ b/opac/opac-shelves.pl @@ -79,7 +79,15 @@ if (C4::Context->preference("BakerTaylorEnabled")) { } my $referer = $query->param('referer') || $op; -my $category = $query->param('category') || 1; +my $category = 1; +if ( $query->param('category') && ( + ($query->param('category') == 1) || + ($query->param('category') == 2) + ) + ){ + $category = $query->param('category'); +} + my ( $shelf, $shelfnumber, @messages ); if ( $op eq 'add_form' ) { @@ -107,7 +115,7 @@ if ( $op eq 'add_form' ) { $shelf = Koha::Virtualshelf->new( { shelfname => scalar $query->param('shelfname'), sortfield => scalar $query->param('sortfield'), - category => scalar $query->param('category') || 1, + category => $category || 1, allow_change_from_owner => $allow_changes_from > 0, allow_change_from_others => $allow_changes_from == ANYONE, owner => scalar $loggedinuser, @@ -141,7 +149,7 @@ if ( $op eq 'add_form' ) { my $allow_changes_from = $query->param('allow_changes_from'); $shelf->allow_change_from_owner( $allow_changes_from > 0 ); $shelf->allow_change_from_others( $allow_changes_from == ANYONE ); - $shelf->category( scalar $query->param('category') ); + $shelf->category( $category ); eval { $shelf->store }; if ($@) { -- 2.39.5