The opac-export.pl script had a number of XSS vulnerabilities relating
to its error handling.
To test:
1) Go to /cgi-bin/koha/opac-export.pl?op=export&bib=2&format=<h2>evil</h2>
(substituting a valid biblionumber for the '2')
2) Notice that "evil" is rendered as an h2 heading.
3) Apply patch.
4) Notice that you now see the h2 tags, and they are not rendered by
the browser.
---
opac/opac-export.pl | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/opac/opac-export.pl b/opac/opac-export.pl
index fb8dee7..002c88e 100755
--- a/opac/opac-export.pl
+++ b/opac/opac-export.pl
@@ -32,6 +32,7 @@ my $query = new CGI;
my $op=$query->param("op")||''; #op=export is currently the only use
my $format=$query->param("format")||'utf8';
my $biblionumber = $query->param("bib")||0;
+$biblionumber = int($biblionumber);
my ($marc, $error)= ('','');
$marc = GetMarcBiblio($biblionumber, 1) if $biblionumber;
@@ -41,18 +42,23 @@ if(!$marc) {
}
elsif ($format =~ /endnote/) {
$marc = marc2endnote($marc);
+ $format = 'endnote';
}
elsif ($format =~ /marcxml/) {
$marc = marc2marcxml($marc);
+ $format = 'marcxml';
}
elsif ($format=~ /mods/) {
$marc = marc2modsxml($marc);
+ $format = 'mods';
}
elsif ($format =~ /ris/) {
$marc = marc2ris($marc);
+ $format = 'ris';
}
elsif ($format =~ /bibtex/) {
$marc =
marc2bibtex(C4::Biblio::GetMarcBiblio($biblionumber),$biblionumber);
+ $format = 'bibtex';
}
elsif ($format =~ /dc/) {
($error,$marc) = marc2dcxml($marc,1);
@@ -61,14 +67,17 @@ elsif ($format =~ /dc/) {
elsif ($format =~ /marc8/) {
($error,$marc) = changeEncoding($marc,"MARC","MARC21","MARC-8");
$marc = $marc->as_usmarc() unless $error;
+ $format = 'marc8';
}
elsif ($format =~ /utf8/) {
C4::Charset::SetUTF8Flag($marc,1);
$marc = $marc->as_usmarc();
+ $format = 'utf8';
}
elsif ($format =~ /marcstd/) {
C4::Charset::SetUTF8Flag($marc,1);
($error,$marc) = marc2marc($marc, 'marcstd',
C4::Context->preference('marcflavour'));
+ $format = 'marcstd';
}
else {
$error= "Format $format is not supported.";
@@ -78,7 +87,7 @@ if ($error){
print $query->header();
print $query->start_html();
print "<h1>An error occurred </h1>";
- print $error;
+ print $query->escapeHTML("$error");
print $query->end_html();
}
else {
--
1.7.9.5
_______________________________________________
Koha-patches mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-patches
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
