[Koha-bugs] [Bug 23873] Allow marc modification templates to use capturing groups in substitutions

bugzilla-daemon at bugs.koha-community.org
Wed Oct 23 13:19:08 CEST 2019


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23873

--- Comment #1 from Nick Clemens <nick at bywatersolutions.com> ---
The issue here is that the two sides of the replacement are each passed in a
variable.

$value =~ s/$regex->{search}/$regex->{replace}/


On the right side, we don't evaluate the variable, so anything there is treated
as text. This was encountered during the callnumber split development and is
why the code there stores the full regex in a single field.

https://blog.james.rcpt.to/2010/10/25/perl-search-and-replace-using-variables/

It seems maybe we can safely do this if we allow for /ee (double encoding) in
the regex switch, then it will prevent malicious code, but allow desired code.

In the case of callnumber splitting I think we decided too that we should trust
the end user. Someone who already has access to the staff client is hopefully
someone trustworthy.

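Added example, not part of the original message and not Koha's code: one way to support capture groups when the replacement arrives in a variable, by expanding $1..$9 as plain text so the replacement string is never evaluated as Perl (no /e or /ee on user input). The helper names expand_template and substitute, the \$ escape and the sample strings are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: expand $1..$9 and ${1}..${9} in a replacement template;
# \$ gives a literal dollar sign. The template is only ever treated as data.
sub expand_template {
    my ( $template, @captures ) = @_;    # $captures[0] holds group 1
    my $group = sub {
        my ($n) = @_;
        return '$' unless defined $n;    # the \$ escape matched
        return '' if $n < 1 || $n > @captures;
        return defined $captures[ $n - 1 ] ? $captures[ $n - 1 ] : '';
    };
    $template =~ s/\\\$|\$(?:\{(\d)\}|(\d))/$group->( defined $1 ? $1 : $2 )/ge;
    return $template;
}

# Hypothetical helper: like s/$search/$template/ (or /g when $global is true),
# but with capture references in $template filled in from each match.
sub substitute {
    my ( $value, $search, $template, $global ) = @_;
    my $re = qr/$search/;
    my ( $out, $last ) = ( '', 0 );
    while ( $value =~ /$re/g ) {
        # Save offsets and captures before any other regex runs.
        my ( $start, $end ) = ( $-[0], $+[0] );
        my @caps = map {
            defined $-[$_] ? substr( $value, $-[$_], $+[$_] - $-[$_] ) : undef
        } 1 .. $#+;
        $out .= substr( $value, $last, $start - $last )
              . expand_template( $template, @caps );
        $last = $end;
        last unless $global;
    }
    return $out . substr( $value, $last );
}

# Constructed sample data.
my ( $search, $template ) = ( '^(\w+), (\w+)$', '$2 $1' );

# The form from the comment above: the replacement variable is interpolated
# once, so the "$2 $1" it contains is inserted as literal text.
( my $naive = 'Smith, John' ) =~ s/$search/$template/;
print "naive:    $naive\n";
print "expanded: ", substitute( 'Smith, John', $search, $template ), "\n";
# Code-like text in the template stays text; only the group reference expands.
print "as text:  ", substitute( 'Smith, John', $search, 'uc($1) costs \$5' ), "\n";
```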

