[Koha-bugs] [Bug 21115] Add multi_param call and add divider in cache key in svc/report and opac counterpart
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Wed Oct 10 18:03:27 CEST 2018
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21115
M. Tompsett <mtompset at hotmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #77256|0 |1
is obsolete| |
--- Comment #3 from M. Tompsett <mtompset at hotmail.com> ---
Created attachment 80365
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=80365&action=edit
Bug 21115: Add multi_param call and add divider in cache key in svc/report and
opac counterpart
Resolve things like:
CGI::param called in list context from package
CGI::Compile::ROOT::usr_share_koha_prodclone_opac_svc_report line 42, this can
lead to vulnerabilities. See the warning in "Fetching the value or values of a
single named parameter" at /usr/share/perl5/CGI.pm line 436.
The cache key in both script looks like:
opac:report:id:602018
but should for consistency be:
opac:report:id:60:2018
Note: The 2018 here is part of the sql_params and should not be
concatenated to the report id.
Test plan:
Do not yet apply this patch.
Make a report public, set cache to 300 secs.
Check its output with opac/svc/report.
Check for the warn in your log.
Apply the patch, restart Plack and flush cache.
Check opac/svc/report.
Modify your report; e.g. add a simple string to the SELECT.
Check opac/svc/report. You should still see cached output.
Flush the cache.
Check opac/svc/report. You should now see the added text.
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Tested also by clearing individual keys with $cache->clear_from_cache.
Signed-off-by: Mark Tompsett <mtompset at hotmail.com>
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list