[Bug 21115] New: Add multi_param call and add divider in cache key in svc/report and opac counterpart

classic Classic list List threaded Threaded
13 messages Options
Reply | Threaded
Open this post in threaded view
|

[Bug 21115] New: Add multi_param call and add divider in cache key in svc/report and opac counterpart

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21115

            Bug ID: 21115
           Summary: Add multi_param call and add divider in cache key in
                    svc/report and opac counterpart
 Change sponsored?: ---
           Product: Koha
           Version: master
          Hardware: All
                OS: All
            Status: NEW
          Severity: trivial
          Priority: P5 - low
         Component: Reports
          Assignee: [hidden email]
          Reporter: [hidden email]
        QA Contact: [hidden email]

CGI::param called in list context from package
CGI::Compile::ROOT::usr_share_koha_prodclone_opac_svc_report line 42, this can
lead to vulnerabilities. See the warning in "Fetching the value or values of a
single named parameter" at /usr/share/perl5/CGI.pm line 436.

--
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 21115] Add multi_param call and add divider in cache key in svc/report and opac counterpart

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21115

Marcel de Rooy <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|Reports                     |Architecture, internals,
                   |                            |and plumbing

--
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 21115] Add multi_param call and add divider in cache key in svc/report and opac counterpart

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21115

Marcel de Rooy <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|[hidden email]-commun |[hidden email]
                   |ity.org                     |
   Patch complexity|---                         |Small patch

--
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 21115] Add multi_param call and add divider in cache key in svc/report and opac counterpart

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21115

Marcel de Rooy <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |Needs Signoff

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 21115] Add multi_param call and add divider in cache key in svc/report and opac counterpart

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21115

--- Comment #1 from Marcel de Rooy <[hidden email]> ---
Created attachment 77256
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=77256&action=edit
Bug 21115: Add multi_param call and add divider in cache key in svc/report and
opac counterpart

Resolve things like:
CGI::param called in list context from package
CGI::Compile::ROOT::usr_share_koha_prodclone_opac_svc_report line 42, this can
lead to vulnerabilities. See the warning in "Fetching the value or values of a
single named parameter" at /usr/share/perl5/CGI.pm line 436.

The cache key in both script looks like:
    opac:report:id:602018
but should for consistency be:
    opac:report:id:60:2018
Note: The 2018 here is part of the sql_params and should not be
concatenated to the report id.

Test plan:
Do not yet apply this patch.
Make a report public, set cache to 300 secs.
Check its output with opac/svc/report.
Check for the warn in your log.
Apply the patch, restart Plack and flush cache.
Check opac/svc/report.
Modify your report; e.g. add a simple string to the SELECT.
Check opac/svc/report. You should still see cached output.
Flush the cache.
Check opac/svc/report. You should now see the added text.

Signed-off-by: Marcel de Rooy <[hidden email]>
Tested also by clearing individual keys with $cache->clear_from_cache.

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 21115] Add multi_param call and add divider in cache key in svc/report and opac counterpart

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21115

--- Comment #2 from Marcel de Rooy <[hidden email]> ---
Note for QA:
Looks like we should remove the opac and intranet key from the cache when
modifying a report. But that is not the topic of this report. So I use this
phenomenon in my test plan.

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 21115] Add multi_param call and add divider in cache key in svc/report and opac counterpart

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21115

M. Tompsett <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Needs Signoff               |Signed Off

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 21115] Add multi_param call and add divider in cache key in svc/report and opac counterpart

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21115

M. Tompsett <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #77256|0                           |1
        is obsolete|                            |

--- Comment #3 from M. Tompsett <[hidden email]> ---
Created attachment 80365
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=80365&action=edit
Bug 21115: Add multi_param call and add divider in cache key in svc/report and
opac counterpart

Resolve things like:
CGI::param called in list context from package
CGI::Compile::ROOT::usr_share_koha_prodclone_opac_svc_report line 42, this can
lead to vulnerabilities. See the warning in "Fetching the value or values of a
single named parameter" at /usr/share/perl5/CGI.pm line 436.

The cache key in both script looks like:
    opac:report:id:602018
but should for consistency be:
    opac:report:id:60:2018
Note: The 2018 here is part of the sql_params and should not be
concatenated to the report id.

Test plan:
Do not yet apply this patch.
Make a report public, set cache to 300 secs.
Check its output with opac/svc/report.
Check for the warn in your log.
Apply the patch, restart Plack and flush cache.
Check opac/svc/report.
Modify your report; e.g. add a simple string to the SELECT.
Check opac/svc/report. You should still see cached output.
Flush the cache.
Check opac/svc/report. You should now see the added text.

Signed-off-by: Marcel de Rooy <[hidden email]>
Tested also by clearing individual keys with $cache->clear_from_cache.

Signed-off-by: Mark Tompsett <[hidden email]>

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 21115] Add multi_param call and add divider in cache key in svc/report and opac counterpart

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21115

--- Comment #4 from Marcel de Rooy <[hidden email]> ---
(In reply to M. Tompsett from comment #3)
> Signed-off-by: Mark Tompsett <[hidden email]>

Thx

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 21115] Add multi_param call and add divider in cache key in svc/report and opac counterpart

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21115

Chris Cormack <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Signed Off                  |Passed QA

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 21115] Add multi_param call and add divider in cache key in svc/report and opac counterpart

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21115

Chris Cormack <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #80365|0                           |1
        is obsolete|                            |

--- Comment #5 from Chris Cormack <[hidden email]> ---
Created attachment 80441
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=80441&action=edit
Bug 21115: Add multi_param call and add divider in cache key in svc/report and
opac counterpart

Resolve things like:
CGI::param called in list context from package
CGI::Compile::ROOT::usr_share_koha_prodclone_opac_svc_report line 42, this can
lead to vulnerabilities. See the warning in "Fetching the value or values of a
single named parameter" at /usr/share/perl5/CGI.pm line 436.

The cache key in both script looks like:
    opac:report:id:602018
but should for consistency be:
    opac:report:id:60:2018
Note: The 2018 here is part of the sql_params and should not be
concatenated to the report id.

Test plan:
Do not yet apply this patch.
Make a report public, set cache to 300 secs.
Check its output with opac/svc/report.
Check for the warn in your log.
Apply the patch, restart Plack and flush cache.
Check opac/svc/report.
Modify your report; e.g. add a simple string to the SELECT.
Check opac/svc/report. You should still see cached output.
Flush the cache.
Check opac/svc/report. You should now see the added text.

Signed-off-by: Marcel de Rooy <[hidden email]>
Tested also by clearing individual keys with $cache->clear_from_cache.

Signed-off-by: Mark Tompsett <[hidden email]>
Signed-off-by: Chris Cormack <[hidden email]>

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 21115] Add multi_param call and add divider in cache key in svc/report and opac counterpart

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21115

Nick Clemens <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]
             Status|Passed QA                   |Pushed to Master

--- Comment #6 from Nick Clemens <[hidden email]> ---
Awesome work all!

Pushed to master for 18.11

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
Reply | Threaded
Open this post in threaded view
|

[Bug 21115] Add multi_param call and add divider in cache key in svc/report and opac counterpart

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21115

Martin Renvoize <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Pushed to Master            |Pushed to Stable
                 CC|                            |martin.renvoize@ptfs-europe
                   |                            |.com

--- Comment #7 from Martin Renvoize <[hidden email]> ---
Pushed to 18.05.x for 18.05.05

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/