Bug 17901: Fix possible SQL injection in shelf editing
[koha.git] / virtualshelves / shelves.pl
index 11a90ae..de4db51 100755 (executable)
@@ -27,6 +27,8 @@ use C4::Members;
 use C4::Output;
 use C4::XSLT;
 
+use Koha::Biblios;
+use Koha::Biblioitems;
 use Koha::CsvProfiles;
 use Koha::Virtualshelves;
 
@@ -92,9 +94,11 @@ if ( $op eq 'add_form' ) {
 
     if ( $shelf ) {
         $op = $referer;
+        my $sortfield = $query->param('sortfield');
+        $sortfield = 'title' unless grep {/^$sortfield$/}qw( title author copyrightdate itemcallnumber );
         if ( $shelf->can_be_managed( $loggedinuser ) ) {
             $shelf->shelfname( scalar $query->param('shelfname') );
-            $shelf->sortfield( scalar $query->param('sortfield') );
+            $shelf->sortfield( $sortfield );
             $shelf->allow_add( scalar $query->param('allow_add') );
             $shelf->allow_delete_own( scalar $query->param('allow_delete_own') );
             $shelf->allow_delete_other( scalar $query->param('allow_delete_other') );
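Review bot: The allowlist check on the new line `$sortfield = 'title' unless grep {/^$sortfield$/}qw( title author copyrightdate itemcallnumber );` interpolates the request parameter into the regex unescaped, so a value containing regex metacharacters can satisfy the match without being equal to any listed name, and the `$` anchor also tolerates a trailing newline; the unchanged value then reaches `$shelf->sortfield`, which is what this fix is meant to prevent. Compare by string equality instead: `my $sortfield = $query->param('sortfield') // '';` followed by `$sortfield = 'title' unless grep { $_ eq $sortfield } qw( title author copyrightdate itemcallnumber );` (the `// ''` also avoids an uninitialized-value warning when the parameter is absent). The same pattern is added in the `view` hunk after `my $sortfield = $query->param('sortfield') || $shelf->sortfield || 'title';` and needs the same change. The enclosing `if ( $shelf )` block of the add_form branch continues past this hunk.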
@@ -195,6 +199,7 @@ if ( $op eq 'view' ) {
     if ( $shelf ) {
         if ( $shelf->can_be_viewed( $loggedinuser ) ) {
             my $sortfield = $query->param('sortfield') || $shelf->sortfield || 'title';    # Passed in sorting overrides default sorting
+            $sortfield = 'title' unless grep {/^$sortfield$/}qw( title author copyrightdate itemcallnumber );
             my $direction = $query->param('direction') || 'asc';
             $direction = 'asc' if $direction ne 'asc' and $direction ne 'desc';
             my ( $rows, $page );
@@ -223,7 +228,7 @@ if ( $op eq 'view' ) {
             my @items;
             while ( my $content = $contents->next ) {
                 my $this_item;
-                my $biblionumber = $content->biblionumber->biblionumber;
+                my $biblionumber = $content->biblionumber;
                 my $record       = GetMarcBiblio($biblionumber);
 
                 if ( $xslfile ) {
@@ -232,9 +237,11 @@ if ( $op eq 'view' ) {
                 }
 
                 my $marcflavour = C4::Context->preference("marcflavour");
-                my $itemtypeinfo = getitemtypeinfo( $content->biblionumber->biblioitems->first->itemtype, 'intranet' );
-                $this_item->{title}             = $content->biblionumber->title;
-                $this_item->{author}            = $content->biblionumber->author;
+                my $itemtype = Koha::Biblioitems->search({ biblionumber => $content->biblionumber })->next->itemtype;
+                my $itemtypeinfo = getitemtypeinfo( $itemtype, 'intranet' );
+                my $biblio = Koha::Biblios->find( $content->biblionumber );
+                $this_item->{title}             = $biblio->title;
+                $this_item->{author}            = $biblio->author;
                 $this_item->{dateadded}         = $content->dateadded;
                 $this_item->{imageurl}          = $itemtypeinfo->{imageurl};
                 $this_item->{description}       = $itemtypeinfo->{description};
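Review bot: The added lines `Koha::Biblioitems->search({ biblionumber => $content->biblionumber })->next->itemtype` and `Koha::Biblios->find( $content->biblionumber )` followed by `$biblio->title` both call a method on a lookup result without checking it is defined; if `->next` or `->find` returns undef for a shelf entry whose record has no biblioitem or has since been deleted (presumably what these iterators return on a miss), the view loop dies and the whole shelf page fails rather than the one entry. Since `$biblionumber` is already in scope from the earlier hunk in this loop, fetch each record once and guard it, e.g. `my $biblio = Koha::Biblios->find( $biblionumber ) or next;` and `my $biblioitem = Koha::Biblioitems->search({ biblionumber => $biblionumber })->next;` then `my $itemtypeinfo = getitemtypeinfo( $biblioitem ? $biblioitem->itemtype : undef, 'intranet' );`. Whether a missing record should be skipped or rendered with blank fields is a product decision I cannot settle from this hunk. The `while ( my $content = $contents->next )` loop begins and ends outside this hunk.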