Bug 19258: Prevent warns when writing off an individual fine

The following warns are triggered when I click the Write Off button next
to an individual fine or charge:
CGI::param called in list context from package
CGI::Compile::ROOT::home_vagrant_kohaclone_members_pay_2epl line 171,
this can lead to vulnerabilities. See the warning in "Fetching the
value or values of a single named parameter" at
/usr/share/perl5/CGI.pm line 436. (this shows many times)
Use of uninitialized value in subroutine entry at
/usr/share/perl5/URI/Escape.pm line 184.

To test:
1) Go to a members detail page in staff side and create a manual
invoice
2) Go to the pay fines tab, click the Write off button next to the
invoice you just created
3) Notice warns
4) Apply patch and repeat steps 1 & 2
5) Warns should be gone

Sponsored-by: Catalyst IT
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

diff --git a/members/pay.pl b/members/pay.pl
index 7c3f6ad..5da2c41 100755 (executable)
--- a/members/pay.pl
+++ b/members/pay.pl
@@ -168,7 +168,10 @@ sub add_accounts_to_template {
 sub get_for_redirect {
     my ( $name, $name_in, $money ) = @_;
     my $s     = q{&} . $name . q{=};
-    my $value = uri_escape_utf8( $input->param($name_in) );
+    my $value;
+    if (defined $input->param($name_in)) {
+        $value = uri_escape_utf8( scalar $input->param($name_in) );
+    }
     if ( !defined $value ) {
         $value = ( $money == 1 ) ? 0 : q{};
     }
@@ -196,7 +199,7 @@ sub redirect_to_paycollect {
     $redirect .= get_for_redirect( 'notify_id',    "notify_id$line_no",    0 );
     $redirect .= get_for_redirect( 'notify_level', "notify_level$line_no", 0 );
     $redirect .= get_for_redirect( 'accountlines_id', "accountlines_id$line_no", 0 );
-    $redirect .= q{&} . 'payment_note' . q{=} . uri_escape_utf8( $input->param("payment_note_$line_no") );
+    $redirect .= q{&} . 'payment_note' . q{=} . uri_escape_utf8( scalar $input->param("payment_note_$line_no") );
     $redirect .= '&remote_user=';
     $redirect .= $user;
     return print $input->redirect($redirect);