Bug 19258: Prevent warns when writing off an individual fine
The following warns are triggered when I click the Write Off button next
to an individual fine or charge:
CGI::param called in list context from package
CGI::Compile::ROOT::home_vagrant_kohaclone_members_pay_2epl line 171,
this can lead to vulnerabilities. See the warning in "Fetching the
value or values of a single named parameter" at
/usr/share/perl5/CGI.pm line 436. (this shows many times)
Use of uninitialized value in subroutine entry at
/usr/share/perl5/URI/Escape.pm line 184.

To test:
1) Go to a member's detail page on the staff side and create a manual
invoice
2) Go to the pay fines tab, click the Write off button next to the
invoice you just created
3) Notice warns
4) Apply patch and repeat steps 1 & 2
5) Warns should be gone

Sponsored-by: Catalyst IT

Signed-off-by: Mark Tompsett <[email protected]>

Signed-off-by: Jonathan Druart <[email protected]>

Signed-off-by: Jonathan Druart <[email protected]>
aleishaa authored and joubu committed Sep 7, 2017
1 parent 9ffda7a commit 693cc11
Showing 1 changed file with 5 additions and 2 deletions.
7 changes: 5 additions & 2 deletions members/pay.pl
@@ -168,7 +168,10 @@ sub add_accounts_to_template {
sub get_for_redirect {
my ( $name, $name_in, $money ) = @_;
my $s = q{&} . $name . q{=};
my $value = uri_escape_utf8( $input->param($name_in) );
my $value;
if (defined $input->param($name_in)) {
$value = uri_escape_utf8( scalar $input->param($name_in) );
}
if ( !defined $value ) {
$value = ( $money == 1 ) ? 0 : q{};
}
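Review bot: `$input->param($name_in)` is now called twice in get_for_redirect (once inside `defined`, once inside `uri_escape_utf8`); fetching it once into `$value` and escaping only when defined would be simpler and keeps a single read of the request: `my $value = scalar $input->param($name_in); $value = uri_escape_utf8($value) if defined $value;`. The `scalar` on the second call is the important part of this hunk and is worth a comment: `uri_escape_utf8` takes `($text, $unsafe)`, so a repeated `name_in` query parameter evaluated in list context would have been passed as the `$unsafe` character-class argument and changed which characters get escaped in the redirect URL, which is exactly the injection the CGI.pm warning refers to.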
@@ -196,7 +199,7 @@ sub redirect_to_paycollect {
$redirect .= get_for_redirect( 'notify_id', "notify_id$line_no", 0 );
$redirect .= get_for_redirect( 'notify_level', "notify_level$line_no", 0 );
$redirect .= get_for_redirect( 'accountlines_id', "accountlines_id$line_no", 0 );
$redirect .= q{&} . 'payment_note' . q{=} . uri_escape_utf8( $input->param("payment_note_$line_no") );
$redirect .= q{&} . 'payment_note' . q{=} . uri_escape_utf8( scalar $input->param("payment_note_$line_no") );
$redirect .= '&remote_user=';
$redirect .= $user;
return print $input->redirect($redirect);
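Review bot: the `payment_note` line gets the same `scalar` fix but, unlike the first hunk, no `defined` check; if `payment_note_$line_no` is ever absent from the request, the undef still reaches `uri_escape_utf8` (which calls `utf8::encode` on it) and the "Use of uninitialized value in subroutine entry" warn from URI/Escape.pm would come back. Since the helper just above already handles this case, the line could become `$redirect .= get_for_redirect( 'payment_note', "payment_note_$line_no", 0 );`, which yields the same `&payment_note=<escaped value>` (or an empty value) without the special case.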
