From c2d45ac0f4687fc4dcf84e9de663f8d3f3a354be Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Thu, 23 Jul 2020 11:15:24 +0200
Subject: [PATCH] Bug 5087: Add server-side check

If a user to access a CSV profile that is not available at the OPAC we
should redirect to 404.

It will also handle undefined csv_profiles

For instance:
kohadev.mydnsname.org:8080/cgi-bin/koha/opac-downloadshelf.pl?shelfnumber=1&format=3
kohadev.mydnsname.org:8080/cgi-bin/koha/opac-downloadcart.pl?bib_list=1/2/&format=3

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
---
 opac/opac-downloadcart.pl  | 6 ++++++
 opac/opac-downloadshelf.pl | 7 +++++++
 2 files changed, 13 insertions(+)

diff --git a/opac/opac-downloadcart.pl b/opac/opac-downloadcart.pl
index 7720cd461e..0fb7a02f3c 100755
--- a/opac/opac-downloadcart.pl
+++ b/opac/opac-downloadcart.pl
@@ -66,6 +66,12 @@ if ($bib_list && $format) {
     # CSV   
     if ($format =~ /^\d+$/) {
 
+        my $csv_profile = Koha::CsvProfiles->find($format);
+        if ( not $csv_profile or $csv_profile->staff_only ) {
+            print $query->redirect('/cgi-bin/koha/errors/404.pl');
+            exit;
+        }
+
         $output = marc2csv(\@bibs, $format);
 
         # Other formats
diff --git a/opac/opac-downloadshelf.pl b/opac/opac-downloadshelf.pl
index f317f3ca3d..011fd0c5c5 100755
--- a/opac/opac-downloadshelf.pl
+++ b/opac/opac-downloadshelf.pl
@@ -75,6 +75,13 @@ if ( $shelf and $shelf->can_be_viewed( $borrowernumber ) ) {
 
        # CSV
         if ($format =~ /^\d+$/) {
+
+            my $csv_profile = Koha::CsvProfiles->find($format);
+            if ( not $csv_profile or $csv_profile->staff_only ) {
+                print $query->redirect('/cgi-bin/koha/errors/404.pl');
+                exit;
+            }
+
             my @biblios;
             while ( my $content = $contents->next ) {
                 push @biblios, $content->biblionumber;
-- 
2.11.4.GIT