Michael Doran Home Page
This page is deprecated: please read archives disclaimer.

WebAdmin Debugged

Bug 1: bulkimport

The problem

When a job is submitted via WebAdmin's MARC Record Bulkimport form, an unselected optional parameter (e.g. Holdings/MFHD Location Code) causes bulkimport to fail. The attempted batch command looks similar to this:
	/path_to/Pbulkimport -f/path_to/file -iLCSH -o_ -a_
The resulting error message is 'Invalid mfhd location code "_".' As indicated by the error message, failure is due to bulkimport encountering an inappropriate location code (i.e. the underscore argument to the -a flag).

Version information

Solaris 8
Voyager 2000.1.3
WebAdmin as of pat200013g patch

Relevant files

/m1/voyager/xxxdb/webadmin/cgi-bin/bulkimport.cgi
/m1/voyager/xxxdb/webadmin/cgi-bin/bulkimport.html
/m1/voyager/xxxdb/webadmin/cgi-bin/cgi-lib.pl

Where does the underscore come from?

When a location is not chosen, a space character is returned as the value. The underscore appears as a result of code in cgi-lib.pl that attempts to sanitize the form input. The following code in cgi-lib.pl replaces potentially harmful characters in user input with an underscore.
	$OK_CHARS='a-zA-Z0-9_\-\.@&=+\/';
	eval "tr/$OK_CHARS/_/c";
A space is not included in the list of acceptable characters, so spaces get replaced with an underscore. (Note: It's important to remove or replace Unix shell metacharacters. Otherwise a hacker may be able to exploit the CGI script and run Unix commands on the server.)

Why is this bug showing up now?

We have only recently begun using WebAdmin so maybe this bug has always been present. But I surmise that the above cgi-lib.pl code was a late addition designed to plug one of the WebAdmin security holes. There was probably minimal testing done subsequent to this minor change and this behavior was an unintended consequence.

How and where can this bug be fixed?

Fix option 1: An initial inclination might be to add the space character to the list assigned to "OK_CHARS" in cgi-lib.pl. This option is NOT recommended: actual location codes containing a space (as opposed to not choosing a location, which results in a single space by itself) will confuse the bulkimport program because it will look like multiple arguments to the same parameter.

Fix option 2: In the bulkimport.html form, have the no-location-code-selected option return a null rather than a space as the input value. The location values are generated by bulkimport.cgi, so the fix must be done there. For MFHD location, for example, change line 238 from
      $mfhdlochtml .= "<OPTION VALUE=\" \">   \n";
to
      $mfhdlochtml .= "<OPTION VALUE=\"\">   \n";
(i.e. delete the space between the two sets of \".) This fix would also have to be applied for the operator and dedupe location parameters.

Fix option 3: The bulkimport.cgi script tests for the existence of user input (e.g. in lines 97-100 for MFHD location). The test is looking for a non-null, non-space value. If user input exists for this parameter, it will add the appropriate flag and argument to the command line parameters. Since cgi-lib.pl now replaces the space with an underscore, this test is faulty (i.e. it will always be true). Change the test to look for a non-null, non-underscore character.
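
Fix option 3 sketched as an added example, not code from bulkimport.cgi: it repeats the cgi-lib.pl character replacement, shows that the non-null, non-space test always passes afterwards, and applies a non-underscore test to each optional parameter. The field names Operator and MfhdLocation, the pairing of -o with the operator, and all helper names are assumptions; only -a for the MFHD location is confirmed by the page.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Same replacement the cgi-lib.pl excerpt performs: every character outside
# the allowed set becomes "_". Written as a literal tr instead of an eval.
sub sanitize {
    my ($value) = @_;
    $value = '' unless defined $value;
    $value =~ tr{a-zA-Z0-9_\-.@&=+/}{_}c;
    return $value;
}

# Original-style test (non-null, non-space). After sanitizing, the lone
# space from an unselected option is already "_", so this is always true.
sub selected_old { my ($v) = @_; return (defined($v) && $v ne '' && $v ne ' '); }

# Fix option 3: require at least one non-underscore character.
sub selected_new { my ($v) = @_; return (defined($v) && $v =~ /[^_]/); }

# Hypothetical form-field => flag map (assumption, see lead-in).
my @optional = ( [ Operator => '-o' ], [ MfhdLocation => '-a' ] );

# Return the optional flags to add, as a list of separate arguments.
sub build_args {
    my ($form, $is_selected) = @_;
    my @args;
    for my $pair (@optional) {
        my ($field, $flag) = @$pair;
        my $v = sanitize($form->{$field});
        push @args, "$flag$v" if $is_selected->($v);
    }
    return @args;
}

# Constructed sample input: the form sends a single space when nothing is chosen.
my %nothing_chosen = ( Operator => ' ', MfhdLocation => ' ' );
my %mfhd_chosen    = ( Operator => ' ', MfhdLocation => 'main' );

print "old test, nothing chosen: ", join(' ', build_args(\%nothing_chosen, \&selected_old)), "\n";
print "new test, nothing chosen: ", join(' ', build_args(\%nothing_chosen, \&selected_new)), "\n";
print "new test, MFHD chosen:    ", join(' ', build_args(\%mfhd_chosen,    \&selected_new)), "\n";
```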

Which of the fix options is best?

We went with option #2. Although bulkimport now works via WebAdmin, we've not discounted the possibility that by editing the program, we might in turn have introduced another bug or bugs. :-)

Note: Whichever fix is chosen, it needs to apply to all of the affected optional parameters.

Related WebAdmin bugs

Why doesn't an unselected Dedupe Location Code on the WebAdmin Bulkimport form result in an underscore argument to that parameter? The bulkimport.html input name is DedupeLocation while the bulkimport.cgi test for that parameter is looking for DeDupeLocation. These values are case-sensitive and therefore do not match. This inconsistency should be fixed in bulkimport.cgi in order to be able to select a dedupe location code for bulkimport.

Disclaimer

This information is distributed in the hope that it will be useful, but with no warranties regarding the efficacies of the bug fixes, nor any guarantees that applying the fixes will not introduce additional bugs. USE AT YOUR OWN RISK.

I recommend that you contact Endeavor support regarding fixing any bugs you may have in your WebAdmin software.