tpac : sanity check record ID in detail page path

If the ID is malformed (or nonexistent), return a BAD_REQUEST status and
exit early to avoid any unnecessary DB lookups and error logging.

Signed-off-by: Bill Erickson <berick@esilibrary.com>
Signed-off-by: Mike Rylander <mrylander@gmail.com>

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Record.pm b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Record.pm
index bd5a22e..70010bd 100644 (file)
--- a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Record.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Record.pm
@@ -21,8 +21,10 @@ sub load_record {
 
     $self->timelog("load_record() began");
 
-    my $rec_id = $ctx->{page_args}->[0]
-        or return Apache2::Const::HTTP_BAD_REQUEST;
+    my $rec_id = $ctx->{page_args}->[0];
+
+    return Apache2::Const::HTTP_BAD_REQUEST 
+        unless $rec_id and $rec_id =~ /^\d+$/;
 
     $self->added_content_stage1($rec_id);
     $self->timelog("past added content stage 1");