Bug 36520: Prevent SQL injection in GetPreparedLetter

Actually in _get_tt_params

The following query will delay the response

SELECT `me`.`biblionumber`, `me`.`frameworkcode`, `me`.`author`, `me`.`title`, `me`.`medium`, `me`.`subtitle`, `me`.`part_number`, `me`.`part_name`, `me`.`unititle`, `me`.`notes`, `me`.`serial`, `me`.`seriestitle`
, `me`.`copyrightdate`, `me`.`timestamp`, `me`.`datecreated`, `me`.`abstract`
  FROM `biblio` `me`
WHERE `biblionumber` = '1) AND (SELECT 1 FROM (SELECT(SLEEP(6)))x)-- -'
ORDER BY field( biblionumber, 1 ) AND (
    SELECT 1
      FROM
    SELECT SLEEP( 6 ) x
   ) -- - )

To test
1/ Add some items to your cart in the opac
2/ Choose send cart
3/ Open firefox developer tools and switch to the network tab
4/ Send cart
5/ In the network tab, find the post request and choose copy as curl
6/ Edit the curl command to add )+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))x)--+-  to the bib_list parameter
7/ Run the curl and notice it takes a long time to respond; if you want to check, run the curl without the above part added
8/ Apply the patch and restart plack
9/ Run the modified curl and notice there is no longer a slowdown
10/ Test in browser and make sure the basket is still sent

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
(cherry picked from commit 0b3c98b0ba01ea5c886ecfe8eef174b5b7c6ec25)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Jonathan Druart 2024-05-13 14:47:28 +02:00 committed by Fridolin Somers
parent 33d9bcdd60
commit 3098a95c4e


@ -1890,6 +1890,7 @@ sub _get_tt_params {
}, },
}; };
my $dbh = C4::Context->dbh;
foreach my $table ( keys %$tables ) { foreach my $table ( keys %$tables ) {
next unless $config->{$table}; next unless $config->{$table};
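Review bot: `my $dbh = C4::Context->dbh;` is declared here but only used further down inside the loop, to quote the values that go into literal ORDER BY SQL; hoisting it out of the loop is fine, but a one-line comment saying why a raw DBI handle is needed next to DBIC resultset code would save the next reader from wondering whether the query is being built outside the ORM.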
@ -1915,7 +1916,14 @@ sub _get_tt_params {
# field is a MySQLism, but they are no other way to do it # field is a MySQLism, but they are no other way to do it
# To be generic we could do it in perl, but we will need to fetch # To be generic we could do it in perl, but we will need to fetch
# all the data then order them # all the data then order them
@$values ? ( order_by => \[ "field($key, " . join( ', ', @$values ) . ")" ] ) : () @$values
? (
order_by => \[
sprintf "field(%s, %s)", $key,
join(',', map { $dbh->quote($_) } @$values )
]
)
: ()
} }
); );
$params->{ $config->{$table}->{plural} } = $objects; $params->{ $config->{$table}->{plural} } = $objects;
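Review bot: the quoting closes the hole described in the commit message: each element of `@$values` now goes through `$dbh->quote`, so a value such as `1) AND (SELECT ...` becomes one string literal inside `field(...)` and can no longer terminate the parenthesis, which is necessary because DBIC's `\[ ... ]` form is passed through as raw SQL without bind values. Two points worth confirming: `$key` is still interpolated unquoted into the sprintf, which is only safe if it always comes from the hard-coded column names in `$config` and never from request input, so a comment stating that would help; and `$dbh->quote` renders an undefined value as the bare word NULL, so an undef in `@$values` would produce `field($key, NULL)` rather than a quoted empty string, which may or may not be the ordering you want. Changing the join separator from `', '` to `','` has no effect on the SQL.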