Koha-community
/
Koha
13
5
Fork 0
Code Issues Releases Wiki Activity
Browse Source

Bug 17901: Fix possible SQL injection in shelf editing 

It has been reported that
/cgi-bin/koha/opac-shelves.pl?op=edit&referer=view&shelfnumber=146&owner=4&shelfname=testX&sortfield=titleaaaaaa\`&category=1

Could lead to SQL injection
Actually it explodes because the generated SQL query is not correctly formated.

However it would be good to limit the possible values for sortfield.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
17.05.x
Jonathan Druart 7 years ago
committed by Kyle M Hall
parent
42460b8714
commit
45cffd874c
2 changed files with 8 additions and 3 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 6
      opac/opac-shelves.pl
  2. 5
      virtualshelves/shelves.pl

6
opac/opac-shelves.pl
View File

@ -105,9 +105,11 @@ if ( $op eq 'add_form' ) {
$shelf = Koha::Virtualshelves->find($shelfnumber);
if ( $shelf ) {
$op = $referer;
my $sortfield = $query->param('sortfield');
$sortfield = 'title' unless grep {/^$sortfield$/}qw( title author copyrightdate itemcallnumber );
if ( $shelf->can_be_managed( $loggedinuser ) ) {
$shelf->shelfname( $query->param('shelfname') );
$shelf->sortfield( $query->param('sortfield') );
$shelf->sortfield( $sortfield );
$shelf->allow_add( $query->param('allow_add') );
$shelf->allow_delete_own( $query->param('allow_delete_own') );
$shelf->allow_delete_other( $query->param('allow_delete_other') );
@ -226,6 +228,7 @@ if ( $op eq 'view' ) {
if ( $shelf->can_be_viewed( $loggedinuser ) ) {
$category = $shelf->category;
my $sortfield = $query->param('sortfield') || $shelf->sortfield; # Passed in sorting overrides default sorting
$sortfield = 'title' unless grep {/^$sortfield$/}qw( title author copyrightdate itemcallnumber );
my $direction = $query->param('direction') || 'asc';
$direction = 'asc' if $direction ne 'asc' and $direction ne 'desc';
my ( $page, $rows );
@ -326,7 +329,6 @@ if ( $op eq 'view' ) {
can_delete_shelf => $shelf->can_be_deleted($loggedinuser),
can_remove_biblios => $shelf->can_biblios_be_removed($loggedinuser),
can_add_biblios => $shelf->can_biblios_be_added($loggedinuser),
sortfield => $sortfield,
itemsloop => \@items,
sortfield => $sortfield,
direction => $direction,

5
virtualshelves/shelves.pl
View File

@ -94,9 +94,11 @@ if ( $op eq 'add_form' ) {
if ( $shelf ) {
$op = $referer;
my $sortfield = $query->param('sortfield');
$sortfield = 'title' unless grep {/^$sortfield$/}qw( title author copyrightdate itemcallnumber );
if ( $shelf->can_be_managed( $loggedinuser ) ) {
$shelf->shelfname( scalar $query->param('shelfname') );
$shelf->sortfield( scalar $query->param('sortfield') );
$shelf->sortfield( $sortfield );
$shelf->allow_add( scalar $query->param('allow_add') );
$shelf->allow_delete_own( scalar $query->param('allow_delete_own') );
$shelf->allow_delete_other( scalar $query->param('allow_delete_other') );
@ -197,6 +199,7 @@ if ( $op eq 'view' ) {
if ( $shelf ) {
if ( $shelf->can_be_viewed( $loggedinuser ) ) {
my $sortfield = $query->param('sortfield') || $shelf->sortfield || 'title'; # Passed in sorting overrides default sorting
$sortfield = 'title' unless grep {/^$sortfield$/}qw( title author copyrightdate itemcallnumber );
my $direction = $query->param('direction') || 'asc';
$direction = 'asc' if $direction ne 'asc' and $direction ne 'desc';
my ( $rows, $page );

Write Preview
Loading…
Cancel
Save