Bug 37210: Escape single quote in search string in overdue.pl

To Test:
1. Go to /cgi-bin/koha/circ/overdue.pl
2. In the «Name or card number» field, type «Tommy'and(select(0)from(select(sleep(10)))v)and'»
3. Apply the filter
   ==> It takes 10 seconds, sleep(10) is executed
4. Inspect the page, in the «Patron category:» field, put «Tommy'and(select(0)from(select(sleep(10)))v)and'» in one of its options' value
5. Select the option from the filter and Apply the filter
   ==> It takes 10 seconds, sleep(10) is executed
We can inject SQL into the following fields: borname, itemtype, borcat, holdingbranch, homebranch and branch
6. Apply the patch
7. Repeat steps 1, 2, 3
   ==> it doesn't take 10 seconds, the injected SQL is not executed
8. Repeat step 5
   ==> it doesn't take 10 seconds, the injected SQL is not executed
9. Repeat step 5 with the following fields: itemtype, holdingbranch, homebranch and branch
   ==> it doesn't take 10 seconds, the injected SQL is not executed

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This commit is contained in:
Hammat Wele 2024-06-27 14:09:04 +00:00 committed by Katrin Fischer
parent f7aabc532a
commit 56abb85b1a
Signed by: kfischer
GPG key ID: 0EF6E2C03357A834


@ -231,6 +231,14 @@ if ($noreport) {
$bornamefilter =~ s/\*/\%/g;
$bornamefilter =~ s/\?/\_/g;
# Escape single quote
$bornamefilter =~s/'/\\'/g;
$itemtypefilter =~s/'/\\'/g;
$borcatfilter =~s/'/\\'/g;
$holdingbranchfilter =~s/'/\\'/g;
$homebranchfilter =~s/'/\\'/g;
$branchfilter =~s/'/\\'/g;
my $strsth = "SELECT date_due,
borrowers.title as borrowertitle,
borrowers.surname,
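Review bot: the six `=~s/'/\\'/g;` substitutions only escape the single quote and leave backslashes in the input untouched, so a value that already ends in a backslash before the quote (`\'`) becomes `\\'`, which the server reads as an escaped backslash followed by an unescaped quote; the filter values are still being interpolated into `$strsth` as literals, so this is an incomplete mitigation rather than a fix. Suggest replacing the string interpolation with placeholders (`?` in the statement and the filter values passed to `execute`), or at minimum `$dbh->quote($bornamefilter)` and friends, which also handles the `*`/`?` wildcard rewrite lines above correctly since `%` and `_` are not affected by quoting. The `# Escape single quote` comment should then go, as the escaping would no longer be done by hand.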