Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Main Koha release repository https://koha-community.org
51086 commits 35 branches 616 tags 1.8 GiB
Perl 45.6%
JavaScript 39.3%
HTML 7.2%
XSLT 3.7%
Vue 1.4%
Other 2.3%
Find a file
Jonathan Druart 10068dd604 Bug 36520: Prevent SQL injection in GetPreparedLetter 
Actually in _get_tt_params

The following query will delay the response

SELECT `me`.`biblionumber`, `me`.`frameworkcode`, `me`.`author`, `me`.`title`, `me`.`medium`, `me`.`subtitle`, `me`.`part_number`, `me`.`part_name`, `me`.`unititle`, `me`.`notes`, `me`.`serial`, `me`.`seriestitle`
, `me`.`copyrightdate`, `me`.`timestamp`, `me`.`datecreated`, `me`.`abstract`
  FROM `biblio` `me`
WHERE `biblionumber` = '1) AND (SELECT 1 FROM (SELECT(SLEEP(6)))x)-- -'
ORDER BY field( biblionumber, 1 ) AND (
    SELECT 1
      FROM
    SELECT SLEEP( 6 ) x
   ) -- - )

To test
1/ Add some items to your cart in the opac
2/ Choose send cart
3/ Open firefox developer tools and switch to the network tab
4/ Send cart
5/ In the network tab, find the post request and choose copy as curl
6/ Edit the curl command to add )+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))x)--+-  to the bib_list parameter
7/ Run the curl notice it takes a long time to respond, if you want to check run the curl without the above part added
8/ Apply the patch and restart plack
9/ Run the modified curl and notice no longer the slow down
10/ Test in browser and make sure the basket is still sent

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
2024-06-07 13:16:28 +00:00
acqui Bug 35927: Selecting MARC framework again doesn't work when adding to basket from an external source 2024-05-30 19:10:54 +00:00
admin Bug 33099: Add missing MARC21 Match authority mappings so "Search all headings" search works 2024-05-30 19:29:19 +00:00
api Bug 36329: Miscelaneous spec fixes 2024-05-13 14:40:58 +00:00
authorities Bug 36792: Limit POSIX imports 2024-05-31 15:56:28 +00:00
basket Bug 34731: Don't call SendQueuedMessages if message_id is bad 2023-09-14 07:54:48 -10:00
bin
C4 Bug 36520: Prevent SQL injection in GetPreparedLetter 2024-06-07 13:16:28 +00:00
catalogue Bug 36834: (Bug 29697 follow-up) Koha explodes when trying to open in Labeled MARC view a bibliographic record with an invalid biblionumber 2024-05-31 13:11:16 +00:00
cataloguing Bug 36792: Limit POSIX imports 2024-05-31 15:56:28 +00:00
circ Bug 36376: (QA follow-up) Tidy 2024-05-28 16:27:54 +00:00
clubs Bug 30718: Use flatpickr's altInput 2022-08-19 08:26:31 -03:00
course_reserves Bug 20256: Use new methods 2023-02-02 11:59:26 -03:00
debian Bug 36531: Serve text/javascript compressed, like application/javascript is 2024-05-28 17:46:35 +00:00
docs Bug 35504: Corrections to wiki team 2024-02-02 16:16:48 +00:00
erm Bug 32922: Remove space in shebang 2023-02-20 09:44:06 -03:00
errors
etc Bug 34041: (follow-up) escape double dashes to prevent issues 2024-05-30 19:07:54 +00:00
ill Bug 28909: Allow illview to use backend template 2022-08-09 13:21:39 -03:00
installer Bug 36665: (follow-up) Default preference to enabled 2024-05-31 14:39:00 +00:00
Koha Bug 36818: Escape characters in file names uploaded 2024-06-03 15:20:37 +00:00
koha-tmpl Bug 34263: (QA follow-up): Use flatpickr .clear instead 2024-05-31 15:38:50 +00:00
labels Bug 36511: Some scripts missing a dependency following Bug 24879 2024-04-11 14:28:13 +00:00
lib/CGI/Session/Serialize
members Bug 33849: Do not reset new patrons home library when error occurs 2024-05-30 19:15:53 +00:00
misc Bug 36845: Do not loop over the content attribute 2024-05-31 13:16:26 +00:00
offline_circ Bug 33961: Remove built-in offline circ tool 2023-07-17 08:18:59 +01:00
opac Bug 36858: Remove warnings 2024-05-31 13:21:45 +00:00
patron_lists
patroncards Bug 24001: Fix patron card template edition 2022-04-28 10:49:20 -10:00
plugins Bug 30367: (follow-up) Same adjustment for gitlab 2023-05-05 10:18:57 -03:00
pos Bug 34731: Don't call SendQueuedMessages if message_id is bad 2023-09-14 07:54:48 -10:00
recalls Bug 34013: Recalls awaiting pickup doesn't show count on each tab 2023-07-17 14:51:00 +01:00
reports Bug 31988: Remove reports/itemtypes.plugin 2024-03-26 15:54:33 +00:00
reserve Bug 35979: Check pref before inserting holds_queue background jobs 2024-05-28 20:22:48 +00:00
reviews
rotating_collections
serials Bug 36511: Some scripts missing a dependency following Bug 24879 2024-04-11 14:28:13 +00:00
services
skel
suggestion Bug 34963: Restore the ability to blank fields when editing a suggestion 2024-05-28 19:45:09 +00:00
svc Bug 34913: Adjust C4::Utils::DataTables::VirtualShelves 2024-03-19 19:19:13 +00:00
t Bug 36520: Add tests 2024-06-07 13:16:28 +00:00
tags Bug 30718: Use flatpickr's altInput 2022-08-19 08:26:31 -03:00
tools Bug 34621: implement Patron import option to 'Renew existing patrons' 'from the current membership expiry date' 2024-05-28 19:21:41 +00:00
virtualshelves Bug 36858: Remove warnings 2024-05-31 13:21:45 +00:00
xt Bug 36176: Exclude misc/releases_notes/* 2024-03-27 13:45:17 +00:00
.editorconfig
.eslintrc.json
.gitignore Bug 35174: Add misc/translator/po to .gitignore 2023-11-22 09:34:59 +01:00
.htaccess
.mailmap Bug 36943: (follow-up) 24.05.00 - Update .mailmap 2024-05-31 15:30:58 +00:00
.perlcriticrc
.perltidyrc Bug 30002: Adjust perltidy 2023-07-12 07:55:00 +01:00
.proverc.dist
.stylelintrc.json Bug 31528: (follow-up) A few additional rules 2022-10-03 08:23:15 -03:00
about.pl Bug 36134: Read complete Elasticsearch configuration in about.pl 2024-03-19 20:05:37 +00:00
app.psgi Bug 36149: Add userenv middleware to app.psgi 2024-05-01 15:35:19 +00:00
build-resources.PL Bug 32609: Use the current yarn.lock to generate node_modules 2023-02-10 11:07:57 -03:00
changelanguage.pl
cpanfile Bug 33964: (QA follow-up) Remove library from cpanfile 2023-08-07 20:05:46 -10:00
cypress.json Bug 33408: Extend defaultCommandTimeout for cypress 2023-04-13 11:48:00 -03:00
fix-perl-path.PL
gulpfile.js Bug 36730: (Bug 35428 follow-up) po files (sometimes) fail to update 2024-05-28 21:44:03 +00:00
help.pl
INSTALL
Koha.pm Bug 36665: DBRev 23.05.11.002 2024-05-31 14:35:08 +00:00
kohaversion.pl
LICENSE
mainpage.pl Bug 35019: Add a CSRF token when deleting news 2023-10-25 20:22:12 -10:00
Makefile.PL Bug 26700: Remove occurrences in Makefile.PL 2023-07-17 11:01:46 +01:00
MANIFEST.SKIP
package.json Bug 33066: Introduce a KohaTable Vue component 2023-04-10 07:38:28 -03:00
README
README.md
README.robots
rewrite-config.PL
tsconfig.json Bug 32030: Move cypress to t - fix build_js/watch_js 2022-11-08 09:44:52 -03:00
webpack.config.js Bug 32806: Move main-erm.ts to modules/erm.ts 2023-02-27 11:12:01 -03:00
yarn.lock Bug 33066: Introduce a KohaTable Vue component 2023-04-10 07:38:28 -03:00

README.md

Koha is a free software integrated library system (ILS).

Koha is distributed under the GNU GPL version 3 or later.

Note: Koha does not accept pull requests from git hosting sites.

Note: This project has its own bug tracker, to report a bug or submit a patch visit http://bugs.koha-community.org.

For guidelines on submitting patches for Koha please visit https://wiki.koha-community.org/wiki/SubmitingAPatch

The developers handbook can be found at https://wiki.koha-community.org/wiki/Developer_handbook

http://koha-community.org/

Koha Logo