Main Koha release repository https://koha-community.org
Find a file
Jonathan Druart 45cffd874c Bug 17901: Fix possible SQL injection in shelf editing
It has been reported that
/cgi-bin/koha/opac-shelves.pl?op=edit&referer=view&shelfnumber=146&owner=4&shelfname=testX&sortfield=titleaaaaaa\`&category=1

Could lead to SQL injection
Actually it explodes because the generated SQL query is not correctly formated.

However it would be good to limit the possible values for sortfield.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-30 11:20:48 +00:00
acqui Bug 17771: aqorders.biblionumber was already part of the query 2017-01-19 12:00:16 +00:00
admin Bug 13726: Make Koha::Acq::Bookseller using Koha::Object 2016-12-30 11:54:32 +00:00
api/v1 Bug 17086: Reword borrowers to patrons in Swagger tags for holds 2016-11-22 11:31:08 +00:00
authorities Bug 17118: (follow-up 15381) Fix regression when clearing a linked authority 2016-09-02 14:01:34 +00:00
basket Bug 17830: CSRF - Handle unicode characters in userid 2016-12-30 17:47:18 +00:00
C4 Bug 17900: Fix possible SQL injection in patron cards template editing 2017-01-30 11:19:55 +00:00
catalogue Bug 13726: Make Koha::Acq::Bookseller using Koha::Object 2016-12-30 11:54:32 +00:00
cataloguing Bug 17629: Koha::Biblio - Remove ModBiblioframework 2017-01-13 12:37:08 +00:00
circ Bug 17588: ->get_issues has been replaced with ->checkouts 2017-01-20 14:25:35 +00:00
course_reserves Bug 15758: Koha::Libraries - Remove GetBranchesLoop 2016-09-08 14:36:02 +00:00
debian Bug 16733: [Follow-up] Add $home to api path too 2017-01-20 14:15:27 +00:00
docs Bug 7143: [QA Follow-up] Handling tabs 2017-01-19 13:42:30 +00:00
errors Bug 15288: Error pages: Code duplication removal and better translatability 2016-01-27 05:57:34 +00:00
etc Bug 7533: Add the template_cache_dir entry to koha-conf.xml 2017-01-20 14:13:52 +00:00
install_misc Bug 16770: Remove 2 other occurrences of libmemoize-memcached-perl 2016-06-24 14:05:56 +00:00
installer Bug 17813 - DBRev 16.12.00.006 2017-01-20 14:00:47 +00:00
Koha Bug 17501: [Follow-up] QA Requests 2017-01-20 14:20:07 +00:00
koha-tmpl Bug 17501: Remove Koha::Upload::get from Koha::Upload 2017-01-20 14:20:05 +00:00
labels Bug 17900: Fix possible SQL injection in patron cards template editing 2017-01-30 11:19:55 +00:00
members Bug 17588: ->get_issues has been replaced with ->checkouts 2017-01-20 14:25:35 +00:00
misc Bug 17731: Remove noxml option from rebuild_zebra.pl 2017-01-19 13:05:08 +00:00
offline_circ Bug 17501: Remove Koha::Upload::get from Koha::Upload 2017-01-20 14:20:05 +00:00
opac Bug 17901: Fix possible SQL injection in shelf editing 2017-01-30 11:20:48 +00:00
OpenILS
patron_lists Bug 16154: CGI->multi_param - Force scalar context 2016-04-26 23:16:43 +00:00
patroncards Bug 17900: Fix possible SQL injection in patron cards template editing 2017-01-30 11:19:55 +00:00
plugins Bug 15879: Allow multiple plugin directories to be defined in koha-conf.xml 2017-01-11 14:03:00 +00:00
reports Bug 17931: Remove unused vars from reserves_stats 2017-01-19 12:47:03 +00:00
reserve Bug 17556: Koha::Patrons - Remove GetHideLostItemsPreference 2016-12-09 18:53:40 +00:00
reviews Bug 15839: Koha::Reviews - Remove C4::Review residue 2016-09-09 10:31:00 +00:00
rotating_collections Bug 15758: Koha::Libraries - Remove GetBranches 2016-09-08 14:36:03 +00:00
serials Bug 13726: Fix for serials/acqui-search-result.pl 2016-12-30 11:54:32 +00:00
services
skel
sms Bug 15258: Fix Perl scripts declaring unused variables 2015-12-30 17:24:45 -07:00
suggestion Bug 17252 - Koha::AuthorisedValues - Remove GetAuthorisedValueByCode 2016-10-21 15:35:21 +00:00
svc Bug 17375: Search by dateofbirth - handle invalid dates 2016-10-27 13:18:32 +00:00
t Bug 17900: Update the tests to the new API 2017-01-30 11:19:56 +00:00
tags Bug 16154: CGI->multi_param - Assign a list 2016-04-26 23:16:43 +00:00
test Bug 9819 - 'stopwords'-related code removed 2015-12-30 15:49:35 +00:00
tmp/modified_authorities
tools Bug 17588: get_account_lines->get_balance has been replace with account->balance 2017-01-20 14:25:35 +00:00
virtualshelves Bug 17901: Fix possible SQL injection in shelf editing 2017-01-30 11:20:48 +00:00
xt Bug 17469: Add missing sample notices fr-CA test 2017-01-19 13:39:10 +00:00
.editorconfig
.htaccess
.mailmap (RM followup) .mailmap updates 2015-05-22 17:02:21 -03:00
about.pl Bug 7533: Add a warning to the about page if template_cache_dir is not set 2017-01-20 14:13:53 +00:00
changelanguage.pl Bug 16776: Do not forget external language choice in language switcher 2016-08-10 13:51:33 +00:00
edithelp.pl Bug 16447: Remove occurrence of the borrow permission which does no longer exist 2016-05-05 21:28:14 +00:00
fix-perl-path.PL
help.pl Bug 16724: Fix link to the online documentation links 2016-06-24 12:00:42 +00:00
INSTALL Bug 17626: Remove existing install instructions and link to the wiki pages instead 2016-11-22 11:29:07 +00:00
install-CPAN.pl
Koha.pm Bug 17813 - DBRev 16.12.00.006 2017-01-20 14:00:47 +00:00
koha_perl_deps.pl
kohaversion.pl
LICENSE
mainpage.pl Bug 14610 - Add and update scripts 2016-10-26 12:15:14 +00:00
Makefile.PL Bug 16083: [QA FOLLOWUP] Add more cli arguments. 2017-01-13 11:48:29 +00:00
MANIFEST.SKIP Bug 9546 : Updating make manifest tardist 2013-02-06 23:54:46 -05:00
README
README.md Bug 15465 [QA Followup] - Update wording, switch logo, add links 2016-02-24 04:02:26 +00:00
README.robots
rewrite-config.PL Bug 16222: (QA followup) Add /api dir for the API 2016-04-20 21:18:36 +00:00

Koha is a free software integrated library system (ILS).

Koha is distributed under the GNU GPL version 3 or later.

Note: This is a synced mirror of the official Koha repo.

Note: Koha does not accept pull requests from git hosting sites.

Note: This project has its own bug tracker, to report a bug or submit a patch visit http://bugs.koha-comminity.org.

For guidelines on submitting patches for Koha please visit https://wiki.koha-community.org/wiki/SubmitingAPatch

The developers handbook can be found at https://wiki.koha-community.org/wiki/Developer_handbook

http://koha-community.org/

Koha Logo