Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Main Koha release repository https://koha-community.org
28312 commits 35 branches 612 tags 1.8 GiB
Perl 45.3%
JavaScript 39.4%
HTML 7.2%
XSLT 3.9%
Vue 1.4%
Other 2.3%
Find a file
Jonathan Druart 45cffd874c Bug 17901: Fix possible SQL injection in shelf editing 
It has been reported that
/cgi-bin/koha/opac-shelves.pl?op=edit&referer=view&shelfnumber=146&owner=4&shelfname=testX&sortfield=titleaaaaaa\`&category=1

Could lead to SQL injection
Actually it explodes because the generated SQL query is not correctly formated.

However it would be good to limit the possible values for sortfield.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-30 11:20:48 +00:00
acqui Bug 17771: aqorders.biblionumber was already part of the query 2017-01-19 12:00:16 +00:00
admin Bug 13726: Make Koha::Acq::Bookseller using Koha::Object 2016-12-30 11:54:32 +00:00
api/v1 Bug 17086: Reword borrowers to patrons in Swagger tags for holds 2016-11-22 11:31:08 +00:00
authorities
basket Bug 17830: CSRF - Handle unicode characters in userid 2016-12-30 17:47:18 +00:00
C4 Bug 17900: Fix possible SQL injection in patron cards template editing 2017-01-30 11:19:55 +00:00
catalogue Bug 13726: Make Koha::Acq::Bookseller using Koha::Object 2016-12-30 11:54:32 +00:00
cataloguing Bug 17629: Koha::Biblio - Remove ModBiblioframework 2017-01-13 12:37:08 +00:00
circ Bug 17588: ->get_issues has been replaced with ->checkouts 2017-01-20 14:25:35 +00:00
course_reserves Bug 15758: Koha::Libraries - Remove GetBranchesLoop 2016-09-08 14:36:02 +00:00
debian Bug 16733: [Follow-up] Add $home to api path too 2017-01-20 14:15:27 +00:00
docs Bug 7143: [QA Follow-up] Handling tabs 2017-01-19 13:42:30 +00:00
errors Bug 15288: Error pages: Code duplication removal and better translatability 2016-01-27 05:57:34 +00:00
etc Bug 7533: Add the template_cache_dir entry to koha-conf.xml 2017-01-20 14:13:52 +00:00
install_misc Bug 16770: Remove 2 other occurrences of libmemoize-memcached-perl 2016-06-24 14:05:56 +00:00
installer Bug 17813 - DBRev 16.12.00.006 2017-01-20 14:00:47 +00:00
Koha Bug 17501: [Follow-up] QA Requests 2017-01-20 14:20:07 +00:00
koha-tmpl Bug 17501: Remove Koha::Upload::get from Koha::Upload 2017-01-20 14:20:05 +00:00
labels Bug 17900: Fix possible SQL injection in patron cards template editing 2017-01-30 11:19:55 +00:00
members Bug 17588: ->get_issues has been replaced with ->checkouts 2017-01-20 14:25:35 +00:00
misc Bug 17731: Remove noxml option from rebuild_zebra.pl 2017-01-19 13:05:08 +00:00
offline_circ Bug 17501: Remove Koha::Upload::get from Koha::Upload 2017-01-20 14:20:05 +00:00
opac Bug 17901: Fix possible SQL injection in shelf editing 2017-01-30 11:20:48 +00:00
OpenILS
patron_lists Bug 16154: CGI->multi_param - Force scalar context 2016-04-26 23:16:43 +00:00
patroncards Bug 17900: Fix possible SQL injection in patron cards template editing 2017-01-30 11:19:55 +00:00
plugins Bug 15879: Allow multiple plugin directories to be defined in koha-conf.xml 2017-01-11 14:03:00 +00:00
reports Bug 17931: Remove unused vars from reserves_stats 2017-01-19 12:47:03 +00:00
reserve Bug 17556: Koha::Patrons - Remove GetHideLostItemsPreference 2016-12-09 18:53:40 +00:00
reviews Bug 15839: Koha::Reviews - Remove C4::Review residue 2016-09-09 10:31:00 +00:00
rotating_collections Bug 15758: Koha::Libraries - Remove GetBranches 2016-09-08 14:36:03 +00:00
serials Bug 13726: Fix for serials/acqui-search-result.pl 2016-12-30 11:54:32 +00:00
services
skel
sms
suggestion Bug 17252 - Koha::AuthorisedValues - Remove GetAuthorisedValueByCode 2016-10-21 15:35:21 +00:00
svc Bug 17375: Search by dateofbirth - handle invalid dates 2016-10-27 13:18:32 +00:00
t Bug 17900: Update the tests to the new API 2017-01-30 11:19:56 +00:00
tags
test
tmp/modified_authorities
tools Bug 17588: get_account_lines->get_balance has been replace with account->balance 2017-01-20 14:25:35 +00:00
virtualshelves Bug 17901: Fix possible SQL injection in shelf editing 2017-01-30 11:20:48 +00:00
xt Bug 17469: Add missing sample notices fr-CA test 2017-01-19 13:39:10 +00:00
.editorconfig
.htaccess Fix file permissions: if it is not a script, it should not be executable. 2010-04-16 00:40:34 -04:00
.mailmap
about.pl Bug 7533: Add a warning to the about page if template_cache_dir is not set 2017-01-20 14:13:53 +00:00
changelanguage.pl
edithelp.pl Bug 16447: Remove occurrence of the borrow permission which does no longer exist 2016-05-05 21:28:14 +00:00
fix-perl-path.PL Bug 9978: (followup) Replace license header with the correct license (GPLv3+) 2015-04-20 09:59:43 -03:00
help.pl
INSTALL Bug 17626: Remove existing install instructions and link to the wiki pages instead 2016-11-22 11:29:07 +00:00
install-CPAN.pl Bug 9978: Replace license header with the correct license (GPLv3+) 2015-04-20 09:59:38 -03:00
Koha.pm Bug 17813 - DBRev 16.12.00.006 2017-01-20 14:00:47 +00:00
koha_perl_deps.pl
kohaversion.pl
LICENSE Bug 9440 - update Koha's LICENSE file from GPL2 to GPL3 2013-02-12 08:52:10 -05:00
mainpage.pl Bug 14610 - Add and update scripts 2016-10-26 12:15:14 +00:00
Makefile.PL Bug 16083: [QA FOLLOWUP] Add more cli arguments. 2017-01-13 11:48:29 +00:00
MANIFEST.SKIP
README
README.md
README.robots
rewrite-config.PL

README.md

Koha is a free software integrated library system (ILS).

Koha is distributed under the GNU GPL version 3 or later.

Note: This is a synced mirror of the official Koha repo.

Note: Koha does not accept pull requests from git hosting sites.

Note: This project has its own bug tracker, to report a bug or submit a patch visit http://bugs.koha-comminity.org.

For guidelines on submitting patches for Koha please visit https://wiki.koha-community.org/wiki/SubmitingAPatch

The developers handbook can be found at https://wiki.koha-community.org/wiki/Developer_handbook

http://koha-community.org/

Koha Logo