Koha/opac
Chris Cormack 9d6ca5e67a Bug 36520: Sanitize input in opac-sendbasket.pl
To test
1/ Add some items to your cart in the opac
2/ Choose send cart
6/ Open Firefox developer tools and switch to the network tab
4/ Send cart
5/ In the network tab, find the post request and choose copy as curl
6/ Edit the curl command to add )+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))x)--+-  to the bib_list parameter
7/ Run the curl command and notice that it takes a long time to respond; if you want to check, run the curl command without the part added above
8/ Apply the patch and restart plack
9/ Run the modified curl command and notice that the slowdown no longer occurs
10/ Test in browser and make sure the basket is still sent

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
2024-06-07 13:16:28 +00:00
clubs Bug 35941: (QA follow-up) Tidy clubs-tab.pl 2024-03-11 14:54:57 +00:00
errors
external/overdrive
sci
sco Bug 34557: Add SCOLoadCheckoutsByDefault system preference 2023-11-10 10:52:35 -10:00
svc Bug 35942: OPAC user can enroll several times to the same club [23.05.x] 2024-02-22 14:35:01 +00:00
ilsdi.pl
maintenance.pl
oai.pl
opac-account-pay-return.pl
opac-account-pay.pl Bug 36088: Remove useless code form opac-account-pay.pl 2024-03-19 15:13:47 +00:00
opac-account.pl
opac-addbybiblionumber.pl Bug 30418: Add ability for permitted staff to edit list contents 2023-05-15 18:23:57 -03:00
opac-alert-subscribe.pl
opac-article-request-cancel.pl
opac-authorities-home.pl Bug 33803: Remove comment about tab width 2023-06-09 11:22:17 -03:00
opac-authoritiesdetail.pl Bug 21330: Allow XSLT for authority detail view in OPAC 2023-05-15 18:24:03 -03:00
opac-basket.pl Bug 33102: Display fields from biblioitems in OPAC/staff interface cart 2023-05-05 17:45:19 -03:00
opac-blocked.pl Bug 35952: Remove unnecessary line for OpacSuppressionMessage 2024-03-19 15:27:39 +00:00
opac-browse.pl
opac-browser.pl
opac-changelanguage.pl
opac-course-details.pl
opac-course-reserves.pl
opac-curbside-pickups.pl
opac-detail.pl Bug 34886: Adjust other opac detail scripts 2024-05-13 19:26:11 +00:00
opac-discharge.pl
opac-dismiss-message.pl Bug 36532: Protect opac-dismiss-message.pl from malicious usages 2024-05-01 15:14:08 +00:00
opac-downloadcart.pl
opac-downloadshelf.pl Bug 33069: Fix error in MARC download for OPAC lists 2023-05-09 10:57:55 -03:00
opac-export.pl
opac-holdshistory.pl
opac-ics.pl
opac-idref.pl
opac-illrequests.pl Bug 33702: (QA follow-up) Do not crash on borrowernumber 2023-05-29 09:21:51 -03:00
opac-image.pl Bug 33047: Return 404 instead of 500 when biblio does not exist 2023-07-18 10:28:24 +01:00
opac-imageviewer.pl
opac-ISBDdetail.pl Bug 35961: (follow-up) Pass along the borrowernumber 2024-05-30 19:42:49 +00:00
opac-issue-note.pl
opac-library.pl
opac-main.pl Bug 31051: Show patron savings on the OPAC 2023-02-22 10:03:33 -03:00
opac-MARCdetail.pl Bug 35961: (follow-up) Pass along the borrowernumber 2024-05-30 19:42:49 +00:00
opac-memberentry.pl Bug 35929: Remove extra parenthesis 2024-05-31 13:17:50 +00:00
opac-messaging.pl
opac-modrequest-suspend.pl Bug 35492: Open holds tab by default on opac-user.pl after suspending a hold 2024-01-04 18:47:51 +00:00
opac-modrequest.pl Bug 35495: Open holds tab by default on opac-user.pl after cancelling a hold 2024-01-04 18:49:18 +00:00
opac-mymessages.pl
opac-news-rss.pl
opac-overdrive-search.pl
opac-page.pl
opac-passwd.pl
opac-password-recovery.pl
opac-patron-consent.pl Bug 33197: Rename GDPR_Policy system preference 2023-05-05 10:18:54 -03:00
opac-patron-image.pl
opac-privacy.pl
opac-ratings.pl
opac-readingrecord.pl Bug 33951: (QA follow-up) Import GetNormalizedOCLCNumber 2023-07-12 07:58:01 +01:00
opac-recall.pl Bug 36142: recallsview template param for opac-recall.tt 2024-05-28 17:33:39 +00:00
opac-recalls.pl
opac-registration-verify.pl Bug 34731: Don't call SendQueuedMessages if message_id is bad 2023-09-14 07:54:48 -10:00
opac-renew.pl Bug 31735: Optimize OPAC checkouts view 2023-05-12 12:40:29 -03:00
opac-reportproblem.pl
opac-request-article.pl Bug 36072: opac-request-article should check syspref 2024-02-21 21:45:06 +00:00
opac-reserve.pl Bug 35977: (follow-up) Cleaner working approach 2024-05-28 20:36:11 +00:00
opac-reset-password.pl
opac-restrictedpage.pl
opac-retrieve-file.pl
opac-review.pl
opac-routing-lists.pl
opac-search-history.pl
opac-search.pl Bug 33819: Add page numbers to opac results breadcrumb 2023-10-09 08:50:38 -10:00
opac-sendbasket.pl Bug 36520: Sanitize input in opac-sendbasket.pl 2024-06-07 13:16:28 +00:00
opac-sendshelf.pl Bug 34731: Don't call SendQueuedMessages if message_id is bad 2023-09-14 07:54:48 -10:00
opac-serial-issues.pl
opac-shareshelf.pl
opac-shelves.pl Bug 36858: Remove warnings 2024-05-31 13:21:45 +00:00
opac-showmarc.pl
opac-showreviews.pl
opac-suggestions.pl Bug 33236: Move NewSuggestion to Koha::Suggestion->store 2023-06-09 12:04:46 -03:00
opac-tags.pl
opac-tags_subject.pl
opac-topissues.pl
opac-user.pl Bug 35496: (QA follow-up): tidy up code 2024-01-04 18:52:26 +00:00
tracklinks.pl
unapi