Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Main Koha release repository https://koha-community.org
28310 commits 35 branches 612 tags 1.8 GiB
Perl 45.3%
JavaScript 39.4%
HTML 7.2%
XSLT 3.9%
Vue 1.4%
Other 2.3%
Find a file
Jonathan Druart a70980d825 Bug 17900: Fix possible SQL injection in patron cards template editing 
To recreate:
/cgi-bin/koha/patroncards/edit-template.pl?op=edit&element_id=23%20and%201%3d2+union+all+select+1,user(),@@version+--%20

Look at the Profile dropdown list.

To fix this problem and to make sure it does not appears anywhere else
in the label and patroncards modules, I have refactored the way the
queries are built in C4::Creators::Lib
Now all of the subroutine takes a hashref in parameters with a 'fields'
and 'filters' parameters.
From these 2 parameters the new internal subroutine _build_query will
build the query and use placeholders.

Test plan:
1/ Make sure you do not recreate the vulnerability with this patch
applied.
2/ With decent data in the labels and patroncards modules, compare all
the different view (undef the New and Manage button groups) with and
without this patch applied.
=> You should not see any differences.

This vulnerability has been reported by MDSec.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-30 11:19:55 +00:00
acqui Bug 17771: aqorders.biblionumber was already part of the query 2017-01-19 12:00:16 +00:00
admin Bug 13726: Make Koha::Acq::Bookseller using Koha::Object 2016-12-30 11:54:32 +00:00
api/v1 Bug 17086: Reword borrowers to patrons in Swagger tags for holds 2016-11-22 11:31:08 +00:00
authorities Bug 17118: (follow-up 15381) Fix regression when clearing a linked authority 2016-09-02 14:01:34 +00:00
basket Bug 17830: CSRF - Handle unicode characters in userid 2016-12-30 17:47:18 +00:00
C4 Bug 17900: Fix possible SQL injection in patron cards template editing 2017-01-30 11:19:55 +00:00
catalogue Bug 13726: Make Koha::Acq::Bookseller using Koha::Object 2016-12-30 11:54:32 +00:00
cataloguing Bug 17629: Koha::Biblio - Remove ModBiblioframework 2017-01-13 12:37:08 +00:00
circ Bug 17588: ->get_issues has been replaced with ->checkouts 2017-01-20 14:25:35 +00:00
course_reserves Bug 15758: Koha::Libraries - Remove GetBranchesLoop 2016-09-08 14:36:02 +00:00
debian Bug 16733: [Follow-up] Add $home to api path too 2017-01-20 14:15:27 +00:00
docs Bug 7143: [QA Follow-up] Handling tabs 2017-01-19 13:42:30 +00:00
errors Bug 15288: Error pages: Code duplication removal and better translatability 2016-01-27 05:57:34 +00:00
etc Bug 7533: Add the template_cache_dir entry to koha-conf.xml 2017-01-20 14:13:52 +00:00
install_misc Bug 16770: Remove 2 other occurrences of libmemoize-memcached-perl 2016-06-24 14:05:56 +00:00
installer Bug 17813 - DBRev 16.12.00.006 2017-01-20 14:00:47 +00:00
Koha Bug 17501: [Follow-up] QA Requests 2017-01-20 14:20:07 +00:00
koha-tmpl Bug 17501: Remove Koha::Upload::get from Koha::Upload 2017-01-20 14:20:05 +00:00
labels Bug 17900: Fix possible SQL injection in patron cards template editing 2017-01-30 11:19:55 +00:00
members Bug 17588: ->get_issues has been replaced with ->checkouts 2017-01-20 14:25:35 +00:00
misc Bug 17731: Remove noxml option from rebuild_zebra.pl 2017-01-19 13:05:08 +00:00
offline_circ Bug 17501: Remove Koha::Upload::get from Koha::Upload 2017-01-20 14:20:05 +00:00
opac Bug 17501: Move getCategories and httpheaders from Upload.pm 2017-01-20 14:20:05 +00:00
OpenILS Bug 9239 QA follow-up: remove stray debug code 2013-03-16 21:32:34 -04:00
patron_lists Bug 16154: CGI->multi_param - Force scalar context 2016-04-26 23:16:43 +00:00
patroncards Bug 17900: Fix possible SQL injection in patron cards template editing 2017-01-30 11:19:55 +00:00
plugins Bug 15879: Allow multiple plugin directories to be defined in koha-conf.xml 2017-01-11 14:03:00 +00:00
reports Bug 17931: Remove unused vars from reserves_stats 2017-01-19 12:47:03 +00:00
reserve Bug 17556: Koha::Patrons - Remove GetHideLostItemsPreference 2016-12-09 18:53:40 +00:00
reviews Bug 15839: Koha::Reviews - Remove C4::Review residue 2016-09-09 10:31:00 +00:00
rotating_collections Bug 15758: Koha::Libraries - Remove GetBranches 2016-09-08 14:36:03 +00:00
serials Bug 13726: Fix for serials/acqui-search-result.pl 2016-12-30 11:54:32 +00:00
services Bug 9978: Replace license header with the correct license (GPLv3+) 2015-04-20 09:59:38 -03:00
skel Bug 11078: Add locking to rebuild_zebra 2014-02-28 22:21:41 +00:00
sms Bug 15258: Fix Perl scripts declaring unused variables 2015-12-30 17:24:45 -07:00
suggestion Bug 17252 - Koha::AuthorisedValues - Remove GetAuthorisedValueByCode 2016-10-21 15:35:21 +00:00
svc Bug 17375: Search by dateofbirth - handle invalid dates 2016-10-27 13:18:32 +00:00
t Bug 17900: Fix possible SQL injection in patron cards template editing 2017-01-30 11:19:55 +00:00
tags Bug 16154: CGI->multi_param - Assign a list 2016-04-26 23:16:43 +00:00
test Bug 9819 - 'stopwords'-related code removed 2015-12-30 15:49:35 +00:00
tmp/modified_authorities changing DO_NOT_REMOVE to README.txt 2007-10-21 19:14:41 -05:00
tools Bug 17588: get_account_lines->get_balance has been replace with account->balance 2017-01-20 14:25:35 +00:00
virtualshelves Bug 17094: Make Koha::Virtualshelf methods return Koha::Objects-based objects 2016-10-11 13:14:46 +00:00
xt Bug 17469: Add missing sample notices fr-CA test 2017-01-19 13:39:10 +00:00
.editorconfig Bug 12545: Add EditorConfig.org file to the source tree 2014-08-22 11:07:45 -03:00
.htaccess Fix file permissions: if it is not a script, it should not be executable. 2010-04-16 00:40:34 -04:00
.mailmap (RM followup) .mailmap updates 2015-05-22 17:02:21 -03:00
about.pl Bug 7533: Add a warning to the about page if template_cache_dir is not set 2017-01-20 14:13:53 +00:00
changelanguage.pl Bug 16776: Do not forget external language choice in language switcher 2016-08-10 13:51:33 +00:00
edithelp.pl Bug 16447: Remove occurrence of the borrow permission which does no longer exist 2016-05-05 21:28:14 +00:00
fix-perl-path.PL Bug 9978: (followup) Replace license header with the correct license (GPLv3+) 2015-04-20 09:59:43 -03:00
help.pl Bug 16724: Fix link to the online documentation links 2016-06-24 12:00:42 +00:00
INSTALL Bug 17626: Remove existing install instructions and link to the wiki pages instead 2016-11-22 11:29:07 +00:00
install-CPAN.pl Bug 9978: Replace license header with the correct license (GPLv3+) 2015-04-20 09:59:38 -03:00
Koha.pm Bug 17813 - DBRev 16.12.00.006 2017-01-20 14:00:47 +00:00
koha_perl_deps.pl bug 10548: fix count of missing required dependencies by koha_perl_deps.pl 2013-07-11 14:03:32 +00:00
kohaversion.pl Bug 13758: Move the Koha version from kohaversion.pl 2015-05-07 11:39:04 -03:00
LICENSE Bug 9440 - update Koha's LICENSE file from GPL2 to GPL3 2013-02-12 08:52:10 -05:00
mainpage.pl Bug 14610 - Add and update scripts 2016-10-26 12:15:14 +00:00
Makefile.PL Bug 16083: [QA FOLLOWUP] Add more cli arguments. 2017-01-13 11:48:29 +00:00
MANIFEST.SKIP Bug 9546 : Updating make manifest tardist 2013-02-06 23:54:46 -05:00
README Bug 9440 - update Koha's LICENSE file from GPL2 to GPL3 2013-02-12 08:52:10 -05:00
README.md Bug 15465 [QA Followup] - Update wording, switch logo, add links 2016-02-24 04:02:26 +00:00
README.robots Bug 6411 add another example to README.robots 2011-07-05 14:48:05 +12:00
rewrite-config.PL Bug 16222: (QA followup) Add /api dir for the API 2016-04-20 21:18:36 +00:00

README.md

Koha is a free software integrated library system (ILS).

Koha is distributed under the GNU GPL version 3 or later.

Note: This is a synced mirror of the official Koha repo.

Note: Koha does not accept pull requests from git hosting sites.

Note: This project has its own bug tracker, to report a bug or submit a patch visit http://bugs.koha-comminity.org.

For guidelines on submitting patches for Koha please visit https://wiki.koha-community.org/wiki/SubmitingAPatch

The developers handbook can be found at https://wiki.koha-community.org/wiki/Developer_handbook

http://koha-community.org/

Koha Logo