Jonathan Druart
a70980d825
To recreate: /cgi-bin/koha/patroncards/edit-template.pl?op=edit&element_id=23%20and%201%3d2+union+all+select+1,user(),@@version+--%20 Look at the Profile dropdown list. To fix this problem and to make sure it does not appears anywhere else in the label and patroncards modules, I have refactored the way the queries are built in C4::Creators::Lib Now all of the subroutine takes a hashref in parameters with a 'fields' and 'filters' parameters. From these 2 parameters the new internal subroutine _build_query will build the query and use placeholders. Test plan: 1/ Make sure you do not recreate the vulnerability with this patch applied. 2/ With decent data in the labels and patroncards modules, compare all the different view (undef the New and Manage button groups) with and without this patch applied. => You should not see any differences. This vulnerability has been reported by MDSec. Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> |
||
|---|---|---|
| .. | ||
| label-create-csv.pl | ||
| label-create-pdf.pl | ||
| label-create-xml.pl | ||
| label-edit-batch.pl | ||
| label-edit-layout.pl | ||
| label-edit-profile.pl | ||
| label-edit-template.pl | ||
| label-home.pl | ||
| label-item-search.pl | ||
| label-manage.pl | ||
| label-print.pl | ||
| spinelabel-home.pl | ||
| spinelabel-print.pl | ||