Koha/labels
Jonathan Druart a70980d825 Bug 17900: Fix possible SQL injection in patron cards template editing
To recreate:
/cgi-bin/koha/patroncards/edit-template.pl?op=edit&element_id=23%20and%201%3d2+union+all+select+1,user(),@@version+--%20

Look at the Profile dropdown list.

To fix this problem and to make sure it does not appears anywhere else
in the label and patroncards modules, I have refactored the way the
queries are built in C4::Creators::Lib
Now all of the subroutine takes a hashref in parameters with a 'fields'
and 'filters' parameters.
From these 2 parameters the new internal subroutine _build_query will
build the query and use placeholders.

Test plan:
1/ Make sure you do not recreate the vulnerability with this patch
applied.
2/ With decent data in the labels and patroncards modules, compare all
the different view (undef the New and Manage button groups) with and
without this patch applied.
=> You should not see any differences.

This vulnerability has been reported by MDSec.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-30 11:19:55 +00:00
..
label-create-csv.pl Bug 16154: CGI->multi_param - Assign a list 2016-04-26 23:16:43 +00:00
label-create-pdf.pl Bug 16154: CGI->multi_param - Assign a list 2016-04-26 23:16:43 +00:00
label-create-xml.pl Bug 16154: CGI->multi_param - Assign a list 2016-04-26 23:16:43 +00:00
label-edit-batch.pl Bug 17301: Follow-up - Standardize headings 2016-09-25 15:49:10 +00:00
label-edit-layout.pl Bug 16154: CGI->multi_param - Force scalar context 2016-04-26 23:16:43 +00:00
label-edit-profile.pl Bug 17900: Fix possible SQL injection in patron cards template editing 2017-01-30 11:19:55 +00:00
label-edit-template.pl Bug 17900: Fix possible SQL injection in patron cards template editing 2017-01-30 11:19:55 +00:00
label-home.pl
label-item-search.pl Bug 12748: (QA followup) fix several tiny QA tools warnings 2016-04-26 20:20:13 +00:00
label-manage.pl Bug 17900: Fix possible SQL injection in patron cards template editing 2017-01-30 11:19:55 +00:00
label-print.pl Bug 17900: Fix possible SQL injection in patron cards template editing 2017-01-30 11:19:55 +00:00
spinelabel-home.pl Bug 9978: (followup) Replace license header with the correct license (GPLv3+) 2015-04-20 09:59:43 -03:00
spinelabel-print.pl Bug 9978: (followup) Replace license header with the correct license (GPLv3+) 2015-04-20 09:59:43 -03:00