From 14e2c2e5f70dc24a0621545aac8a1f8c568331d3 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Tue, 10 Jan 2017 18:06:51 +0100
Subject: [PATCH] Bug 17902: Fix possible SQL injection in serials editing

/cgi-bin/koha/serials/serials-edit.pl?serstatus=*/+,2,3,'2016-12-12','2016-12-12',6,'jjj7','jjj8'%20--%20-&subscriptionid=1+and+1%3d2+Union+all+select+111+/*

The SQL query is not constructed correctly, placeholders must be used.
Subscription id and status list can be provided by the user.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen
Signed-off-by: Nick Clemens
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Kyle M Hall
(cherry picked from commit f42dbd67d1b960906fd2b98560e7e3724452bce9)
Signed-off-by: Katrin Fischer
---
 C4/Serials.pm | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/C4/Serials.pm b/C4/Serials.pm
index 543b1dceb0..d1f92993bd 100644
--- a/C4/Serials.pm
+++ b/C4/Serials.pm
@@ -739,19 +739,20 @@ sub GetSerials2 {
 return unless ($subscription and @$statuses);
- my $statuses_string = join ',', @$statuses;
- my $dbh = C4::Context->dbh; - my $query = qq| + my $query = q| SELECT serialid,serialseq, status, planneddate, publisheddate, publisheddatetext, notes, routingnotes FROM serial - WHERE subscriptionid=$subscription AND status IN ($statuses_string) + WHERE subscriptionid=? + | . q| AND status IN (| . join( ",", ('?') x @$statuses ) . ")" . q|)| . q| ORDER BY publisheddate,serialid DESC - |; + |;
 $debug and warn "GetSerials2 query: $query";
 my $sth = $dbh->prepare($query);
- $sth->execute;
+ $sth->execute( $subscription, @$statuses );
 my @serials;
 while ( my $line = $sth->fetchrow_hashref ) {
-- 2.39.5
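Review bot: The new IN-list concatenation reads `. join( ",", ('?') x @$statuses ) . ")" . q|)|` as rendered on this page, which would emit two closing parentheses after the placeholder list and make `$dbh->prepare($query)` fail with a syntax error on every call; if the stray `")"` is an artifact of how the diff was collapsed here, disregard this, otherwise drop one of the two so the clause is `. join( ",", ('?') x @$statuses ) . q|)|`. The parameterisation itself is the right fix, and the bind list in `$sth->execute( $subscription, @$statuses )` matches the `('?') x @$statuses` placeholder count, with the empty-list case already handled by the early `return unless` above. The commit changes only C4/Serials.pm and carries no regression test; a db-dependent test for GetSerials2 that passes a status list such as `['1) OR 1=1 --']` and a subscriptionid like `'1 UNION SELECT 1'` and asserts no DBI error and no rows beyond the literal matches would keep this from regressing. GetSerials2 begins before this hunk and its body continues past the `while` line.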