git.koha-community.org Git - koha.git/commit
Bug 14521: SQL injection in local use system preferences
author David Cook <dcook@prosentient.com.au>
Mon, 13 Jul 2015 04:06:46 +0000 (14:06 +1000)
committer Chris Cormack <chrisc@catalyst.net.nz>
Tue, 21 Jul 2015 04:02:14 +0000 (16:02 +1200)
commit b928430696cf25ed705e463af24639f2876475ab
tree 0086a20cfa299ba590064050bba48336f0173fc0
parent 0df49d540612fe841365d9b6c4c7265fdb65c737
Bug 14521: SQL injection in local use system preferences

This patch fixes a SQL injection vulnerability in the local use
system preferences.

_TEST PLAN_

Before applying:

1) Go to Global System Preferences
2) Click on the "Local use" tab
3) Add a new preference with the value "') or '1' = '1' -- "
(be sure to include the space at the end after the comment --).
4) When the page refreshes, you should now see about 99 other system
preferences which shouldn't be showing up.

5) Apply the patch

6) Refresh the page
7) Note that you now only see a system preference for "') or '1' = '1' -- "
and the other actual local use system preferences.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit a72262a950aa701cebe460e2a3a7586edecd86be)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
admin/systempreferences.pl
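
The behaviour in the test plan matches a stored (second-order) injection: a preference name is saved safely, then later pasted into the text of another query. The following is an added example, not Koha's code and not part of this commit; the table layout, the `CORE` set, the function names and the query shape are assumptions, and it uses Python's `sqlite3` rather than Perl DBI so that it runs self-contained.

```python
import sqlite3

# Constructed sample data; schema and queries are assumptions, not Koha's own.
PAYLOAD = "') or '1' = '1' -- "          # preference name from the test plan
CORE = {"OPACBaseURL", "marcflavour"}    # stand-in for built-in preferences

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE systempreferences (variable TEXT PRIMARY KEY, value TEXT)")
    rows = [("OPACBaseURL", "x"), ("marcflavour", "MARC21"),
            ("MyLocalPref", "1"), (PAYLOAD, "")]
    # Saving the name through placeholders is safe; the flaw is in the later read.
    db.executemany("INSERT INTO systempreferences VALUES (?, ?)", rows)
    return db

def local_names(db):
    # Names come back out of the database, so they are stored user input.
    names = [r[0] for r in db.execute("SELECT variable FROM systempreferences")]
    return [n for n in names if n not in CORE]

def list_local_concat(db):
    # Before: stored names are pasted into the SQL text, so the quote and
    # comment marker in PAYLOAD rewrite the WHERE clause.
    in_list = ",".join("'%s'" % n for n in local_names(db))
    sql = "SELECT variable FROM systempreferences WHERE variable IN (%s)" % in_list
    return sorted(r[0] for r in db.execute(sql))

def list_local_bound(db):
    # After: one placeholder per name; values travel as data, never as SQL.
    names = local_names(db)
    marks = ",".join("?" * len(names))
    sql = "SELECT variable FROM systempreferences WHERE variable IN (%s)" % marks
    return sorted(r[0] for r in db.execute(sql, names))

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", list_local_concat(db))   # every row, core ones included
    print("bound:       ", list_local_bound(db))    # only the two local names
```

With bound parameters the odd name is listed as an ordinary preference alongside the real local one, which is the outcome step 7 of the test plan describes.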