Bug 17901: Fix possible SQL injection in shelf editing
author: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Fri, 13 Jan 2017 16:03:41 +0000 (17:03 +0100)
committer: Mason James <mtj@kohaaloha.com>
Mon, 30 Jan 2017 22:21:33 +0000 (11:21 +1300)
commit: 29f1280ff043c5020b30738735061cbbacc1a74f
tree: bd5842056ff23692f0d67bda4503aa6e39cf890d
parent: f78a0c4eadf638ff8becdd63881165f807c00f85
Bug 17901: Fix possible SQL injection in shelf editing

It has been reported that
/cgi-bin/koha/opac-shelves.pl?op=edit&referer=view&shelfnumber=146&owner=4&shelfname=testX&sortfield=titleaaaaaa\`&category=1

Could lead to SQL injection
Actually it explodes because the generated SQL query is not correctly formatted.

However it would be good to limit the possible values for sortfield.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 45cffd874c62c7b090390c5fb3c955c31f524608)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
opac/opac-shelves.pl
virtualshelves/shelves.pl
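The message recommends limiting the possible values of sortfield rather than relying on the malformed query failing. The following is an added illustration of that allowlist approach (example code, not Koha's own); the set of sortfield names, the table name and the query shape are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed allowlist of sortable shelf columns (chosen for illustration,
# not taken from the Koha source). Only these identifiers may ever be
# interpolated into ORDER BY.
my %ALLOWED_SORTFIELD = map { $_ => 1 }
    qw(title author copyrightdate itemcallnumber dateadded);

# Return the requested sortfield only if it is on the allowlist;
# anything else (including undef) falls back to the default.
sub normalize_sortfield {
    my ($requested, $default) = @_;
    $default //= 'title';
    return $default unless defined $requested;
    return $ALLOWED_SORTFIELD{$requested} ? $requested : $default;
}

# Build the shelf query. The column name is interpolated only after it has
# passed the allowlist, so it can never carry request-controlled text;
# the shelf number, which is data, is bound through a placeholder.
# Table name is assumed for the example.
sub build_shelf_query {
    my ($shelfnumber, $sortfield) = @_;
    my $column = normalize_sortfield($sortfield);
    my $sql = "SELECT biblionumber FROM virtualshelfcontents "
            . "WHERE shelfnumber = ? ORDER BY $column";
    return ($sql, [$shelfnumber]);
}

# Constructed inputs modelled on the report: the value with a trailing
# backtick is not on the allowlist and is replaced by the default.
for my $sortfield ('title', 'author', 'titleaaaaaa`', undef) {
    my ($sql, $binds) = build_shelf_query(146, $sortfield);
    printf "%-14s -> %s\n", defined $sortfield ? $sortfield : 'undef', $sql;
}
```

Pass `$sql` and `@$binds` to `prepare`/`execute` as usual; the point is that the ORDER BY identifier is chosen from a fixed set in code, never taken from the request.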