From 8924439054fec94acabef6045f21369117e528f0 Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Tue, 10 Jan 2017 18:06:51 +0100
Subject: [PATCH] Bug 17902: Fix possible SQL injection in serials editing

/cgi-bin/koha/serials/serials-edit.pl?serstatus=*/+,2,3,'2016-12-12','2016-12-12',6,'jjj7','jjj8'%20--%20-&subscriptionid=1+and+1%3d2+Union+all+select+111+/*

The SQL query is not constructed correctly, placeholders must be used.
Subscription id and status list can be provided by the user.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
---
 C4/Serials.pm | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/C4/Serials.pm b/C4/Serials.pm
index 543b1dceb0..d1f92993bd 100644
--- a/C4/Serials.pm
+++ b/C4/Serials.pm
@@ -739,19 +739,20 @@ sub GetSerials2 {
 
     return unless ($subscription and @$statuses);
 
-    my $statuses_string = join ',', @$statuses;
-
     my $dbh   = C4::Context->dbh;
-    my $query = qq|
+    my $query = q|
                  SELECT serialid,serialseq, status, planneddate, publisheddate,
                     publisheddatetext, notes, routingnotes
                  FROM     serial 
-                 WHERE    subscriptionid=$subscription AND status IN ($statuses_string)
+                 WHERE    subscriptionid=?
+            |
+            . q| AND status IN (| . join( ",", ('?') x @$statuses ) . ")" . q|)|
+            . q|
                  ORDER BY publisheddate,serialid DESC
-                    |;
+    |;
     $debug and warn "GetSerials2 query: $query";
     my $sth = $dbh->prepare($query);
-    $sth->execute;
+    $sth->execute( $subscription, @$statuses );
     my @serials;
 
     while ( my $line = $sth->fetchrow_hashref ) {
-- 
2.20.1