git.koha-community.org Git - koha.git/commit
Bug 17900: Fix possible SQL injection in patron cards template editing
author: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Fri, 13 Jan 2017 16:43:25 +0000 (17:43 +0100)
committer: Katrin Fischer <katrin.fischer.83@web.de>
Mon, 30 Jan 2017 14:37:54 +0000 (15:37 +0100)
commit: 539758ba2a7b4f5005e5a659d9d6ba30c201f5ed
tree: 3231051bb9b995f953ab7d7e4b9229d0dd0f426e
parent: f03a1bfe0ef671e59fc6cef8cd325a40ad0e91bb
Bug 17900: Fix possible SQL injection in patron cards template editing

To recreate:
/cgi-bin/koha/patroncards/edit-template.pl?op=edit&element_id=23%20and%201%3d2+union+all+select+1,user(),@@version+--%20

Look at the Profile dropdown list.

To fix this problem and to make sure it does not appear anywhere else
in the label and patroncards modules, I have refactored the way the
queries are built in C4::Creators::Lib.
Now all of the subroutines take a hashref in parameters with 'fields'
and 'filters' parameters.
From these 2 parameters the new internal subroutine _build_query will
build the query and use placeholders.

Test plan:
1/ Make sure you do not recreate the vulnerability with this patch
applied.
2/ With decent data in the labels and patroncards modules, compare all
the different views (under the New and Manage button groups) with and
without this patch applied.
=> You should not see any differences.

This vulnerability has been reported by MDSec.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit a70980d8255a66c33539926796c06b29b26fbb40)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
C4/Creators/Lib.pm
labels/label-edit-profile.pl
labels/label-edit-template.pl
labels/label-manage.pl
labels/label-print.pl
patroncards/edit-profile.pl
patroncards/edit-template.pl
patroncards/manage.pl
patroncards/print.pl
t/db_dependent/Creators/Lib.t
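The commit message describes replacing string-built SQL with an internal `_build_query` that takes `fields` and `filters` and emits placeholders. The following is an added illustration of that pattern, not Koha's code: `build_query`, the `table` key, the `creator_templates` columns and the SQLite demo rows are all assumptions made for the example (it needs DBD::SQLite to run).

```perl
use strict;
use warnings;
use DBI;

# Hypothetical builder in the spirit of the _build_query described in the
# commit message (not Koha's code): the caller passes a hashref with 'fields'
# and 'filters'; every filter value becomes a '?' placeholder and is returned
# separately for DBI to bind, so no request data is spliced into the SQL text.
sub build_query {
    my ($params) = @_;
    my $table   = $params->{table}   or die "table is required";
    my $fields  = $params->{fields}  || ['*'];
    my $filters = $params->{filters} || {};

    # Table and column names cannot be placeholders, so they are checked
    # against a strict identifier pattern rather than trusted.
    for my $ident ($table, grep { $_ ne '*' } @$fields, keys %$filters) {
        die "bad identifier: $ident" unless $ident =~ /^[A-Za-z_][A-Za-z0-9_]*$/;
    }

    my $sql = 'SELECT ' . join(', ', @$fields) . " FROM $table";
    my (@where, @bind);
    for my $column (sort keys %$filters) {
        push @where, "$column = ?";
        push @bind,  $filters->{$column};
    }
    $sql .= ' WHERE ' . join(' AND ', @where) if @where;
    return ($sql, \@bind);
}

# Demo against an in-memory SQLite table with constructed sample rows
# (the real module talks to Koha's MySQL database).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('CREATE TABLE creator_templates (template_id INTEGER, template_code TEXT, creator TEXT)');
$dbh->do(q{INSERT INTO creator_templates VALUES (23, 'Avery 5160', 'Patroncards')});

# The element_id from the commit message's reproduction URL, now passed as
# data: it is bound to a placeholder, so it is never parsed as SQL.
my $hostile = '23 and 1=2 union all select 1,user(),@@version -- ';
my ($sql, $bind) = build_query({
    table   => 'creator_templates',
    fields  => ['template_id', 'template_code'],
    filters => { creator => 'Patroncards', template_id => $hostile },
});
print "$sql\n";    # contains only '?' placeholders, no user data
my $rows = $dbh->selectall_arrayref($sql, {}, @$bind);
printf "%d row(s) matched the hostile value\n", scalar @$rows;
```

Review the printed SQL: it is the same fixed statement regardless of input, which is the property the test plan's step 1 is checking for.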