]> git.koha-community.org Git - koha.git/commit
Bug 14521: SQL injection in local use system preferences
authorDavid Cook <dcook@prosentient.com.au>
Mon, 13 Jul 2015 04:06:46 +0000 (14:06 +1000)
committerLiz Rea <wizzyrea@gmail.com>
Tue, 21 Jul 2015 04:06:37 +0000 (16:06 +1200)
commit9513b93c828dfbc4413f9e0df63647401aaf4e58
tree5c7ed408cfffb9903ed88ae66a4deacba6927a6f
parent21d6252b1f8680dee66e49d9083e96e70c0554b1
Bug 14521: SQL injection in local use system preferences

This patch fixes a SQL injection vulnerability in the local use
system preferences.

_TEST PLAN_

Before applying:

1) Go to Global System Preferences
2) Click on the "Local use" tab
3) Add a new preference with the value "') or '1' = '1' -- "
(be sure to include the space at the end after the comment --).
4) When the page refreshes, you should now see about 99 other system
preferences which shouldn't be showing up.

5) Apply the patch

6) Refresh the page
7) Note that you now only see a system preference for "') or '1' = '1' -- "
and the other actual local use system preferences.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit a72262a950aa701cebe460e2a3a7586edecd86be)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
admin/systempreferences.pl