From 649573ad244b95e1b90df7d0925f31f735ae50f7 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Fr=C3=A8re=20S=C3=A9bastien=20Marie?=
Date: Wed, 27 Jul 2011 11:48:29 +0200
Subject: [PATCH] Bug 5131 :restrict use of sort_by value to allowed values

The user input for sort_by value was used without care, resulting the possibility for user to set any Template Variable to 1. This patch restrict the values to sort field. The list of allowd_sortby was taken from 'includes/resort_form.inc'.
Signed-off-by: Chris Cormack
Signed-off-by: Paul Poulain
Signed-off-by: Chris Cormack
---
 opac/opac-search.pl | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/opac/opac-search.pl b/opac/opac-search.pl
index cd3461071d..81b7ce61dd 100755
--- a/opac/opac-search.pl
+++ b/opac/opac-search.pl
@@ -285,10 +285,13 @@ if ( C4::Context->preference('OPACdefaultSortField')
 . C4::Context->preference('OPACdefaultSortOrder');
 }
+my @allowed_sortby = qw /acqdate_asc acqdate_dsc author_az author_za call_number_asc call_number_dsc popularity_asc popularity_dsc pubdate_asc pubdate_dsc relevance title_az title_za/;
 @sort_by = split("\0",$params->{'sort_by'}) if $params->{'sort_by'};
 $sort_by[0] = $default_sort_by if !$sort_by[0] && defined($default_sort_by);
 foreach my $sort (@sort_by) {
- $template->param($sort => 1); # FIXME: security hole. can set any TMPL_VAR here
+ if ( $sort ~~ @allowed_sortby ) {
+ $template->param($sort => 1);
+ }
 }
 $template->param('sort_by' => $sort_by[0]);
-- 
2.39.5
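Review bot: The allow-list guards only the `$template->param($sort => 1)` flag, while `$template->param('sort_by' => $sort_by[0]);` on the hunk's last line still hands the raw, unvalidated user value to the template, and `@sort_by` itself keeps whatever the user submitted for any later consumer (the rest of the script is outside this hunk, so I cannot tell where else it is read). Filtering the split result against the allow-list before the default fallback keeps a rejected value from ever becoming `$sort_by[0]`, and the loop guard can then stay as a belt-and-braces check that also covers the syspref-derived default. A hash lookup also reads more plainly than `~~`, which is experimental and warns on newer perls; on the 5.10-era perl this code targets it behaves as string equality here, so that part is style rather than a defect. Since the `@@` context shows `$default_sort_by` being built by concatenating two sysprefs, it is not necessarily in the list and the guard would then silently drop the default's flag, which deserves a comment such as `# default_sort_by comes from sysprefs and may not match an allowed value`.
```perl
my %allowed_sortby = map { $_ => 1 } qw/acqdate_asc acqdate_dsc author_az author_za call_number_asc call_number_dsc popularity_asc popularity_dsc pubdate_asc pubdate_dsc relevance title_az title_za/;
# Drop anything not in the allow-list before the default is applied, so a
# rejected value never reaches the template or later consumers of @sort_by.
@sort_by = grep { defined $_ && $allowed_sortby{$_} } split("\0", $params->{'sort_by'}) if $params->{'sort_by'};
$sort_by[0] = $default_sort_by if !$sort_by[0] && defined($default_sort_by);
foreach my $sort (@sort_by) {
    # default_sort_by comes from sysprefs and may not match an allowed value
    $template->param($sort => 1) if $allowed_sortby{$sort};
}
# … unchanged: $template->param('sort_by' => $sort_by[0]); …
```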