]> git.koha-community.org Git - koha.git/commit
Bug 14521: SQL injection in local use system preferences
authorDavid Cook <dcook@prosentient.com.au>
Mon, 13 Jul 2015 04:06:46 +0000 (14:06 +1000)
committerTomas Cohen Arazi <tomascohen@unc.edu.ar>
Mon, 20 Jul 2015 13:15:27 +0000 (10:15 -0300)
commita72262a950aa701cebe460e2a3a7586edecd86be
tree49ab341032f9a1e8f0062df55927e2384e12a72f
parent09b34591b665228c3ab38d3d327224c2c59cee6e
Bug 14521: SQL injection in local use system preferences

This patch fixes a SQL injection vulnerability in the local use
system preferences.

_TEST PLAN_

Before applying:

1) Go to Global System Preferences
2) Click on the "Local use" tab
3) Add a new preference with the value "') or '1' = '1' -- "
(be sure to include the space at the end after the comment --).
4) When the page refreshes, you should now see about 99 other system
preferences which shouldn't be showing up.

5) Apply the patch

6) Refresh the page
7) Note that you now only see a system preference for "') or '1' = '1' -- "
and the other actual local use system preferences.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
admin/systempreferences.pl