From 56abb85b1a07c0f0b69b3f755fe9f19e7f311ec0 Mon Sep 17 00:00:00 2001
From: Hammat Wele
Date: Thu, 27 Jun 2024 14:09:04 +0000
Subject: [PATCH] Bug 37210: Escape single quote in search string in overdue.pl
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

To Test: 1. Go to /cgi-bin/koha/circ/overdue.pl 2. In the «Name or card number» field, type «Tommy'and(select(0)from(select(sleep(10)))v)and'» 3. Apply the filter ==> It takes 10 seconds, sleep(10) is executed 4. Inspect the page, in «Patron category:» field, put «Tommy'and(select(0)from(select(sleep(10)))v)and'» in one of his option's value 5. select the option from the filter and Apply the filter ==> It takes 10 seconds, sleep(10) is executed we can inject SQL to the followin field : borname, itemtype, borcat, holdingbranch, homebranch and branch 6. Apply the patch 7. Repeat step 1,2,3 ==> it doesn't take 10 seconds, the injected sql is not executed 8. Repeat step 5 ==> it doesn't take 10 seconds, the injected sql is not executed 9. Repeat step 5 with the followin field : itemtype, holdingbranch, homebranch and branch ==> it doesn't take 10 seconds, the injected sql is not executed
Signed-off-by: Chris Cormack
Signed-off-by: Marcel de Rooy
Signed-off-by: Katrin Fischer
---
 circ/overdue.pl | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/circ/overdue.pl b/circ/overdue.pl
index 7c9e02eae4..38740fba22 100755
--- a/circ/overdue.pl
+++ b/circ/overdue.pl
@@ -231,6 +231,14 @@ if ($noreport) {
 $bornamefilter =~ s/\*/\%/g;
 $bornamefilter =~ s/\?/\_/g;
+ # Escape single quote
+ $bornamefilter =~s/'/\\'/g;
+ $itemtypefilter =~s/'/\\'/g;
+ $borcatfilter =~s/'/\\'/g;
+ $holdingbranchfilter =~s/'/\\'/g;
+ $homebranchfilter =~s/'/\\'/g;
+ $branchfilter =~s/'/\\'/g;
+
 my $strsth = "SELECT date_due, borrowers.title as borrowertitle, borrowers.surname,
-- 
2.39.5
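Review bot: The six added `s/'/\\'/g` substitutions are an incomplete escape rather than a fix, because the filter values are still interpolated into the `$strsth` string that starts on the last context line of the hunk and continues outside it. Backslash-escaping leaves two holes: a value ending in a backslash (`foo\`) contains no quote, passes through untouched, and once wrapped as `'foo\'` the `\'` escapes the closing quote so the next interpolated value can break out; and on a MySQL/MariaDB connection running with `sql_mode` including `NO_BACKSLASH_ESCAPES` the backslash is a literal character and `\'` still terminates the string, so the commit's own `Tommy'and(...)and'` payload would work again. The proper change is to bind each filter with a `?` placeholder in the `prepare`/`execute` of this query, which lies outside the hunk; the minimal in-hunk improvement is the portable quote-doubling form `s/'/''/g` for all six filters, which both sql modes accept, and I would reword the comment to say why it is there: `# Filter values are interpolated into $strsth below; escape until the query is moved to placeholders`. If any of these filters can be undef (the earlier two substitutions only touch `$bornamefilter`), the new lines will emit "uninitialized value" warnings — presumably the CGI parameter parsing above the hunk defaults them to empty strings, but that is worth confirming.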