From 16e55c1f3283402f766ed844baa5db333ed2f585 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Thu, 11 Feb 2016 10:16:12 +0000 Subject: [PATCH] Bug 15760: Avoid SQL injections Asking on #dbix-class, ribasushi told me to set quote_names to the connection options. Indeed it does the fix, globally :) Test plan: 1/ Add the following snippet to the a script (mainpage.pl is a good candidate) use Koha::Virtualshelves; my $s = Koha::Virtualshelves->search({}, { order_by => '1,(select case when (3*2*1=6 AND 000227=000227) then 1 else 1*(select table_name from information_schema.tables)end)=1' }); $s->next; 2/ Execute the script => Without the patch, you should not get any error. If you have the mysql logs enable, you will see the query => With the patch applied, you will get a "unknown column" error Signed-off-by: Mirko Tietgen Signed-off-by: Tomas Cohen Arazi Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com --- Koha/Database.pm | 1 + 1 file changed, 1 insertion(+) diff --git a/Koha/Database.pm b/Koha/Database.pm index 82d831f180..a8f4eab9a8 100644 --- a/Koha/Database.pm +++ b/Koha/Database.pm @@ -79,6 +79,7 @@ sub _new_schema { RaiseError => $ENV{DEBUG} ? 1 : 0, PrintError => 1, unsafe => 1, + quote_names => 1, on_connect_do => [ $encoding_query || (), $tz_query || (), -- 2.39.5