From 551b95284ef1cc49016b2f5ebdf8c6e3993a7f2c Mon Sep 17 00:00:00 2001 From: Andrew Moore Date: Wed, 23 Jul 2008 14:27:55 -0500 Subject: [PATCH] bug 1953 [1/2]: fixing SQL injection problem in C4::Context->preference C4::Context->preference was not using placeholders and was potentially vulnerable to a SQL injectin attack. This patch refactors the method to use placeholders. Added some tests for C4::Context. Signed-off-by: Joshua Ferraro --- C4/Context.pm | 8 ++--- t/lib/KohaTest/Context.pm | 54 ++++++++++++++++++++++++++++ t/lib/KohaTest/Context/preference.pm | 54 ++++++++++++++++++++++++++++ 3 files changed, 112 insertions(+), 4 deletions(-) create mode 100644 t/lib/KohaTest/Context.pm create mode 100644 t/lib/KohaTest/Context/preference.pm diff --git a/C4/Context.pm b/C4/Context.pm index efd344ff07..e466177ab0 100644 --- a/C4/Context.pm +++ b/C4/Context.pm @@ -456,15 +456,15 @@ sub preference { my $self = shift; my $var = shift; # The system preference to return - my $retval; # Return value my $dbh = C4::Context->dbh or return 0; # Look up systempreferences.variable==$var - $retval = $dbh->selectrow_array(<selectrow_array($sql, {}, $var); return $retval; } diff --git a/t/lib/KohaTest/Context.pm b/t/lib/KohaTest/Context.pm new file mode 100644 index 0000000000..bba7f888b7 --- /dev/null +++ b/t/lib/KohaTest/Context.pm @@ -0,0 +1,54 @@ +package KohaTest::Context; +use base qw( KohaTest ); + +use strict; +use warnings; + +use Test::More; + +use C4::Context; +sub testing_class { 'C4::Context' }; + + +sub methods : Test( 1 ) { + my $self = shift; + my @methods = qw( + AUTOLOAD + boolean_preference + config + dbh + db_scheme2dbi + get_shelves_userenv + get_versions + import + KOHAVERSION + marcfromkohafield + ModZebrations + new + new_dbh + preference + read_config_file + restore_context + restore_dbh + set_context + set_dbh + set_shelves_userenv + set_userenv + stopwords + userenv + Zconn + zebraconfig + _common_config + _new_dbh + _new_marcfromkohafield + _new_stopwords + _new_userenv + _new_Zconn + _unset_userenv + ); + + can_ok( $self->testing_class, @methods ); +} + +1; + diff --git a/t/lib/KohaTest/Context/preference.pm b/t/lib/KohaTest/Context/preference.pm new file mode 100644 index 0000000000..2ad73d1100 --- /dev/null +++ b/t/lib/KohaTest/Context/preference.pm @@ -0,0 +1,54 @@ +package KohaTest::Context::preference; +use base qw( KohaTest::Context ); + +use strict; +use warnings; + +use Test::More; + +use C4::Context; +sub testing_class { 'C4::Context' }; + + +=head2 STARTUP METHODS + +These get run once, before the main test methods in this module + +=cut + +=head2 TEST METHODS + +standard test methods + +=head3 preference_does_not_exist + +=cut + +sub preference_does_not_exist : Test( 1 ) { + my $self = shift; + + my $missing = C4::Context->preference( 'doesnotexist' ); + + is( $missing, undef, 'a query for a missing syspref returns undef' ) + or diag( Data::Dumper->Dump( [ $missing ], [ 'missing' ] ) ); + +} + + +=head3 version_preference + +=cut + +sub version_preference : Test( 1 ) { + my $self = shift; + + my $version = C4::Context->preference( 'version' ); + + ok( $version, 'C4::Context->preference returns a good version number' ) + or diag( Data::Dumper->Dump( [ $version ], [ 'version' ] ) ); + +} + + + +1; -- 2.39.5