From 1cdfcdf12bfa02818e5fbfda06a3d364983ec73b Mon Sep 17 00:00:00 2001
From: Galen Charlton
Date: Mon, 12 May 2008 10:01:10 -0500
Subject: [PATCH] close security holes in patron search autocompletion

* Added authorization check - user must have a valid session cookie to use this feature; before this change, anybody could use circ/ysearch.pl to retrieve the entire patron directory without authorization.
* (bug 1953) now uses SQL placeholders
Note: this does, unfortunately, noticeably slow down automcompletion; this indicates a need for factoring of C4::Auth to make authentication for AJAX scripts as fast as possible.
Signed-off-by: Joshua Ferraro
---
 circ/ysearch.pl | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/circ/ysearch.pl b/circ/ysearch.pl
index 2c609807c1..ee383aa740 100755
--- a/circ/ysearch.pl
+++ b/circ/ysearch.pl
@@ -27,21 +27,27 @@
 use strict;
 use CGI;
 use C4::Context;
+use C4::Auth qw/check_cookie_auth/;
 my $input = new CGI;
 my $query = $input->param('query');
 print $input->header(-type => 'text/plain', -charset => 'UTF-8');
+my ($auth_status, $sessionID) = check_cookie_auth($input->cookie('CGISESSID'), { circulate => '*' });
+if ($auth_status ne "ok") {
+ exit 0;
+}
+
 my $dbh = C4::Context->dbh;
-$query = "SELECT surname, firstname, cardnumber, address, city, zipcode ".
- "FROM borrowers " .
- "WHERE surname LIKE '". $query . "%' " .
- "OR firstname LIKE '" . $query . "%' " .
- #"OR cardnumber LIKE '" . $query . "%' " .
- "ORDER BY surname, firstname ";
-my $sth = $dbh->prepare( $query );
-$sth->execute();
+my $sql = qq(SELECT surname, firstname, cardnumber, address, city, zipcode
+ FROM borrowers
+ WHERE surname LIKE ?
+ OR firstname LIKE ?
+ ORDER BY surname, firstname);
+ #"OR cardnumber LIKE '" . $query . "%' " .
+my $sth = $dbh->prepare( $sql );
+$sth->execute("$query%", "$query%");
 while ( my $rec = $sth->fetchrow_hashref ) {
 print $rec->{surname} . ", " . $rec->{firstname} . "\t" . $rec->{cardnumber} . "\t" .
-- 
2.39.5
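Review bot: The new `check_cookie_auth` check runs after `print $input->header(...)` has already emitted a 200 response, so an unauthenticated caller receives an empty but successful reply; the check should precede the header, and the failure branch should send `-status => '403 Forbidden'` instead of the bare `exit 0` the hunk has now. A second gap is that `$query` is never validated: with no `query` parameter the bind value on the `$sth->execute("$query%", "$query%")` line becomes the bare wildcard `"%"` (the file shows `use strict` but no `use warnings`, so the undef interpolates silently), and a value containing `%` or `_` is still interpreted by LIKE, so any holder of the `circulate` permission can pull the whole borrowers table through an autocompletion endpoint. A guard such as `exit 0 unless defined $query and length $query;`, escaping of `%`/`_` in the bind value, and a `LIMIT` on the autocompletion query would bound that. The `while` loop at the end of the hunk continues outside it.
```perl
my $input = new CGI;
my $query = $input->param('query');

# refuse before any response header is written, and say so with a status
my ($auth_status, $sessionID) = check_cookie_auth($input->cookie('CGISESSID'), { circulate => '*' });
if ($auth_status ne "ok") {
    print $input->header(-type => 'text/plain', -charset => 'UTF-8', -status => '403 Forbidden');
    exit 0;
}

print $input->header(-type => 'text/plain', -charset => 'UTF-8');

# an empty prefix would turn the LIKE bind value into a bare "%" wildcard
exit 0 unless defined $query and length $query;

# … unchanged: $dbh, $sql, prepare/execute and the output loop …
```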