It has been reported that
/cgi-bin/koha/opac-shelves.pl?op=edit&referer=view&shelfnumber=146&owner=4&shelfname=testX&sortfield=titleaaaaaa\`&category=1
Could lead to SQL injection
Actually it explodes because the generated SQL query is not correctly formated.
However it would be good to limit the possible values for sortfield.
This vulnerability has been reported by MDSec.
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
$shelf = Koha::Virtualshelves->find($shelfnumber);
if ( $shelf ) {
$op = $referer;
$shelf = Koha::Virtualshelves->find($shelfnumber);
if ( $shelf ) {
$op = $referer;
+ my $sortfield = $query->param('sortfield');
+ $sortfield = 'title' unless grep {/^$sortfield$/}qw( title author copyrightdate itemcallnumber );
if ( $shelf->can_be_managed( $loggedinuser ) ) {
$shelf->shelfname( $query->param('shelfname') );
if ( $shelf->can_be_managed( $loggedinuser ) ) {
$shelf->shelfname( $query->param('shelfname') );
- $shelf->sortfield( $query->param('sortfield') );
+ $shelf->sortfield( $sortfield );
$shelf->allow_add( $query->param('allow_add') );
$shelf->allow_delete_own( $query->param('allow_delete_own') );
$shelf->allow_delete_other( $query->param('allow_delete_other') );
$shelf->allow_add( $query->param('allow_add') );
$shelf->allow_delete_own( $query->param('allow_delete_own') );
$shelf->allow_delete_other( $query->param('allow_delete_other') );
if ( $shelf->can_be_viewed( $loggedinuser ) ) {
$category = $shelf->category;
my $sortfield = $query->param('sortfield') || $shelf->sortfield; # Passed in sorting overrides default sorting
if ( $shelf->can_be_viewed( $loggedinuser ) ) {
$category = $shelf->category;
my $sortfield = $query->param('sortfield') || $shelf->sortfield; # Passed in sorting overrides default sorting
+ $sortfield = 'title' unless grep {/^$sortfield$/}qw( title author copyrightdate itemcallnumber );
my $direction = $query->param('direction') || 'asc';
$direction = 'asc' if $direction ne 'asc' and $direction ne 'desc';
my ( $page, $rows );
my $direction = $query->param('direction') || 'asc';
$direction = 'asc' if $direction ne 'asc' and $direction ne 'desc';
my ( $page, $rows );
can_delete_shelf => $shelf->can_be_deleted($loggedinuser),
can_remove_biblios => $shelf->can_biblios_be_removed($loggedinuser),
can_add_biblios => $shelf->can_biblios_be_added($loggedinuser),
can_delete_shelf => $shelf->can_be_deleted($loggedinuser),
can_remove_biblios => $shelf->can_biblios_be_removed($loggedinuser),
can_add_biblios => $shelf->can_biblios_be_added($loggedinuser),
- sortfield => $sortfield,
itemsloop => \@items,
sortfield => $sortfield,
direction => $direction,
itemsloop => \@items,
sortfield => $sortfield,
direction => $direction,
if ( $shelf ) {
$op = $referer;
if ( $shelf ) {
$op = $referer;
+ my $sortfield = $query->param('sortfield');
+ $sortfield = 'title' unless grep {/^$sortfield$/}qw( title author copyrightdate itemcallnumber );
if ( $shelf->can_be_managed( $loggedinuser ) ) {
$shelf->shelfname( scalar $query->param('shelfname') );
if ( $shelf->can_be_managed( $loggedinuser ) ) {
$shelf->shelfname( scalar $query->param('shelfname') );
- $shelf->sortfield( scalar $query->param('sortfield') );
+ $shelf->sortfield( $sortfield );
$shelf->allow_add( scalar $query->param('allow_add') );
$shelf->allow_delete_own( scalar $query->param('allow_delete_own') );
$shelf->allow_delete_other( scalar $query->param('allow_delete_other') );
$shelf->allow_add( scalar $query->param('allow_add') );
$shelf->allow_delete_own( scalar $query->param('allow_delete_own') );
$shelf->allow_delete_other( scalar $query->param('allow_delete_other') );
if ( $shelf ) {
if ( $shelf->can_be_viewed( $loggedinuser ) ) {
my $sortfield = $query->param('sortfield') || $shelf->sortfield || 'title'; # Passed in sorting overrides default sorting
if ( $shelf ) {
if ( $shelf->can_be_viewed( $loggedinuser ) ) {
my $sortfield = $query->param('sortfield') || $shelf->sortfield || 'title'; # Passed in sorting overrides default sorting
+ $sortfield = 'title' unless grep {/^$sortfield$/}qw( title author copyrightdate itemcallnumber );
my $direction = $query->param('direction') || 'asc';
$direction = 'asc' if $direction ne 'asc' and $direction ne 'desc';
my ( $rows, $page );
my $direction = $query->param('direction') || 'asc';
$direction = 'asc' if $direction ne 'asc' and $direction ne 'desc';
my ( $rows, $page );