From: Jonathan Druart Date: Fri, 13 Jan 2017 16:03:41 +0000 (+0100) Subject: Bug 17901: Fix possible SQL injection in shelf editing X-Git-Url: http://git.rot13.org/?a=commitdiff_plain;h=45cffd874c62c7b090390c5fb3c955c31f524608;p=koha.git Bug 17901: Fix possible SQL injection in shelf editing It has been reported that /cgi-bin/koha/opac-shelves.pl?op=edit&referer=view&shelfnumber=146&owner=4&shelfname=testX&sortfield=titleaaaaaa\`&category=1 Could lead to SQL injection Actually it explodes because the generated SQL query is not correctly formated. However it would be good to limit the possible values for sortfield. This vulnerability has been reported by MDSec. Signed-off-by: Mirko Tietgen Signed-off-by: Marcel de Rooy Signed-off-by: Kyle M Hall --- diff --git a/opac/opac-shelves.pl b/opac/opac-shelves.pl index b29ade648c..237ad91cf1 100755 --- a/opac/opac-shelves.pl +++ b/opac/opac-shelves.pl @@ -105,9 +105,11 @@ if ( $op eq 'add_form' ) { $shelf = Koha::Virtualshelves->find($shelfnumber); if ( $shelf ) { $op = $referer; + my $sortfield = $query->param('sortfield'); + $sortfield = 'title' unless grep {/^$sortfield$/}qw( title author copyrightdate itemcallnumber ); if ( $shelf->can_be_managed( $loggedinuser ) ) { $shelf->shelfname( $query->param('shelfname') ); - $shelf->sortfield( $query->param('sortfield') ); + $shelf->sortfield( $sortfield ); $shelf->allow_add( $query->param('allow_add') ); $shelf->allow_delete_own( $query->param('allow_delete_own') ); $shelf->allow_delete_other( $query->param('allow_delete_other') ); @@ -226,6 +228,7 @@ if ( $op eq 'view' ) { if ( $shelf->can_be_viewed( $loggedinuser ) ) { $category = $shelf->category; my $sortfield = $query->param('sortfield') || $shelf->sortfield; # Passed in sorting overrides default sorting + $sortfield = 'title' unless grep {/^$sortfield$/}qw( title author copyrightdate itemcallnumber ); my $direction = $query->param('direction') || 'asc'; $direction = 'asc' if $direction ne 'asc' and $direction ne 'desc'; my ( $page, $rows ); @@ -326,7 +329,6 @@ if ( $op eq 'view' ) { can_delete_shelf => $shelf->can_be_deleted($loggedinuser), can_remove_biblios => $shelf->can_biblios_be_removed($loggedinuser), can_add_biblios => $shelf->can_biblios_be_added($loggedinuser), - sortfield => $sortfield, itemsloop => \@items, sortfield => $sortfield, direction => $direction, diff --git a/virtualshelves/shelves.pl b/virtualshelves/shelves.pl index 691e2153b6..de4db5154e 100755 --- a/virtualshelves/shelves.pl +++ b/virtualshelves/shelves.pl @@ -94,9 +94,11 @@ if ( $op eq 'add_form' ) { if ( $shelf ) { $op = $referer; + my $sortfield = $query->param('sortfield'); + $sortfield = 'title' unless grep {/^$sortfield$/}qw( title author copyrightdate itemcallnumber ); if ( $shelf->can_be_managed( $loggedinuser ) ) { $shelf->shelfname( scalar $query->param('shelfname') ); - $shelf->sortfield( scalar $query->param('sortfield') ); + $shelf->sortfield( $sortfield ); $shelf->allow_add( scalar $query->param('allow_add') ); $shelf->allow_delete_own( scalar $query->param('allow_delete_own') ); $shelf->allow_delete_other( scalar $query->param('allow_delete_other') ); @@ -197,6 +199,7 @@ if ( $op eq 'view' ) { if ( $shelf ) { if ( $shelf->can_be_viewed( $loggedinuser ) ) { my $sortfield = $query->param('sortfield') || $shelf->sortfield || 'title'; # Passed in sorting overrides default sorting + $sortfield = 'title' unless grep {/^$sortfield$/}qw( title author copyrightdate itemcallnumber ); my $direction = $query->param('direction') || 'asc'; $direction = 'asc' if $direction ne 'asc' and $direction ne 'desc'; my ( $rows, $page );