[Koha-bugs] [Bug 32637] New: API requests using Content-Type: application/x-www-form-urlencoded fail, user data treated as DB column name
bugzilla-daemon at bugs.koha-community.org
Mon Jan 16 05:16:25 CET 2023
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32637
Bug ID: 32637
Summary: API requests using Content-Type: application/x-www-form-urlencoded fail, user data treated as DB column name
Change sponsored?: ---
Product: Koha
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5 - low
Component: REST API
Assignee: koha-bugs at lists.koha-community.org
Reporter: data-27FC05A3CB97 at office-dateien.de
CC: tomascohen at gmail.com
Created attachment 145327 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=145327&action=edit
IRC log
Requests to the REST API will fail if the Content-type HTTP header is set to
application/x-www-form-urlencoded. This is the default header sent by curl if
nothing else is specified.
curl -v -s -u kohaapi:kohaapi --request GET http://koha_testing/api/v1/patrons --data-raw '{ "surname": { "-like": "Smith%" } }'

{"error":"Something went wrong, check Koha logs for details.","error_code":"internal_server_error"}
The following entry shows up in api-error.log:

[ERROR] GET /api/v1/patrons: unhandled exception (DBIx::Class::Exception)<<DBIx::Class::Storage::DBI::_dbh_execute(): DBI Exception: DBD::mysql::st execute failed: Unknown column '{ "surname": { "-like": "Smith%" } }' in 'where clause' at /usr/share/perl5/Data/Page.pm line 49>> Koha::REST::Plugin::Exceptions::__ANON__ /usr/share/koha/lib/Koha/REST/Plugin/Exceptions.pm (73)
Specifying any Content-type header, or not sending one at all, will make the issue go away:

curl -v -s -u kohaapi:kohaapi --header "Content-type: application/json" --request GET http://koha_testing/api/v1/patrons --data-raw '{ "surname": { "-like": "Smith%" } }'
It appears that sending Content-type: application/x-www-form-urlencoded causes Koha to treat the complete user-supplied data as a column name of the borrowers table and to run a query with it. The query then fails because no such column exists.
With Koha 22.05, the following will not cause an error, as firstname is a valid
column name in the borrowers table, so no query fails and no data is returned.
This also works with the items table.
curl -v -s -u kohaapi:kohaapi --request GET http://koha_testing/api/v1/patrons --data-raw 'firstname'
This won't work if any Content-type header is set, as this causes an error:

{"errors":[{"message":"Expected object - got string.","path":"\/query"}],"status":400}
It appears that x-www-form-urlencoded also overrides the JSON sanity check.
It is not clear why x-www-form-urlencoded is treated special in the first place
and why using it allows user supplied data to be passed to the database
unchecked.
The security implications of this behavior would need to be checked too to
avoid things like SQL injections.
Tests were done on Koha 22.05 and 22.11 running on Debian Bullseye. Koha was
installed using the Debian packages on a newly installed machine.
The IRC log is attached.
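An added example, not Koha's code and not part of the bug report, that reproduces the mechanism the report describes with the libraries Koha's REST layer is built on (Mojolicious for request parsing, SQL::Abstract for the WHERE clause, as DBIx::Class uses it). A body with Content-Type application/x-www-form-urlencoded is parsed by Mojo::Parameters into name=value pairs, so a body containing no "=" becomes one parameter name with an empty value; if that hash is handed to the query builder unchanged, the whole body becomes a column identifier, which is exactly what the "Unknown column" log line shows. The checked variant beside it accepts only JSON, requires an object, and refuses filter keys that are not known columns. The column allow-list, the backtick identifier quoting (inferred from the error text, not a verified Koha setting) and the exact way the filter reaches the query builder are assumptions made for the illustration:

```perl
#!/usr/bin/env perl
# Added illustration (not Koha's code): why a request body that is parsed as
# form data instead of JSON turns into a column name in the generated SQL,
# and what a checked version of the same step looks like.
use strict;
use warnings;
use Mojo::Parameters;
use Mojo::JSON qw(decode_json);
use SQL::Abstract;

# Constructed request bodies, copied from the reproduction in the report.
my $json_filter = '{ "surname": { "-like": "Smith%" } }';
my $bare_word   = 'firstname';

# Hypothetical allow-list of borrowers columns; a real implementation would
# take it from the DBIx::Class result source rather than hard-code it.
my %known_column = map { $_ => 1 } qw(borrowernumber cardnumber surname firstname);

# Backtick identifier quoting, chosen because the "Unknown column" error in
# the report implies the input reached MySQL as a quoted identifier
# (an inference from the log line, not a verified Koha setting).
my $sqla = SQL::Abstract->new( quote_char => '`', name_sep => '.' );

# Unchecked path: decode the body according to its Content-Type and hand the
# result straight to the query builder. Mojo::Parameters splits a form body
# into name=value pairs, so a body without "=" becomes a single parameter
# *name* with an empty value, and that name is then used as a column.
sub where_unchecked {
    my ( $content_type, $body ) = @_;
    my $filter
        = $content_type eq 'application/json'
        ? decode_json($body)                     # dies on non-JSON bodies
        : Mojo::Parameters->new($body)->to_hash;
    my ( $sql, @bind ) = $sqla->select( 'borrowers', '*', $filter );
    return { sql => $sql, bind => \@bind };
}

# Checked path: only accept JSON, require an object, and reject any filter
# key that is not a known column before anything reaches the query builder.
sub where_checked {
    my ( $content_type, $body ) = @_;
    return { error => 'unsupported Content-Type' }
        unless $content_type eq 'application/json';
    my $filter = eval { decode_json($body) };
    return { error => 'body is not valid JSON' } unless defined $filter;
    return { error => 'expected object' } unless ref $filter eq 'HASH';
    for my $key ( keys %$filter ) {
        return { error => "unknown filter column '$key'" }
            unless $known_column{$key};
    }
    my ( $sql, @bind ) = $sqla->select( 'borrowers', '*', $filter );
    return { sql => $sql, bind => \@bind };
}

# The four combinations exercised in the report: JSON filter and bare word,
# each sent as form data and as JSON.
my @cases = (
    [ 'application/x-www-form-urlencoded', $json_filter ],
    [ 'application/json',                  $json_filter ],
    [ 'application/x-www-form-urlencoded', $bare_word ],
    [ 'application/json',                  $bare_word ],
);

for my $case (@cases) {
    my ( $ct, $body ) = @$case;
    print "Content-Type: $ct  body: $body\n";
    for my $variant ( [ unchecked => \&where_unchecked ], [ checked => \&where_checked ] ) {
        my ( $label, $code ) = @$variant;
        my $r = eval { $code->( $ct, $body ) }
            // { error => 'died: ' . ( split /\n/, $@ )[0] };
        printf "  %-9s %s\n", $label,
            $r->{error} ? "rejected: $r->{error}" : "$r->{sql}  bind=[@{$r->{bind}}]";
    }
}
```

Run with `perl` and the Mojolicious and SQL::Abstract distributions installed. The form-encoded JSON body produces a WHERE clause whose column is the entire body string with an empty bind value, the form-encoded bare word `firstname` produces `firstname = ''` (a valid query that returns nothing, as the report observes), and the JSON path dies on the bare word, which is the 400 "Expected object" response seen in the report; the checked variant rejects every non-JSON case before a query is built.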