[Koha-bugs] [Bug 32637] API requests using Content-Type: application/x-www-form-urlencoded fail, user data treated as DB column name

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Mon Jan 16 22:08:14 CET 2023


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32637

--- Comment #1 from jpl <data-27FC05A3CB97 at office-dateien.de> ---
I did some testing and it does indeed appear that Koha tries to do a SQL query
with the user-supplied JSON as a column name if that particular header is used:

# no -H given, so curl sends --data-raw with its default
# Content-Type: application/x-www-form-urlencoded
curl -v -s -u kohaapi:kohaapi --request GET http://koha_testing/api/v1/patrons \
  --data-raw '{ "surname": { "-like": "Smith%" } }'

will result in the following query showing up in the mariadb General Query Log:

SELECT COUNT( * ) FROM `borrowers` `me` WHERE ( `{ "surname": { "-like":
"Smith%" } }` = '' )

Sending any other Content-Type header results in a correct query:

SELECT COUNT( * ) FROM `borrowers` `me` WHERE ( `surname` LIKE 'Smith%' )

Arbitrary data can be put into that query since Koha won't check that the JSON
is valid if that header is used (only tested with 22.05):

SELECT COUNT( * ) FROM `borrowers` `me` WHERE ( `FooBar` = '' )

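The mechanism behind the queries quoted in the comment above, as an added example that is not Koha's code and not part of the original mail: a form-urlencoded decoder applied to a JSON string finds no '=' in it, so the whole string becomes a single form field with an empty value; a SQL::Abstract-style query builder then treats that field name as a trusted column. The decoder, the tiny query builder, the two request handlers and the allowed-column list are hypothetical stand-ins written in Python to show the behaviour offline; the sample bodies are constructed.

```python
"""Added example (not Koha code): why a JSON body sent with the curl default
Content-Type (application/x-www-form-urlencoded) is turned into a column name,
and what a handler that refuses such bodies looks like."""
import json
from urllib.parse import parse_qs

# Constructed inputs, mirroring the bodies used in the bug comment.
JSON_FILTER_BODY = '{ "surname": { "-like": "Smith%" } }'
ARBITRARY_BODY = "FooBar"

FORM = "application/x-www-form-urlencoded"
JSON = "application/json"


def decode_body(content_type, body):
    """Hypothetical generic body decoder: JSON bodies become dicts, form
    bodies become {field: value}.  A JSON string parsed as a form contains
    no '=', so the entire string is one field name with an empty value
    (keep_blank_values=True keeps such fields, as Mojolicious-style
    form parsing does)."""
    if content_type == JSON:
        return json.loads(body)
    if content_type == FORM:
        parsed = parse_qs(body, keep_blank_values=True)
        return {field: values[0] for field, values in parsed.items()}
    raise ValueError("unsupported Content-Type")


def count_query(filters):
    """Hypothetical SQL::Abstract-like builder: hash keys are trusted as
    column names and only backtick-quoted (never validated); a scalar value
    compares with '=', a nested {'-like': v} becomes LIKE.  Values are
    rendered inline here purely to reproduce what a general query log shows;
    a real builder would bind them as placeholders, which is why only the
    column position is attacker-controlled."""
    parts = []
    for column, value in filters.items():
        if isinstance(value, dict):
            op, operand = next(iter(value.items()))
            parts.append(f"`{column}` {op.lstrip('-').upper()} '{operand}'")
        else:
            parts.append(f"`{column}` = '{value}'")
    return "SELECT COUNT( * ) FROM `borrowers` `me` WHERE ( " + " AND ".join(parts) + " )"


def handle_vulnerable(content_type, body):
    """Decode whatever arrives and hand the result straight to the builder."""
    return count_query(decode_body(content_type, body))


# Hypothetical allow-list of filterable columns; not Koha's list.
ALLOWED_COLUMNS = {"surname", "firstname", "cardnumber"}


def handle_hardened(content_type, body):
    """Return (http_status, sql).  Two independent checks: the body must be
    declared as JSON (anything else gets 415), and every filter key must be a
    known column (unknown keys get 400) so a decoder surprise can never reach
    the query builder as a column name."""
    if content_type != JSON:
        return 415, None
    try:
        filters = json.loads(body)
    except ValueError:
        return 400, None
    if not isinstance(filters, dict) or set(filters) - ALLOWED_COLUMNS:
        return 400, None
    return 200, count_query(filters)


if __name__ == "__main__":
    print(handle_vulnerable(FORM, JSON_FILTER_BODY))   # whole JSON string as column
    print(handle_vulnerable(JSON, JSON_FILTER_BODY))   # intended LIKE query
    print(handle_vulnerable(FORM, ARBITRARY_BODY))     # `FooBar` = ''
    print(handle_hardened(FORM, JSON_FILTER_BODY))     # (415, None)
    print(handle_hardened(JSON, JSON_FILTER_BODY))     # (200, LIKE query)
```

The takeaway for the handler side is that the Content-Type check and the column allow-list are separate defences: the first stops the form decoder from ever seeing the body, the second stops any decoder output, whatever its source, from being interpolated as an identifier.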