[Bug 37018] SQL injection using q under api/
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37018 --- Comment #160 from Jonathan Druart <jonathan.druart@gmail.com> --- (In reply to Marcel de Rooy from comment #158)
Good work, here guys!
When I am looking at the code of _validate_query, I am wondering if constructs like
priority => [ { '=', 2 }, { '>', 5 } ]
are parsed correctly? It seems that the inner hashes go recursively back into the routine, but the operators = and > here are viewed as field names and wont be checked with _validate_operator. Or am I misreading something?
Tested on http://localhost:8080/api/v1/public/biblios/1/items With q=[{"item_id":{"<":"5"}}] It generates WHERE `itemnumber` < '5' AND `me`.`biblionumber` = '1' q=[{"item_id":[{"<":"5"},{">":"2"}]}] generates WHERE ( `itemnumber` < '5' OR `itemnumber` > '2' ) AND `me`.`biblionumber` = '1' Work as expected. Do you have another concern about it? -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org