[Bug 10033] New: dangerous query in _koha_modify_item
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10033 Bug ID: 10033 Summary: dangerous query in _koha_modify_item Classification: Unclassified Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: minor Priority: P5 - low Component: Cataloging Assignee: gmcharlt@gmail.com Reporter: fridolyn.somers@biblibre.com CC: m.de.rooy@rijksmuseum.nl The SQL query build in C4::Items::_koha_modify_item performs an update on a row of items table identified by itemnumber. Actually the query is build using a hash of datas : for my $key ( keys %$item ) { $query.="$key=?,"; push @bind, $item->{$key}; } But this hash contains 'itemnumber' key, so you get an update including the primary key. It is actually harmless but may be dangerous. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10033 Fridolyn SOMERS <fridolyn.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff Assignee|gmcharlt@gmail.com |fridolyn.somers@biblibre.co | |m --- Comment #1 from Fridolyn SOMERS <fridolyn.somers@biblibre.com> --- Created attachment 17401 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=17401&action=edit Proposed patch See commit comment. 1 line patch -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10033 Fridolyn SOMERS <fridolyn.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #17401|0 |1 is obsolete| | --- Comment #2 from Fridolyn SOMERS <fridolyn.somers@biblibre.com> --- Created attachment 17402 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=17402&action=edit Proposed patch -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10033 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10033 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #17402|0 |1 is obsolete| | --- Comment #3 from Kyle M Hall <kyle@bywatersolutions.com> --- Created attachment 17541 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=17541&action=edit Bug 10033 - dangerous query in _koha_modify_item The SQL query build in C4::Items::_koha_modify_item performs an update on a row of items table identified by itemnumber. Actually the query is build using a hash of datas : for my $key ( keys %$item ) { $query.="$key=?,"; push @bind, $item->{$key}; } But this hash contains 'itemnumber' key, so you get an update including the primary key. It is actually harmless but may be dangerous. This patch simply skips itemnumber key in above loop. Test plan : Check you can create and modify items. Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10033 M. de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact| |m.de.rooy@rijksmuseum.nl -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10033 M. de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10033 M. de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #17541|0 |1 is obsolete| | --- Comment #4 from M. de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 17794 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=17794&action=edit Bug 10033 - dangerous query in _koha_modify_item The SQL query build in C4::Items::_koha_modify_item performs an update on a row of items table identified by itemnumber. Actually the query is build using a hash of datas : for my $key ( keys %$item ) { $query.="$key=?,"; push @bind, $item->{$key}; } But this hash contains 'itemnumber' key, so you get an update including the primary key. It is actually harmless but may be dangerous. This patch simply skips itemnumber key in above loop. Test plan : Check you can create and modify items. Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10033 M. de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10033 M. de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA --- Comment #5 from M. de Rooy <m.de.rooy@rijksmuseum.nl> --- QA Comment: Very small patch that probably does prevent a fictive situation to occur. But does not harm either. Tested adding and editing item. Out of scope, but did you notice that the error message from this same routine is just ignored in the calling routine? Passed QA -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10033 Jared Camins-Esakov <jcamins@cpbibliography.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to Master --- Comment #6 from Jared Camins-Esakov <jcamins@cpbibliography.com> --- This patch has been pushed to master and 3.12.x. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10033 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to Master |Pushed to Stable CC| |chris@bigballofwax.co.nz --- Comment #7 from Chris Cormack <chris@bigballofwax.co.nz> --- Pushed to 3.10.x and 3.8.x will be in 3.10.6 and 3.8.13 -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org