[Bug 37018] SQL injection using q under api/
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37018 --- Comment #161 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Jonathan Druart from comment #160)
Work as expected.
Do you have another concern about it?
Yes, the validation allows invalid operators at a deeper level as mentioned in earlier comment. Here is proof: Run this script use Modern::Perl; use Data::Dumper qw/Dumper/; use Koha::REST::Plugin::Query; my $query = { priority => [ { '=', 2 }, { '>', 5 } ] }; print Dumper( Koha::REST::Plugin::Query::_validate_query( $query ) ); $query = { priority => [ { '||', 2 }, { ';;', 5 } ] }; print Dumper( Koha::REST::Plugin::Query::_validate_query( $query ) ); $query = { "item_id" => { "<", "5" } }; print Dumper( Koha::REST::Plugin::Query::_validate_query( $query ) ); $query = { "item_id" => { "||", "5" } }; print Dumper( Koha::REST::Plugin::Query::_validate_query( $query ) ); As you can see, the second query is invalid with || operator and the fourth query is invalid too. What are the results: $VAR1 = ''; $VAR1 = ''; $VAR1 = ''; [Invalid operator found in query] This shows that the second query is approved, and only the fourth is rejected (where the operator is a level higher in the recursion). That is actually wrong. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org