Hi, Seeing the patch proposed by Marcel de Rooy for bug 6536, a question arrived in my mind about injection of code in Zebra. Does someone is aware about something like that ? Next an extract of patch (and after my comments): On Thu, Jun 30, 2011 at 01:01:01PM +0000, Marcel de Rooy wrote:
Z3950 Enhancements: SRU search targets, MARC conversion and additional XSLT processing
diff --git a/C4/Breeding.pm b/C4/Breeding.pm index 9003f9a..cb04e14 100644 --- a/C4/Breeding.pm +++ b/C4/Breeding.pm
[...]
+sub build_query { + my $nterms=0; + my $title = $input->param('title')||''; + my $author = $input->param('author')||''; + my $isbn = $input->param('isbn')||''; + my $lccall = $input->param('lccall')||''; + my $subject = $input->param('subject')||''; + my $dewey = $input->param('dewey')||''; + my $controlnumber = $input->param('controlnumber')||''; + my $stdid = $input->param('stdid')||''; + my $srchany = $input->param('srchany')||''; + + if ($isbn) { + $zquery = "\@or \@attr 1=8 \"$isbn\" \@attr 1=7 \"$isbn\" "; + $squery = "([isbn]=\"$isbn\" or [issn]=\"$isbn\") and "; + $nterms++; + } + if ($title) { + utf8::decode($title); + $zquery .= "\@attr 1=4 \"$title\" "; + $squery .= "[title]=\"$title\" and "; + $nterms++; + }
[...] First, some notes about code: - alls variables seems to come from userdata (input query), so are user controlled. - if one contains a double-quote escape in done (and could result invalid query) About zebra possible exploits (untested): - yaz-client (Z39.50 client) permit bang pattern for shell invocation, does the library too ? - does zebra permit anonymous index write ? (resulting index corruption, possible affection of koha for places where data are read from zebra, and use 'as-it') - or connection to another server ? (could expose local network area) - ... If someone have other ideas... If zebra library permit use of placeholders, we should use them. Else perhaps develop a small function for variable escapment before inclusion in zebra query. Thanks. -- Frère Sébastien Marie Abbaye Notre Dame de La Trappe 61380 Soligny-la-Trappe Tél: 02.33.84.17.00 Fax: 02.33.34.98.57 Web: http://www.latrappe.fr/