[Koha-bugs] [Bug 8171] Improper escaping of quotes during z39.50 queries leads to potential malicious code execution

bugzilla-daemon at bugs.koha-community.org
Fri Jun 1 17:26:15 CEST 2012


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8171

--- Comment #2 from William Hurley <bhurley at aihs.org> ---
You may be correct that I have not identified the source of the bug.  You are
incorrect when you say that the problem is that the quotation marks are not
escaped during the actual search.  The problem is that the quotation marks are
not escaped when one chooses edit-> replace record via z39.50.  If the title
contains double quotes, everything from the first set of quotes back
disappears, and is not transferred into the search window.  The quoted text
never makes it into the actual search.  

It is easy to replicate this bug.  Pick any title in your collection and edit
marc field $245a by appending "test quotes" at the end of the title.  Then
click on z39.50 search.  The words "test quote" do not appear in the pop-up
search window. Therefore, whatever module controls this behavior is not
properly escaping the quotes.  If you would kindly identify this module I would
be greatly appreciative.  Thanks for your quick response and all your help in
this matter.  

(In reply to comment #1)
> Hi William
> 
> On line 228 term is the name of the column. It is not the variable.
> 
> The variable is in 
> $sth->execute($query, $type, $serverlist, $requestid);
> 
> The query is escaped by use of placeholders ie the (?,?,?,?)
> 
> Which means $query is escaped and replaces the first ? in that list.
> 
> So that part is not the problem, I suspect the actual problem is that the ""
> are not escaped when doing the actual search.
> 
> I'll leave this open because it is a valid bug, but I don't think your
> solution will work (or addresses the problem :))
> 
> If you want to read up about placeholders please look here
> http://search.cpan.org/dist/DBI/DBI.pm#Placeholders_and_Bind_Values
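To illustrate the placeholder point made in comment #1, here is an added example (not Koha's code) that stores a title containing double quotes through DBI placeholders and reads it back unchanged, then shows what happens when the same value is interpolated into the SQL text instead. It uses an in-memory SQLite database via DBD::SQLite; the table and column names other than `term` are constructed for the example and are not Koha's schema.

```perl
use strict;
use warnings;
use DBI;

# In-memory SQLite standing in for Koha's database. The table layout is a
# constructed stand-in; only the column name "term" comes from the bug thread.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do(q{CREATE TABLE z3950_queue (term TEXT, type TEXT, servers TEXT, requestid INTEGER)});

# A constructed title as it might sit in 245$a, with embedded double quotes.
my $query      = q{Moby Dick "test quotes"};
my $type       = 'title';
my $serverlist = '1,2';
my $requestid  = 1;

# Placeholders: every value is handed to the driver as bound data, so the
# quote characters in $query never reach the SQL parser as SQL syntax.
my $sth = $dbh->prepare(
    q{INSERT INTO z3950_queue (term, type, servers, requestid) VALUES (?,?,?,?)});
$sth->execute($query, $type, $serverlist, $requestid);

# Read the row back: the stored term is identical to what was bound, quotes included.
my ($stored) = $dbh->selectrow_array(
    q{SELECT term FROM z3950_queue WHERE requestid = ?}, undef, $requestid);
print $stored eq $query
    ? "placeholder bind preserved the quotes: $stored\n"
    : "MISMATCH: got [$stored]\n";

# By contrast, building the statement by string interpolation lets the
# embedded double quotes end the literal early; the database rejects the
# statement as malformed instead of storing the row.
my $interpolated = qq{INSERT INTO z3950_queue (term, type, servers, requestid) }
                 . qq{VALUES ("$query", "$type", "$serverlist", $requestid)};
eval { $dbh->do($interpolated); 1 }
    or print "interpolated statement rejected by the database: $@";

$dbh->disconnect;
```

Because the bound value survives the database round trip intact, the loss of the quoted text that William observes has to happen somewhere other than this insert.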
