[Koha-bugs] [Bug 10657] placeholder bug -- Galen will be filling this in shortly

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Tue Jul 30 00:50:15 CEST 2013


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10657

Galen Charlton <gmcharlt at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
   Patch complexity|---                         |Small patch
           Severity|enhancement                 |blocker

--- Comment #1 from Galen Charlton <gmcharlt at gmail.com> ---
When EnableOpacSearchHistory system preference is enabled, Koha stores recent
search history for anonymous OPAC sessions in a cookie called
KohaOpacRecentSearches.  In particular, it used to use the Storable Perl module
to serialize the array of hashrefs representing the recent searches.

However, the documentation for Storable strongly recommends [1] that data to be
deserialized *not* come from untrusted sources -- and cookies cannot be
considered trustworthy, as most web browsers (to say nothing of curl) allow the
user to modify them.  There is a theoretical possibility that a modification to
the KohaOpacRecentSearches cookie could result in the execution of unauthorized
code with the privileges of the Apache backend process.

The 29 July 2013 security update resolves the security issue by replacing use
of the Storable module with the JSON module, which doesn't by default serialize
blessed references and does not attempt to deserialize and execute coderefs.
The payload of the cookie is checked for JSON-correctness and is ignored if it
doesn't contain a valid (double-URI-encoded) JSON object.  In particular, any
old Storable-based cookies are silently ignored.

[1] http://perldoc.perl.org/Storable.html#SECURITY-WARNING
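
The cookie handling described in the comment above, as an added Perl example that is not Koha's own code: the recent-search list is written and read as double-URI-encoded JSON, and any cookie value that does not decode to a JSON array is ignored instead of being handed to a deserializer. The helper names, the sample search records and the hash keys are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use JSON;                                    # replaces Storable::freeze/thaw
use URI::Escape qw(uri_escape uri_unescape);

# Hypothetical helper (not Koha's own code): build the cookie payload as
# double-URI-encoded JSON from an arrayref of search hashrefs.
sub encode_recent_searches {
    my ($searches) = @_;
    my $json = JSON->new->utf8->canonical->encode($searches);
    return uri_escape( uri_escape($json) );
}

# Hypothetical helper (not Koha's own code): parse the cookie payload.
# Returns an arrayref of hashrefs, or an empty arrayref whenever the value
# is not a valid double-URI-encoded JSON array, so tampered values and
# old Storable-based cookies are silently ignored rather than thawed.
sub decode_recent_searches {
    my ($cookie_value) = @_;
    return [] unless defined $cookie_value && length $cookie_value;

    my $json = uri_unescape( uri_unescape($cookie_value) );

    # JSON.pm dies on malformed input and, by default, never revives
    # blessed objects or code references, unlike Storable::thaw.
    my $data = eval { JSON->new->utf8->decode($json) };
    return [] if $@ || ref($data) ne 'ARRAY';

    # Keep only entries shaped like a recent-search record (a hashref).
    return [ grep { ref($_) eq 'HASH' } @$data ];
}

# Constructed sample data standing in for real OPAC search history.
my $history = [
    { query => 'perl', total => 3  },
    { query => 'koha', total => 12 },
];

my $cookie = encode_recent_searches($history);
my $back   = decode_recent_searches($cookie);
print scalar(@$back), " searches restored from a well-formed cookie\n";

# A tampered or legacy (non-JSON) payload is ignored, not deserialized.
my $bogus = uri_escape( uri_escape('not json at all') );
print scalar( @{ decode_recent_searches($bogus) } ),
      " searches restored from a bogus cookie\n";
```

The second print reports zero searches, which is the behaviour the comment describes for old or modified cookies.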
