[Koha-bugs] [Bug 25339] Validate biblionumber on opac-basket.pl and opac-review.pl

bugzilla-daemon at bugs.koha-community.org
Fri May 15 01:17:59 CEST 2020


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25339

--- Comment #7 from David Cook <dcook at prosentient.com.au> ---
(In reply to Jonathan Druart from comment #6)
> Why did you pick those 2 scripts? And why only biblionumber?
> 

Wise questions. They were flagged by a security consultant, so I fixed them
locally, and posted the patches here to be upstreamed.

> If you want to fix this problem (it is not really an issue imo), you should
> do it all over the place, where we retrieve a variable that is supposed to
> be an id and we send it back to the template. I am pretty sure there are
> others.
> 

As you say, it's not really a (critical) issue, as we've got the XSS risk
handled by the templates. Imho, it's just a bit embarrassing that we don't
validate the data more - but not problematic per se. 

That said, I don't see an issue with patching it in some places and not all
places. (After all, previous efforts by Jared seem to have only patched it in
some places and not all places.)

I agree that there are certainly other places where this happens too. 

> That being said, I don't see biblionumber passed to the template from
> opac-review.pl.

Good catch! The reason is actually rather amusing. It appears Bug 25340 (a bug
I reported the same day as this one but Owen fixed) removed the biblionumber
issue from opac-review.pl as well.

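As an added illustration of the check being discussed (this is example code written for this page, not Koha's own scripts and not part of the bug thread), the following Perl shows a numeric-id validation step for a parameter such as biblionumber before it is passed back to the template, alongside a stand-in for the template-side HTML escaping that the comment says already contains the XSS risk. The function names `validate_biblionumber`, `html_escape` and `handle_request`, the plain hash standing in for the CGI parameters, and the sample inputs are all assumptions made here; Koha's real scripts go through CGI and Template Toolkit, which are not used in this snippet.

```perl
#!/usr/bin/perl
# Added example, not Koha code: validate an id parameter before it reaches
# the template, and show why escaping alone already neutralises the XSS.
use strict;
use warnings;

# Return the id as a plain integer when it is well-formed, otherwise undef.
# A biblionumber is an integer key, so anything else is rejected up front.
sub validate_biblionumber {
    my ($raw) = @_;
    return undef unless defined $raw;
    return undef unless $raw =~ /\A[0-9]{1,10}\z/;   # digits only, bounded length
    my $n = 0 + $raw;                                # numify ("007" -> 7)
    return $n > 0 ? $n : undef;                      # ids start at 1
}

# Stand-in for a template engine's html filter (the escaping that "handles
# the XSS risk" even when the raw value is echoed).
sub html_escape {
    my ($s) = @_;
    my %map = (
        '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
        '"' => '&quot;', "'" => '&#39;',
    );
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Simulated request handling. $params stands in for the CGI parameter hash;
# the returned hash is what a script would hand to the template, or an error.
sub handle_request {
    my ($params) = @_;
    my $raw = $params->{biblionumber};

    # Without validation, the raw value would be echoed back and rely on
    # the template's escaping alone; this is what it would render as.
    my $escaped = html_escape($raw // '');

    # With validation, anything that is not a positive integer stops here
    # and never reaches the template or the database layer.
    my $id = validate_biblionumber($raw);
    return { status => 400, body => 'Invalid biblionumber', escaped => $escaped }
        unless defined $id;

    return { status => 200, biblionumber => $id, escaped => $escaped };
}

# Constructed sample inputs: a valid id, a script tag, a zero-padded id,
# an empty value and an over-long number.
for my $input ('12345', '<script>alert(1)</script>', '007', '', '99999999999') {
    my $r = handle_request({ biblionumber => $input });
    printf "%-28s -> %d %s (template would render: %s)\n",
        "'$input'", $r->{status},
        $r->{status} == 200 ? "biblionumber=$r->{biblionumber}" : $r->{body},
        $r->{escaped};
}
```

Run with `perl validate_biblionumber.pl`: only `12345` and `007` pass, and the script-tag input is shown both as rejected (validation) and as harmless escaped text (what the template would have emitted anyway), which is the "defence in depth, not a critical issue" position taken in the comment.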