[koha-commits] main Koha release repository branch 3.14.x updated. v3.14.15-16-g5331865

Git repo owner gitmaster at git.koha-community.org
Tue Jun 23 14:24:07 CEST 2015


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 3.14.x has been updated
       via  533186576bf8885eda8b39cb61bb72388a4d9545 (commit)
      from  4e1b447b4cd9e4781b03fbf78fe027ca80580a33 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 533186576bf8885eda8b39cb61bb72388a4d9545
Author: Jonathan Druart <jonathan.druart at koha-community.org>
Date:   Mon Jun 22 10:56:26 2015 +0200

    Bug 14426: Escape or use placeholders for sql parameters
    
    Is this patch enough to prevent SQL injection in borrowers_out.pl?
    
    ====================================================================
    1. "Criteria" Parameter, Payload: ELT(1=1,'evil') / ELT(1=2,'evil')
    ====================================================================
    
    echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl
    HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length:
    186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=2,'evil')"
    | nc testbox 9002
    
    echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl
    HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length:
    186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=1,'evil')"
    | nc testbox 9002
    
    ====================================================================
    2. "Filter" Parameter, Payload: P_COM'+AND+'a'='a / P_COM'+AND+'a'='b
    ====================================================================
    
    echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl
    HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length:
    183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='a"
    | nc testbox 9002
    
    echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl
    HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length:
    183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='b"
    | nc testbox 9002
    
    ====================================================================
    
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
    (cherry picked from commit f260c56838d5c914831b7de1171df11fa5714ce1)
    Signed-off-by: Fridolin Somers <fridolin.somers at biblibre.com>
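
The commit subject says "escape or use placeholders", and the two test payloads above land in two different positions of the query: "Filter" is a value (a category code), "Criteria" is a column name. The example below is added by the editor and is not the commit's diff nor Koha's own code; it uses a constructed in-memory SQLite table with a simplified schema, assumes DBD::SQLite is installed, and the function names and the allow-list approach for the column are this example's own choices, not necessarily what the patch did. It shows why a DBI placeholder neutralises the Filter payload, and why the Criteria parameter needs a different defence, since an identifier cannot be bound as a placeholder.

```perl
use strict;
use warnings;
use DBI;

# Constructed stand-in for Koha's borrowers table. The schema is a simplified
# assumption for this example, not Koha's real one; requires DBD::SQLite.
sub build_db {
    my $dbh = DBI->connect( 'dbi:SQLite:dbname=:memory:', '', '',
        { RaiseError => 1, PrintError => 0 } );
    $dbh->do('CREATE TABLE borrowers (borrowernumber INTEGER, categorycode TEXT, branchcode TEXT)');
    $dbh->do(q{INSERT INTO borrowers VALUES (1, 'P_COM', 'CPL')});
    $dbh->do(q{INSERT INTO borrowers VALUES (2, 'P_COM', 'MPL')});
    $dbh->do(q{INSERT INTO borrowers VALUES (3, 'STAFF', 'CPL')});
    return $dbh;
}

# Vulnerable form (hypothetical, modelled on the pattern the commit fixes):
# both request parameters are interpolated into the SQL text, so a quote in
# Filter or an expression in Criteria becomes part of the statement.
sub count_by_criteria_vulnerable {
    my ( $dbh, $filter, $criteria ) = @_;
    my $sql = "SELECT $criteria, COUNT(*) FROM borrowers "
            . "WHERE categorycode = '$filter' GROUP BY $criteria";
    return $dbh->selectall_arrayref($sql);
}

# Hardened form: the value is bound through a DBI placeholder, and the column
# name, which a placeholder cannot bind, is checked against an allow-list
# before any SQL is assembled.
my %ALLOWED_CRITERIA = map { $_ => 1 } qw(branchcode categorycode);

sub count_by_criteria_safe {
    my ( $dbh, $filter, $criteria ) = @_;
    die "Unknown criteria column: $criteria\n" unless $ALLOWED_CRITERIA{$criteria};
    my $sql = "SELECT $criteria, COUNT(*) FROM borrowers "
            . "WHERE categorycode = ? GROUP BY $criteria";
    my $sth = $dbh->prepare($sql);
    $sth->execute($filter);    # $filter is sent as data, never parsed as SQL
    return $sth->fetchall_arrayref;
}

my $dbh = build_db();

# Ordinary input: both forms give the same breakdown (CPL: 1, MPL: 1).
my $rows = count_by_criteria_safe( $dbh, 'P_COM', 'branchcode' );
printf "%s: %d\n", @$_ for @$rows;

# The Filter payload from the commit message. Bound as a placeholder it is
# simply a category code that matches no row, so the report is empty instead
# of having its WHERE clause rewritten.
my $payload   = "P_COM' AND 'a'='a";
my $safe_rows = count_by_criteria_safe( $dbh, $payload, 'branchcode' );
print "rows for quoted payload via placeholder: ", scalar(@$safe_rows), "\n";

# The Criteria payload is an identifier position; it is rejected by the
# allow-list before any statement is built.
eval { count_by_criteria_safe( $dbh, 'P_COM', "ELT(1=1,'evil')" ) };
print "criteria rejected: $@" if $@;

$dbh->disconnect;
```

The practical check when reviewing a fix like this one is to ask, for each request parameter, whether it ends up in a value position (placeholder or `$dbh->quote`) or in an identifier or expression position (allow-list or a fixed mapping), since only the former is covered by placeholders.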

-----------------------------------------------------------------------

Summary of changes:
 reports/borrowers_out.pl |   41 ++++++++++++++++++++++++++---------------
 1 file changed, 26 insertions(+), 15 deletions(-)


hooks/post-receive
-- 
main Koha release repository