[Koha-devel] security question about injection in Zebra
Fridolyn SOMERS
fridolyn.somers at gmail.com
Fri Jul 8 09:42:55 CEST 2011
Hi,
A fair question indeed.
About: "- if one contains a double quote, no escaping is done (and it could result in an invalid query)"
You should open a bug.
I think replacing double quotes with a space should work; double quotes are
considered by Zebra as a space between two words.
Needs more investigation.
Regards,
2011/6/30 Frère Sébastien <sebastien.marie at latrappe.fr>
> Hi,
>
> Seeing the patch proposed by Marcel de Rooy for bug 6536, a question
> arrived in my mind about injection of code in Zebra.
>
> Is someone aware of something like that?
>
> Next, an extract of the patch (and after it my comments):
>
> On Thu, Jun 30, 2011 at 01:01:01PM +0000, Marcel de Rooy wrote:
> > Z3950 Enhancements: SRU search targets, MARC conversion and additional XSLT processing
> >
> > diff --git a/C4/Breeding.pm b/C4/Breeding.pm
> > index 9003f9a..cb04e14 100644
> > --- a/C4/Breeding.pm
> > +++ b/C4/Breeding.pm
>
> [...]
>
> > +sub build_query {
> > + my $nterms=0;
> > + my $title = $input->param('title')||'';
> > + my $author = $input->param('author')||'';
> > + my $isbn = $input->param('isbn')||'';
> > + my $lccall = $input->param('lccall')||'';
> > + my $subject = $input->param('subject')||'';
> > + my $dewey = $input->param('dewey')||'';
> > + my $controlnumber = $input->param('controlnumber')||'';
> > + my $stdid = $input->param('stdid')||'';
> > + my $srchany = $input->param('srchany')||'';
> > +
> > + if ($isbn) {
> > + $zquery = "\@or \@attr 1=8 \"$isbn\" \@attr 1=7 \"$isbn\" ";
> > + $squery = "([isbn]=\"$isbn\" or [issn]=\"$isbn\") and ";
> > + $nterms++;
> > + }
> > + if ($title) {
> > + utf8::decode($title);
> > + $zquery .= "\@attr 1=4 \"$title\" ";
> > + $squery .= "[title]=\"$title\" and ";
> > + $nterms++;
> > + }
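Review bot: `$isbn` and `$title` (and by the same pattern the other `$input->param(...)` values) are interpolated into `$zquery` and `$squery` inside `\"...\"` with no treatment of a double quote or backslash in the value, so a value containing `"` closes the quoted term early and the rest of it is parsed as query syntax rather than as search text; pass each value through one shared helper that strips or escapes `"` (and `\`) before building the strings, e.g. `$isbn =~ s/"//g;`. Also, `$zquery`, `$squery` and `$input` are used in `build_query` without being declared in the lines shown; if they are file-level lexicals, a comment saying so would help the next reader.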
>
> [...]
>
>
> First, some notes about the code:
> - all variables seem to come from user data (input query), so they are user
> controlled.
> - if one contains a double quote, no escaping is done (and it could result in an
> invalid query)
>
>
> About possible Zebra exploits (untested):
> - yaz-client (Z39.50 client) permits the bang pattern for shell invocation;
> does the library too?
> - does Zebra permit anonymous index writes? (resulting in index corruption,
> possibly affecting Koha in places where data are read from Zebra and
> used 'as is')
> - or connection to another server? (could expose the local network area)
> - ...
>
> If someone has other ideas...
>
>
> If the Zebra library permits the use of placeholders, we should use them. Else
> perhaps develop a small function for variable escaping before inclusion in the
> Zebra query.
>
> Thanks.
> --
> Frère Sébastien Marie
> Abbaye Notre Dame de La Trappe
> 61380 Soligny-la-Trappe
> Tél: 02.33.84.17.00
> Fax: 02.33.34.98.57
> Web: http://www.latrappe.fr/
--
Fridolyn SOMERS
ICT engineer
PROGILONE - Lyon - France
fridolyn.somers at gmail.com
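A worked illustration of the quoting problem and of the mitigation suggested above (replacing double quotes with a space), added here as an example; it is not code from the Koha patch. `build_zquery_unsafe` mirrors the interpolation pattern of the quoted hunk, while `zebra_term` and `build_zquery_safe` are hypothetical names, and both builders take a plain hashref instead of `$input->param`.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Mirrors the interpolation in the quoted hunk: each value goes straight into
# the PQF string inside \"...\" with no treatment of embedded double quotes.
sub build_zquery_unsafe {
    my ($p) = @_;
    my $zquery = '';
    if ($p->{isbn}) {
        $zquery = "\@or \@attr 1=8 \"$p->{isbn}\" \@attr 1=7 \"$p->{isbn}\" ";
    }
    if ($p->{title}) {
        $zquery .= "\@attr 1=4 \"$p->{title}\" ";
    }
    return $zquery;
}

# Mitigation from the thread: Zebra treats a double quote like a word boundary,
# so replacing it with a space keeps the whole value inside its quoted term
# instead of letting it close the term early. (zebra_term is a hypothetical name.)
sub zebra_term {
    my ($value) = @_;
    $value =~ s/"/ /g;          # neutralize any quote that would end the term
    $value =~ s/\s+/ /g;        # collapse the resulting runs of whitespace
    $value =~ s/^\s+|\s+$//g;   # trim leading and trailing whitespace
    return $value;
}

sub build_zquery_safe {
    my ($p) = @_;
    my $zquery = '';
    if ($p->{isbn}) {
        my $isbn = zebra_term($p->{isbn});
        $zquery = "\@or \@attr 1=8 \"$isbn\" \@attr 1=7 \"$isbn\" ";
    }
    if ($p->{title}) {
        my $title = zebra_term($p->{title});
        $zquery .= "\@attr 1=4 \"$title\" ";
    }
    return $zquery;
}

# Constructed input: a title carrying a double quote followed by PQF syntax.
# Unsafe: the quote ends the term and the rest is read as query structure.
# Safe:   the whole value stays one quoted term, "Dune @attr 1=12 12345".
my %input = (isbn => '', title => 'Dune" @attr 1=12 "12345');
print "unsafe: ", build_zquery_unsafe(\%input), "\n";
print "safe:   ", build_zquery_safe(\%input), "\n";
```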