[Koha-devel] Using unsanitized data in regular expressions

Jonathan Druart jonathan.druart at bugs.koha-community.org
Wed Mar 6 17:00:37 CET 2019


We already use it in several places. I found 28 occurrences in the current code.

Le lun. 4 mars 2019 à 04:00, David Cook <dcook at prosentient.com.au> a écrit :
>
> Hi all,
>
> I encountered a problem recently where create-pdf.pl was stuck in an infinite loop because a string passed into ‘$line =~ s/$1//;’ in C4::Patroncards::Patroncard contained “(TEST)” and it was treating the parentheses as metacharacters and not literal values.
>
> I fixed the problem by changing the line to ‘$line =~ s/\Q$1\E//;’, so that anything in $1 would be escaped, but it got me thinking about other parts of Koha. I’m not saying that it’s necessarily a problem in other parts of Koha, but that it might be good to be mindful of it.
>
> David Cook
> Systems Librarian
> Prosentient Systems
> 72/330 Wattle St
> Ultimo, NSW 2007
> Australia
>
> Office: 02 9212 0899
> Direct: 02 8005 0595
>
> _______________________________________________
> Koha-devel mailing list
> Koha-devel at lists.koha-community.org
> http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
> website : http://www.koha-community.org/
> git : http://git.koha-community.org/
> bugs : http://bugs.koha-community.org/
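As an added illustration of the metacharacter problem David describes (example code written for this page, not Koha's create-pdf.pl or C4::Patroncards code; the input line, the token-matching regex and the iteration guard are constructed), this shows an interpolated capture being treated as a pattern, the \Q...\E (quotemeta) fix, and why the unescaped form can loop forever:

```perl
#!/usr/bin/perl
# Added example, not Koha code: unescaped interpolation of captured text
# into a regex, beside the \Q...\E fix.
use strict;
use warnings;

# Constructed input: a field whose value contains regex metacharacters.
my $line = 'Title: Testing (TEST) volume 1';

# Unsafe: the captured text is interpolated as a *pattern*, so "(TEST)"
# becomes a capture group that matches only "TEST"; the parentheses
# in the data are left behind.
sub strip_unsafe {
    my ($text, $token) = @_;
    $text =~ s/$token//;
    return $text;
}

# Safe: \Q...\E applies quotemeta, so the token is matched literally.
sub strip_safe {
    my ($text, $token) = @_;
    $text =~ s/\Q$token\E//;
    return $text;
}

# Pull the parenthesised token out, as the original code did with $1.
my ($token) = $line =~ /(\(\w+\))/;

print "unsafe: ", strip_unsafe($line, $token), "\n";
print "safe:   ", strip_safe($line, $token), "\n";

# A loop that removes every parenthesised token until none is left.
# With the unsafe form the leftover "()" is captured next, and s/()//
# matches the empty string and removes nothing, so no progress is made.
# The bounded iteration count turns that hang into a visible error.
sub strip_all {
    my ($text, $escape) = @_;
    my $iterations = 0;
    while ($text =~ /(\(\w*\))/) {
        my $t = $1;
        if ($escape) { $text =~ s/\Q$t\E//; } else { $text =~ s/$t//; }
        die "no progress after 100 iterations (unescaped pattern)\n"
            if ++$iterations > 100;
    }
    return $text;
}

for my $escape (1, 0) {
    my $result = eval { strip_all($line, $escape) };
    print $escape ? 'escaped:   ' : 'unescaped: ',
        defined $result ? "$result\n" : "error: $@";
}
```

The same applies to any user- or database-supplied value interpolated into a pattern; quotemeta (or \Q...\E) is the fix whenever the value is meant to match literally.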

