[Koha-patches] [PATCH] bug 1953 [1/2]: fixing SQL injection problem in C4::Context->preference
Andrew Moore
andrew.moore at liblime.com
Wed Jul 23 21:27:55 CEST 2008
C4::Context->preference was not using placeholders and was potentially vulnerable to
a SQL injection attack. This patch refactors the method to use placeholders.
Added some tests for C4::Context.
---
C4/Context.pm | 8 ++--
t/lib/KohaTest/Context.pm | 54 ++++++++++++++++++++++++++++++++++
t/lib/KohaTest/Context/preference.pm | 54 ++++++++++++++++++++++++++++++++++
3 files changed, 112 insertions(+), 4 deletions(-)
create mode 100644 t/lib/KohaTest/Context.pm
create mode 100644 t/lib/KohaTest/Context/preference.pm
diff --git a/C4/Context.pm b/C4/Context.pm
index efd344f..e466177 100644
--- a/C4/Context.pm
+++ b/C4/Context.pm
@@ -456,15 +456,15 @@ sub preference
{
my $self = shift;
my $var = shift; # The system preference to return
- my $retval; # Return value
my $dbh = C4::Context->dbh or return 0;
# Look up systempreferences.variable==$var
- $retval = $dbh->selectrow_array(<<EOT);
+ my $sql = <<'END_SQL';
SELECT value
FROM systempreferences
- WHERE variable='$var'
+ WHERE variable=?
LIMIT 1
-EOT
+END_SQL
+ my $retval = $dbh->selectrow_array($sql, {}, $var);
return $retval;
}
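Review bot: With the placeholder in, the remaining soft spot is the `$var` argument itself and the error path above it: an undef name now binds NULL and the query quietly returns undef, while a failed `C4::Context->dbh` still returns `0`, which callers cannot tell apart from a preference whose value is 0 — and the new tests pin undef as the "missing" answer. I would reject the input before touching the database, `return unless defined $var && length $var;`, and consider a bare `return` instead of `return 0` when there is no handle so both "unknown" paths agree; that second change is visible to any caller testing `== 0`, so check callers first. A one-line comment above the heredoc, `# single-quoted heredoc: $var is bound via the placeholder, never interpolated`, would stop the next edit from reintroducing the bug 1953 pattern. The `sub preference` line itself sits in the hunk header, outside this hunk.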
diff --git a/t/lib/KohaTest/Context.pm b/t/lib/KohaTest/Context.pm
new file mode 100644
index 0000000..bba7f88
--- /dev/null
+++ b/t/lib/KohaTest/Context.pm
@@ -0,0 +1,54 @@
+package KohaTest::Context;
+use base qw( KohaTest );
+
+use strict;
+use warnings;
+
+use Test::More;
+
+use C4::Context;
+sub testing_class { 'C4::Context' };
+
+
+sub methods : Test( 1 ) {
+ my $self = shift;
+ my @methods = qw(
+ AUTOLOAD
+ boolean_preference
+ config
+ dbh
+ db_scheme2dbi
+ get_shelves_userenv
+ get_versions
+ import
+ KOHAVERSION
+ marcfromkohafield
+ ModZebrations
+ new
+ new_dbh
+ preference
+ read_config_file
+ restore_context
+ restore_dbh
+ set_context
+ set_dbh
+ set_shelves_userenv
+ set_userenv
+ stopwords
+ userenv
+ Zconn
+ zebraconfig
+ _common_config
+ _new_dbh
+ _new_marcfromkohafield
+ _new_stopwords
+ _new_userenv
+ _new_Zconn
+ _unset_userenv
+ );
+
+ can_ok( $self->testing_class, @methods );
+}
+
+1;
+
diff --git a/t/lib/KohaTest/Context/preference.pm b/t/lib/KohaTest/Context/preference.pm
new file mode 100644
index 0000000..2ad73d1
--- /dev/null
+++ b/t/lib/KohaTest/Context/preference.pm
@@ -0,0 +1,54 @@
+package KohaTest::Context::preference;
+use base qw( KohaTest::Context );
+
+use strict;
+use warnings;
+
+use Test::More;
+
+use C4::Context;
+sub testing_class { 'C4::Context' };
+
+
+=head2 STARTUP METHODS
+
+These get run once, before the main test methods in this module
+
+=cut
+
+=head2 TEST METHODS
+
+standard test methods
+
+=head3 preference_does_not_exist
+
+=cut
+
+sub preference_does_not_exist : Test( 1 ) {
+ my $self = shift;
+
+ my $missing = C4::Context->preference( 'doesnotexist' );
+
+ is( $missing, undef, 'a query for a missing syspref returns undef' )
+ or diag( Data::Dumper->Dump( [ $missing ], [ 'missing' ] ) );
+
+}
+
+
+=head3 version_preference
+
+=cut
+
+sub version_preference : Test( 1 ) {
+ my $self = shift;
+
+ my $version = C4::Context->preference( 'version' );
+
+ ok( $version, 'C4::Context->preference returns a good version number' )
+ or diag( Data::Dumper->Dump( [ $version ], [ 'version' ] ) );
+
+}
+
+
+
+1;
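Review bot: Neither test in this new file sends the kind of input bug 1953 is about, so a regression back to interpolating `$var` into the SQL would still pass here; a third method that passes a name containing a single quote and asserts undef would pin the fix. Separately, both `diag` fallbacks call `Data::Dumper->Dump` but this file never loads `Data::Dumper`; unless the KohaTest base class loads it (not visible here), the failure path will itself die instead of printing the diagnostic, so add `use Data::Dumper;` next to `use Test::More;`. The empty `=head2 STARTUP METHODS` section could also be dropped until it has a method under it.
```perl
=head3 preference_with_quote_is_not_injected

=cut

sub preference_with_quote_is_not_injected : Test( 1 ) {
    my $self = shift;

    # Before bug 1953 this name was interpolated into the WHERE clause and
    # would have matched every row; bound as a placeholder it is just an
    # ordinary key that does not exist.
    my $injected = C4::Context->preference( q{doesnotexist' OR '1'='1} );

    is( $injected, undef, 'a quote in the preference name is bound, not interpolated' )
      or diag( Data::Dumper->Dump( [ $injected ], [ 'injected' ] ) );
}
```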
--
1.5.6