[Koha-patches] [PATCH] close security holes in patron search autocompletion

Galen Charlton galen.charlton at liblime.com
Mon May 12 17:01:10 CEST 2008


* Added authorization check - user must have a valid
  session cookie to use this feature; before this change,
  anybody could use circ/ysearch.pl to retrieve the entire
  patron directory without authorization.
* (bug 1953) now uses SQL placeholders

Note: this does, unfortunately, noticeably slow down autocompletion;
this indicates a need for factoring of C4::Auth to make authentication
for AJAX scripts as fast as possible.
---
 circ/ysearch.pl |   22 ++++++++++++++--------
 1 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/circ/ysearch.pl b/circ/ysearch.pl
index 2c60980..ee383aa 100755
--- a/circ/ysearch.pl
+++ b/circ/ysearch.pl
@@ -27,21 +27,27 @@
 use strict;
 use CGI;
 use C4::Context;
+use C4::Auth qw/check_cookie_auth/;
 
 my $input   = new CGI;
 my $query   = $input->param('query');
 
 print $input->header(-type => 'text/plain', -charset => 'UTF-8');
 
+my ($auth_status, $sessionID) = check_cookie_auth($input->cookie('CGISESSID'), { circulate => '*' });
+if ($auth_status ne "ok") {
+    exit 0;
+}
+
 my $dbh = C4::Context->dbh;
-$query = "SELECT surname, firstname, cardnumber, address, city, zipcode ".
-            "FROM borrowers " .
-            "WHERE surname LIKE '". $query . "%' " .
-            "OR firstname LIKE '" . $query . "%' " .
-            #"OR cardnumber LIKE '" . $query . "%' " .
-            "ORDER BY surname, firstname ";
-my $sth = $dbh->prepare( $query );
-$sth->execute();
+my $sql = qq(SELECT surname, firstname, cardnumber, address, city, zipcode 
+             FROM borrowers 
+             WHERE surname LIKE ?
+             OR firstname LIKE ?
+             ORDER BY surname, firstname);
+            #"OR cardnumber LIKE '" . $query . "%' " . 
+my $sth = $dbh->prepare( $sql );
+$sth->execute("$query%", "$query%");
 while ( my $rec = $sth->fetchrow_hashref ) {
     print $rec->{surname} . ", " . $rec->{firstname} . "\t" .
           $rec->{cardnumber} . "\t" .
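Review bot: The placeholder rewrite on the new `$sth->execute("$query%", "$query%")` line stops SQL injection, but `$query` is still bound unvalidated: a missing or empty `query` parameter turns the pattern into a bare `%`, and `%`/`_` characters in the input are LIKE wildcards, so any session that passes the new `check_cookie_auth` gate can still pull the whole borrowers table in one request. Add a guard before the prepare, `exit 0 unless defined($query) && length($query);`, and escape the wildcards before binding, e.g. `(my $like = $query) =~ s/([\\%_])/\\$1/g;` followed by `$sth->execute("$like%", "$like%");` (this assumes the database's default LIKE escape character is backslash — confirm for the backend in use). Consider also moving the new auth check above the existing `print $input->header(...)` line so a rejected request can be answered with a non-200 status instead of an empty 200 body. The leftover `#"OR cardnumber LIKE '" . $query . "%' " .` comment now sits after the `qq(...)` statement's semicolon as dead concatenation syntax that cannot be re-enabled as written; either drop it or replace it with `# OR cardnumber LIKE ?` inside the SQL string.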
-- 
1.5.5.rc0.16.g02b00



