LP#1811685: qtype CGI parameter checking
author: Mike Rylander <mrylander@gmail.com>
Thu, 17 Nov 2022 22:11:38 +0000 (17:11 -0500)
committer: Galen Charlton <gmc@equinoxOLI.org>
Thu, 23 Mar 2023 19:04:58 +0000 (15:04 -0400)
commit: 3742dddc58a56f1c3a34596e3ff971b602bee83c
tree: ab07a06b36fc30a439cfe55f70159a0dabb376d2
parent: 15a4850e3e80652ef53b6f4cd212d68638d01743
LP#1811685: qtype CGI parameter checking

With this commit we throw away searches with invalid qtype values based
on configured classes and aliases.  Invalid qtype values have been seen
in the wild as part of attempted (but failed) SQL injection attacks, so
we will tighten up what we accept.

As an additional (unrelated) bonus, this commit also avoids prepending
the search class on basic search when the class (from qtype) is not
exactly "keyword".

Signed-off-by: Mike Rylander <mrylander@gmail.com>
Signed-off-by: Jason Stephenson <jason@sigio.com>
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Search.pm
Open-ILS/src/templates-bootstrap/opac/parts/header.tt2
Open-ILS/src/templates/opac/parts/header.tt2
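The check the commit message describes, validating the qtype CGI parameter against the configured search classes and their aliases and discarding the request otherwise, is illustrated below. This is an added example, not code from the Evergreen commit or from Search.pm; the class and alias tables are constructed stand-ins for whatever the real configuration provides, and the `resolve_qtype`/`build_query` names and the rule of prefixing only non-keyword classes are this illustration's own assumptions rather than the project's implementation.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the configured search classes and aliases.
# These values are assumptions for the illustration, not Evergreen config.
my %CLASSES = map { $_ => 1 } qw(keyword title author subject series identifier);
my %ALIASES = (
    'title|proper'    => 'title',
    'author|personal' => 'author',
    'identifier|isbn' => 'identifier',
);

# Return the canonical class for a raw qtype value, or undef when the value
# is neither a configured class nor a configured alias.  The lookup is an
# exact-match allowlist: no normalisation, no substring matching, so a value
# carrying stray punctuation never resolves to a class.
sub resolve_qtype {
    my ($qtype) = @_;
    return undef unless defined $qtype && length $qtype;
    return $qtype           if exists $CLASSES{$qtype};
    return $ALIASES{$qtype} if exists $ALIASES{$qtype};
    return undef;
}

# Build the query string handed on to the search layer.  An unresolvable
# qtype discards the whole search (undef) instead of falling back to a
# default, so a malformed parameter never reaches lower layers.  Prefixing
# only non-keyword classes is an assumption made for this example.
sub build_query {
    my ($qtype, $term) = @_;
    my $class = resolve_qtype($qtype);
    return undef unless defined $class;
    return $class eq 'keyword' ? $term : "$class:$term";
}

# Constructed inputs: a plain class, an alias, and two values to reject.
for my $q ('keyword', 'title|proper', 'not_a_class', q{title'}) {
    my $result = build_query($q, 'dune');
    printf "%-14s -> %s\n", $q, defined $result ? $result : 'REJECTED';
}
```

Run with `perl` from the command line; the loop at the bottom shows the two configured values resolving and the two unknown values being rejected. The point worth keeping from the commit is the choice to reject rather than default: silently mapping an unknown qtype to "keyword" would hide probing traffic that an operator might otherwise notice in the request logs.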