LP#1811685: qtype CGI parameter checking
author: Mike Rylander <mrylander@gmail.com>
Thu, 17 Nov 2022 22:11:38 +0000 (17:11 -0500)
committer: Galen Charlton <gmc@equinoxOLI.org>
Thu, 23 Mar 2023 19:05:22 +0000 (15:05 -0400)
commit: c39fa94265a000b880fe72db1fbadc3ffb8a15c4
tree: 8b4d034134278746413c9b7eccea9966ec1b1058
parent: 26e8be6fa1de4fbe47d47c9179061a6555292752
LP#1811685: qtype CGI parameter checking

With this commit we throw away searches with invalid qtype value based
on configured classes and aliases.  Invalid qtype values have been seen
in the wild as part of attempted (but failed) SQL injection attacks, so
we will tighten up what we accept.

As an additional (unrelated) bonus, this commit also avoids prepending
the search class on basic search when the class (from qtype) is not
exactly "keyword".

Signed-off-by: Mike Rylander <mrylander@gmail.com>
Signed-off-by: Jason Stephenson <jason@sigio.com>
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Search.pm
Open-ILS/src/templates-bootstrap/opac/parts/header.tt2
Open-ILS/src/templates/opac/parts/header.tt2
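The commit message describes an allow-list policy: a `qtype` value is accepted only if it is one of the configured search classes or their aliases, and a search carrying any other value is discarded. The following Python block is an added illustration of that policy, not Evergreen's code and not the contents of the changed Search.pm; the class/alias table, the exact-match rule and the optional rejection counter are assumptions made for the example.

```python
"""Allow-list validation of a CGI ``qtype`` parameter, illustrating the
policy in the commit message above. Example code, not Evergreen's own."""

# Constructed configuration (assumption): canonical search classes mapped to
# their aliases. Evergreen loads its real classes and aliases from config.
SEARCH_CLASSES = {
    "keyword": ["kw"],
    "title": ["ti"],
    "author": ["au"],
    "subject": ["su"],
    "series": ["se"],
}


def build_qtype_allowlist(classes):
    """Flatten classes and aliases into one exact-match lookup table
    mapping every accepted spelling to its canonical class name."""
    allowlist = {}
    for cls, aliases in classes.items():
        allowlist[cls] = cls
        for alias in aliases:
            allowlist[alias] = cls
    return allowlist


def resolve_qtype(value, allowlist):
    """Return the canonical class for one qtype value, or None when the
    value is not a configured class or alias. Exact membership only (an
    assumption of this example): no case folding, no prefix or substring
    matching, so a tampered value like "keyword' OR 1=1--" never matches
    "keyword" and non-string input is rejected outright."""
    if not isinstance(value, str):
        return None
    return allowlist.get(value)


def validate_search(params, allowlist, rejected=None):
    """Apply the commit's policy to a parsed query string given as
    ``{name: [values, ...]}``: if any qtype value is invalid the whole
    search is thrown away (returns None); otherwise the qtypes come back in
    canonical form. ``rejected`` is an optional dict that counts discarded
    values so they can be surfaced in monitoring (an addition for
    defenders, not part of the commit's policy)."""
    canonical = []
    for value in params.get("qtype", []):
        cls = resolve_qtype(value, allowlist)
        if cls is None:
            if rejected is not None:
                rejected[value] = rejected.get(value, 0) + 1
            return None
        canonical.append(cls)
    return {"qtype": canonical, "query": list(params.get("query", []))}


if __name__ == "__main__":
    allow = build_qtype_allowlist(SEARCH_CLASSES)
    seen = {}
    # Constructed sample requests: two valid, one carrying a tampered qtype.
    for req in (
        {"qtype": ["kw"], "query": ["harbor"]},
        {"qtype": ["title", "au"], "query": ["moby dick", "melville"]},
        {"qtype": ["keyword' OR 1=1--"], "query": ["x"]},
    ):
        print(req["qtype"], "->", validate_search(req, allow, seen))
    print("rejected qtype values:", seen)
```

Because the lookup is by exact dictionary key, the accepted set is exactly what the configuration enumerates; anything else, including a valid class with stray characters appended, is discarded before it reaches query construction, which is the property the commit message is after. The `rejected` counter is there so an operator can watch how often malformed values arrive.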