LP#1811685: qtype CGI parameter checking
author Mike Rylander <mrylander@gmail.com>
Thu, 17 Nov 2022 22:11:38 +0000 (17:11 -0500)
committer Galen Charlton <gmc@equinoxOLI.org>
Thu, 23 Mar 2023 19:05:06 +0000 (15:05 -0400)
commit fa61636855946fd82300207a3f637d83cbac67c1
tree c147722d1560b5954c3cec01b5648dd61cf44cdd
parent 22ac69ba5195ece2bd5ccdf339702ddb20995ae5
LP#1811685: qtype CGI parameter checking

With this commit we throw away searches with invalid qtype values based
on configured classes and aliases.  Invalid qtype values have been seen
in the wild as part of attempted (but failed) SQL injection attacks, so
we will tighten up what we accept.

As an additional (unrelated) bonus, this commit also avoids prepending
the search class on basic search when the class (from qtype) is not
exactly "keyword".

Signed-off-by: Mike Rylander <mrylander@gmail.com>
Signed-off-by: Jason Stephenson <jason@sigio.com>
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
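The allowlist check the commit message describes, as an added illustration that is not the Evergreen code from this commit: a raw qtype CGI value is accepted only if it is a configured search class or one of its aliases, and anything else causes the search to be discarded rather than forwarded to the search layer. The class/alias table, the lowercase-only character rule and the length cap are assumptions made for this example; Evergreen loads its classes and aliases from configuration rather than a hard-coded hash.

```perl
use strict;
use warnings;

# Constructed configuration (illustrative only): canonical search classes
# mapped to the aliases a client may send in the qtype CGI parameter.
my %class_aliases = (
    keyword => [qw(kw)],
    title   => [qw(ti)],
    author  => [qw(au)],
    subject => [qw(su)],
    series  => [qw(se)],
);

# Build a lookup from every accepted spelling (class name or alias) to the
# canonical class. Built once at startup, not once per request.
sub build_qtype_map {
    my ($config) = @_;
    my %map;
    for my $class (keys %$config) {
        $map{$class} = $class;
        $map{$_} = $class for @{ $config->{$class} };
    }
    return \%map;
}

# Validate a raw qtype value against the allowlist. Returns the canonical
# class on success and undef for anything outside the configured set, so the
# caller can discard the search instead of passing an attacker-controlled
# string further down the stack.
sub canonical_qtype {
    my ($raw, $map) = @_;
    return undef unless defined $raw;
    return undef if length $raw > 64;         # assumption: no legitimate value is long
    return undef unless $raw =~ /^[a-z]+$/;   # assumption: classes and aliases are lowercase words
    return $map->{$raw};                      # undef when the word is not configured
}

my $qtype_map = build_qtype_map(\%class_aliases);

# Constructed sample inputs: two valid values, three that must be rejected.
for my $raw ('ti', 'keyword', 'Title', "title'", undef) {
    my $class = canonical_qtype($raw, $qtype_map);
    my $shown = defined $raw ? "'$raw'" : 'undef';
    printf "%-10s => %s\n", $shown,
        defined $class ? "search class '$class'" : 'rejected';
}
```

The character-class test runs before the hash lookup so that the rejection decision never depends on how a later layer (template, query parser, database driver) would interpret punctuation in the value; a rejected search is simply not executed, which is the behaviour the commit message describes.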
Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Search.pm
Open-ILS/src/templates-bootstrap/opac/parts/header.tt2
Open-ILS/src/templates/opac/parts/header.tt2