qtype CGI param protection release notes
author Mike Rylander <mrylander@gmail.com>
Tue, 21 Feb 2023 21:53:53 +0000 (16:53 -0500)
committer Galen Charlton <gmc@equinoxOLI.org>
Thu, 23 Mar 2023 19:04:20 +0000 (15:04 -0400)
Signed-off-by: Mike Rylander <mrylander@gmail.com>
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
docs/RELEASE_NOTES_NEXT/OPAC/qtype-param-protection.adoc [new file with mode: 0644]

diff --git a/docs/RELEASE_NOTES_NEXT/OPAC/qtype-param-protection.adoc b/docs/RELEASE_NOTES_NEXT/OPAC/qtype-param-protection.adoc
new file mode 100644 (file)
index 0000000..a4931b5
--- /dev/null
@@ -0,0 +1,11 @@
+== Protect qtype CGI parameter ==
+
+Malicious DoS attempts have been witnessed in the wild making use of
+the fact that Evergreen does not check the contents of the qtype CGI
+parameter.  While these fail their intent, it would be better to
+simply drop such searches on the floor when they're seen.
+
+Evergreen will now confirm that the search class in the qtype parameter
+is valid, and that the remainder of the value is structured correctly,
+before processing the search request.
+
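Review bot: The second paragraph of the note says the search class and the rest of the qtype value are validated "before processing the search request", but it never states the user-visible outcome when validation fails, which is the detail an operator reading release notes needs (the first paragraph's "drop such searches on the floor" suggests the request is discarded rather than answered with an error, but the note should say so explicitly). Suggest adding one sentence after line "before processing the search request." that states whether a malformed qtype yields an error page, an empty result, or a rejected request, and, if it is documented elsewhere, which search classes are accepted and what "structured correctly" means for the remainder of the value. Two smaller points: "While these fail their intent" is vague; "While these requests do not succeed in degrading service" (or whatever the observed effect actually was) would be clearer. And if a bug tracker entry accompanies the code change, the note should reference it so readers can find the implementing commit from the release notes.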