From: Mike Rylander Date: Tue, 21 Feb 2023 21:53:53 +0000 (-0500) Subject: qtype CGI param protection release notes X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=58e4514aef8f53af748180b60555167f59deb010;p=Evergreen.git qtype CGI param protection release notes Signed-off-by: Mike Rylander Signed-off-by: Galen Charlton --- diff --git a/docs/RELEASE_NOTES_NEXT/OPAC/qtype-param-protection.adoc b/docs/RELEASE_NOTES_NEXT/OPAC/qtype-param-protection.adoc new file mode 100644 index 0000000000..a4931b5bd1 --- /dev/null +++ b/docs/RELEASE_NOTES_NEXT/OPAC/qtype-param-protection.adoc @@ -0,0 +1,11 @@ +== Protect qtype CGI parameter == + +Malicious DoS attempts have been witnessed in the wild making use of +the fact that Evergreen does not check the contents of the qtype CGI +parameter. While these fail their intent, it would be better to +simply drop such searches on the floor when they're seen. + +Evergreen will now confirm that the search class in the qtype parameter +is valid, and that the remainder of the value is structured correctly, +before processing the search request. +
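Review bot: The second paragraph of the new release note should state what happens to a request that fails the new check. The first paragraph says such searches should be "dropped on the floor", but the note only says the qtype search class and the remainder of the value are validated "before processing the search request", leaving administrators to guess whether the patron sees an error page, an empty result set, or something else, and whether rejected requests are visible anywhere for monitoring. One sentence describing the user-visible outcome and how a rejected request can be recognized would make the note actionable; as a minor style point, wrapping `qtype` in backticks as an AsciiDoc literal would match how CGI parameter names are usually rendered in the rest of the release notes.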