From 22e8490db15872a97367ff646f18f3fdc12da335 Mon Sep 17 00:00:00 2001 From: Mike Rylander Date: Tue, 21 Feb 2023 16:53:53 -0500 Subject: [PATCH] qtype CGI param protection release notes Signed-off-by: Mike Rylander Signed-off-by: Galen Charlton --- docs/RELEASE_NOTES_NEXT/OPAC/qtype-param-protection.adoc | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 docs/RELEASE_NOTES_NEXT/OPAC/qtype-param-protection.adoc diff --git a/docs/RELEASE_NOTES_NEXT/OPAC/qtype-param-protection.adoc b/docs/RELEASE_NOTES_NEXT/OPAC/qtype-param-protection.adoc new file mode 100644 index 0000000000..a4931b5bd1 --- /dev/null +++ b/docs/RELEASE_NOTES_NEXT/OPAC/qtype-param-protection.adoc @@ -0,0 +1,11 @@ +== Protect qtype CGI parameter == + +Malicious DoS attempts have been witnessed in the wild making use of +the fact that Evergreen does not check the contents of the qtype CGI +parameter. While these fail their intent, it would be better to +simply drop such searches on the floor when they're seen. + +Evergreen will now confirm that the search class in the qtype parameter +is valid, and that the remainder of the value is structured correctly, +before processing the search request. + -- 2.11.0