From 2b9f993842ec272434bbef961ac17ddd90718652 Mon Sep 17 00:00:00 2001
From: Mike Rylander <mrylander@gmail.com>
Date: Tue, 21 Feb 2023 16:53:53 -0500
Subject: [PATCH] qtype CGI param protection release notes

Signed-off-by: Mike Rylander <mrylander@gmail.com>
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
---
 docs/RELEASE_NOTES_NEXT/OPAC/qtype-param-protection.adoc | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 docs/RELEASE_NOTES_NEXT/OPAC/qtype-param-protection.adoc

diff --git a/docs/RELEASE_NOTES_NEXT/OPAC/qtype-param-protection.adoc b/docs/RELEASE_NOTES_NEXT/OPAC/qtype-param-protection.adoc
new file mode 100644
index 0000000000..a4931b5bd1
--- /dev/null
+++ b/docs/RELEASE_NOTES_NEXT/OPAC/qtype-param-protection.adoc
@@ -0,0 +1,11 @@
+== Protect qtype CGI parameter ==
+
+Malicious DoS attempts have been witnessed in the wild making use of
+the fact that Evergreen does not check the contents of the qtype CGI
+parameter.  While these fail their intent, it would be better to
+simply drop such searches on the floor when they're seen.
+
+Evergreen will now confirm that the search class in the qtype parameter
+is valid, and that the remainder of the value is structured correctly,
+before processing the search request.
+
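Review bot: The second paragraph ("Evergreen will now confirm that the search class in the qtype parameter is valid, and that the remainder of the value is structured correctly") does not say what a rejected request looks like or what counts as valid. Suggest stating what the OPAC returns when qtype fails the check, since the first paragraph says only that such searches are dropped "on the floor", and noting where the set of valid search classes comes from, so sites with customised search links or templates can tell whether their own qtype values will still be accepted. "While these fail their intent" could also state the observed impact plainly, because readers will use this note to decide how urgently to upgrade. Minor: the last added line is empty, which leaves a blank line at the end of the new file; it can be dropped.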
-- 
2.11.0