From a8efc39d4569362d6ee232e75e19a35dba2faa9a Mon Sep 17 00:00:00 2001 From: Mike Rylander Date: Thu, 17 Nov 2022 17:11:38 -0500 Subject: [PATCH] LP#1811685: qtype CGI parameter checking With this commit we throw away searches with invalid qtype value based on configured classes and aliases. Invalid qtype values have been seen in the wild as part of attempted (but failed) SQL injection attacks, so we will tighten up what we accept. As an additional (unrelated) bonus, this commit also avoids prepending the search class on basic search when the class (from qytpe) is not exactly "keyword". Signed-off-by: Mike Rylander Signed-off-by: Jason Stephenson Signed-off-by: Galen Charlton --- .../src/perlmods/lib/OpenILS/WWW/EGCatLoader/Search.pm | 15 +++++++++++++++ Open-ILS/src/templates-bootstrap/opac/parts/header.tt2 | 2 +- Open-ILS/src/templates/opac/parts/header.tt2 | 2 +- 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Search.pm b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Search.pm index bb845b2a5f..81132be100 100644 --- a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Search.pm +++ b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Search.pm @@ -10,11 +10,23 @@ use Data::Dumper; $Data::Dumper::Indent = 0; my $U = 'OpenILS::Application::AppUtils'; +my @_qtype_list; + sub _prepare_biblio_search_basics { my ($cgi) = @_; return scalar($cgi->param('query')) unless scalar($cgi->param('qtype')); + # fetch, once per mod_perl backend, the list of valid classes and aliases + unless (@_qtype_list) { + my $editor = new_editor(); + my $classes = $editor->retrieve_all_config_metabib_class(); + my $aliases = $editor->retrieve_all_config_metabib_search_alias(); + + push @_qtype_list, map { $_->name } @$classes; + push @_qtype_list, map { $_->alias } @$aliases; + } + my %parts; my @part_names = qw/qtype contains query bool/; $parts{$_} = [ $cgi->param($_) ] for (@part_names); 
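Review bot: `@$classes` and `@$aliases` are dereferenced without confirming that the two `retrieve_all_*` calls returned an array reference, so a failed cstore lookup inside `unless (@_qtype_list) { ... }` would die in the middle of the request instead of leaving the cache empty; `my $classes = $editor->retrieve_all_config_metabib_class() || [];` and `my $aliases = $editor->retrieve_all_config_metabib_search_alias() || [];` keep the failure on the retry path (the block re-runs while `@_qtype_list` is empty). Whether the editor returns undef or throws on failure is not visible here. Since the list is built once for the life of the backend, classes or aliases added to the config tables are not accepted until the process restarts; the comment would benefit from stating that, e.g. `# cached for the backend's lifetime: new classes/aliases need a restart`. `_prepare_biblio_search_basics` continues past the end of the hunk.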
@@ -42,6 +54,9 @@ sub _prepare_biblio_search_basics { $jtitle = 1; } + # This restricts qtype to classes, aliases, and field lists (approximately) + next unless grep { $qtype =~ /^$_(?:\|\w+)*$/ } @_qtype_list; + # This stuff probably will need refined or rethought to better handle # the weird things Real Users will surely type in. $contains = "" unless defined $contains; # silence warning diff --git a/Open-ILS/src/templates-bootstrap/opac/parts/header.tt2 b/Open-ILS/src/templates-bootstrap/opac/parts/header.tt2 index 4bda61ee92..52c6c777be 100755 --- a/Open-ILS/src/templates-bootstrap/opac/parts/header.tt2 +++ b/Open-ILS/src/templates-bootstrap/opac/parts/header.tt2 @@ -9,7 +9,7 @@ # Don't wrap in l() here; do that where this format string is actually used. SET HUMAN_NAME_FORMAT = '[_1] [_2] [_3] [_4] [_5]'; - is_advanced = CGI.param("_adv").size || CGI.param("query").size; + is_advanced = CGI.param("_adv").size || CGI.param("query").size > 1; is_special = CGI.param("_special").size; # Check if we want to show the detail record view. Doing this diff --git a/Open-ILS/src/templates/opac/parts/header.tt2 b/Open-ILS/src/templates/opac/parts/header.tt2 index 2bf7bb0e3c..804edcc6e8 100644 --- a/Open-ILS/src/templates/opac/parts/header.tt2 +++ b/Open-ILS/src/templates/opac/parts/header.tt2 @@ -9,7 +9,7 @@ # Don't wrap in l() here; do that where this format string is actually used. SET HUMAN_NAME_FORMAT = '[_1] [_2] [_3] [_4] [_5]'; - is_advanced = CGI.param("_adv").size || CGI.param("query").size; + is_advanced = CGI.param("_adv").size || CGI.param("query").size > 1; is_special = CGI.param("_special").size; # Check if we want to show the detail record view. Doing this -- 2.11.0
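Review bot: The configured class or alias name is interpolated into the pattern unescaped in `next unless grep { $qtype =~ /^$_(?:\|\w+)*$/ } @_qtype_list;`, so any regex metacharacter in a name (a `.` in an alias, for instance) widens what is accepted, and `$` also admits a trailing newline; `next unless grep { $qtype =~ /\A\Q$_\E(?:\|\w+)*\z/ } @_qtype_list;` limits the accepted set to exactly the configured names plus `|field` suffixes, which is what the comment above it promises. Given that the commit message ties malformed values to attack traffic, a warn-level log line naming the rejected value (via the module's logger, if one is in scope) would give operators a detection signal that a silent `next` does not. The loop and the assignment of `$qtype` sit outside the hunk.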
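Review bot: The `> 1` in `is_advanced = CGI.param("_adv").size || CGI.param("query").size > 1;` rests on an assumption the template does not state — presumably that only the advanced form submits more than one `query` parameter, so a single `query` now counts as a basic search — and the link to the server-side qtype change is not obvious to a reader of the template. A comment above the line such as `# more than one "query" param only comes from the advanced search form; a single "query" is a basic search` would record it. The identical edit in Open-ILS/src/templates/opac/parts/header.tt2 needs the same comment.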