git.evergreen-ils.org Git - Evergreen.git/commit

author	Jason Boyer <JBoyer@equinoxinitiative.org>
	Tue, 15 Sep 2020 13:41:30 +0000 (09:41 -0400)
committer	Galen Charlton <gmc@equinoxOLI.org>
	Fri, 14 May 2021 21:40:24 +0000 (17:40 -0400)
commit	08a15a73408fb63181fea57d2a4d303779746b0a
tree	22e73ada943522467533f537cc2a659dcaa04efd	tree
parent	e6821d5739cb55b7aed3c381bd2ccb3997d9ca94	commit \| diff

LP1895660: EGCatLoader/Search.pm

CGI::param called in list context from ...
this can lead to vulnerabilities

For any call to $cgi->param that happens in a list context we need
to verify 2 things: 1, that it is intentional (otherwise use scalar())
and 2, that we don't use the results in an unsafe manner.
For those situations where it's safe and a list is expected (join,
foreach, etc.) there is a $cgi->multi_param() that behaves the same way
but does not issue a warning on use in a list context.

An assumption was made that there will only be a single 'query'
parameter (see _prepare_biblio_search_basics) but if that should
instead be run through a join() that function will need to be updated.

For more details about the potential issues read
https://metacpan.org/pod/distribution/CGI/lib/CGI.pod#Fetching-the-value-or-values-of-a-single-named-parameter

Note that this change will likely require additional testing to
be sure there are no surprises.

Signed-off-by: Jason Boyer <JBoyer@equinoxinitiative.org>
Signed-off-by: Jane Sandberg <sandbej@linnbenton.edu>
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>