LP#1811685: qtype CGI parameter checking
author Mike Rylander <mrylander@gmail.com>
Thu, 17 Nov 2022 22:11:38 +0000 (17:11 -0500)
committer Galen Charlton <gmc@equinoxOLI.org>
Thu, 23 Mar 2023 19:04:15 +0000 (15:04 -0400)
commit a8efc39d4569362d6ee232e75e19a35dba2faa9a
tree 1b31376ba890917bfcac45d7df9400597cb4c324
parent 2845dc07d156e607ada2aab25955524e4d067125
LP#1811685: qtype CGI parameter checking

With this commit we throw away searches with invalid qtype value based
on configured classes and aliases.  Invalid qtype values have been seen
in the wild as part of attempted (but failed) SQL injection attacks, so
we will tighten up what we accept.

As an additional (unrelated) bonus, this commit also avoids prepending
the search class on basic search when the class (from qtype) is not
exactly "keyword".

Signed-off-by: Mike Rylander <mrylander@gmail.com>
Signed-off-by: Jason Stephenson <jason@sigio.com>
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Search.pm
Open-ILS/src/templates-bootstrap/opac/parts/header.tt2
Open-ILS/src/templates/opac/parts/header.tt2
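The allowlist approach the commit message describes, as an added illustration and not code from the commit or from Evergreen itself: a qtype value is accepted only if it is exactly a configured class or a configured alias (which maps to its class), and anything else is dropped before it reaches the search layer. The class names, alias names, and the `canonical_qtype` function are assumptions made for this example.

```perl
use strict;
use warnings;

# Constructed stand-in for the configured search classes and aliases
# (names assumed for illustration; not Evergreen's own configuration).
my %classes = map { $_ => 1 } qw(keyword title author subject series);
my %aliases = (kw => 'keyword', ti => 'title', au => 'author', su => 'subject');

# Map a raw qtype CGI value to a configured class, or return undef so the
# caller can discard the search. Only exact allowlist matches pass: no
# partial matches, no case folding, and no fallback to a default class,
# so a crafted value can never be forwarded into query construction.
sub canonical_qtype {
    my ($qtype) = @_;
    return undef unless defined $qtype && length $qtype;
    return $qtype           if exists $classes{$qtype};
    return $aliases{$qtype} if exists $aliases{$qtype};
    return undef;
}

# Constructed sample input: two configured classes, one alias, and three
# malformed values that must be rejected rather than reaching the query.
for my $q ('keyword', 'title', 'au', 'Keyword', 'title;', q{keyword'}) {
    my $class = canonical_qtype($q);
    printf "%-10s => %s\n", $q, defined $class ? "accept ($class)" : 'reject';
}
```

When a value is rejected, logging the rejected qtype (length-capped and escaped) gives a useful detection signal for the probing the commit message mentions, without ever using the value in a query.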