Bug 10590 - in opac-topissues limit param is not protected

In opac-topissues page, the limit URL argument is directly added to SQL query.

This patch adds protections : limit must only contain digits and must be lower than 100.

Test plan :
- Edit URL to : /cgi-bin/koha/opac-topissues.pl?limit=10&branch=&itemtype=&timeLimit=999&do_it=1
=> You get the results of 10 most cheched-out of all time
- Edit URL to : /cgi-bin/koha/opac-topissues.pl?limit=&branch=&itemtype=&timeLimit=999&do_it=1
=> You get the results of 10 most cheched-out of all time
- Edit URL to : /cgi-bin/koha/opac-topissues.pl?limit=9999&branch=&itemtype=&timeLimit=999&do_it=1
=> You get the results of 100 most cheched-out of all time
- Edit URL to : /cgi-bin/koha/opac-topissues.pl?limit=WHERE&branch=&itemtype=&timeLimit=999&do_it=1
=> You get the results of 10 most cheched-out of all time

Signed-off-by: Robin Sheat <robin@catalyst.net.nz>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>

diff --git a/opac/opac-topissues.pl b/opac/opac-topissues.pl
index 38c6df0..41d7c84 100755 (executable)
--- a/opac/opac-topissues.pl
+++ b/opac/opac-topissues.pl
@@ -52,7 +52,9 @@ my ($template, $borrowernumber, $cookie)
                                });
 my $dbh = C4::Context->dbh;
 # Displaying results
-my $limit = $input->param('limit') || 10;
+my $limit = $input->param('limit');
+$limit = 10 unless ($limit && $limit =~ /^\d+$/); # control user input for SQL query
+$limit = 100 if $limit > 100;
 my $branch = $input->param('branch') || '';
 my $itemtype = $input->param('itemtype') || '';
 my $timeLimit = $input->param('timeLimit') || 3;