http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10657

Galen Charlton <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
   Patch complexity|---                         |Small patch
           Severity|enhancement                 |blocker

--- Comment #1 from Galen Charlton <[email protected]> ---
When EnableOpacSearchHistory system preference is enabled, Koha stores recent
search history for anonymous OPAC sessions in a cookie called
KohaOpacRecentSearches.  In particular, it used to use the Storable Perl module
to serialize the array of hashrefs representing the recent searches.

However, the documentation for Storable strongly recommends [1] that data to be
deserialized *not* come from untrusted sources -- and cookies cannot be
considered trustworthy, as most web browsers (to say nothing of curl) allow the
user to modify them.  There is a theoretical possibility that a modification to
the KohaOpacRecentSearches cookie could result in the execution of unauthorized
code with the privileges of the Apache backend process.

The 29 July 2013 security update resolves the security issue by replacing use
of the Storable module with the JSON module, which doesn't by default serialize
blessed references and does not attempt to deserialize and execute coderefs.
The payload of the cookie is checked for JSON-correctness and is ignored if it
doesn't contain a valid (double-URI-encoded) JSON object.  In particular, any
old Storable-based cookies are silently ignored.

[1] http://perldoc.perl.org/Storable.html#SECURITY-WARNING

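The defensive cookie handling the comment describes, written out as an added example rather than Koha's own code: JSON replaces Storable, the payload is double-URI-decoded, and anything that fails to decode or is not an array of plain hashrefs is ignored. The helper names, the order of the two encoding layers and the sample values are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use JSON;                                    # decode() dies on malformed input
use URI::Escape qw(uri_escape uri_unescape);

# Hypothetical helper (not Koha's code): parse the KohaOpacRecentSearches
# cookie without trusting it. The payload is double-URI-encoded JSON; anything
# that is not a JSON array of unblessed hashes (old Storable blobs included)
# yields an empty list instead of being deserialized.
sub parse_recent_searches_cookie {
    my ($raw) = @_;
    return [] unless defined $raw && length $raw;

    # Undo the two layers of URI encoding applied when the cookie was written.
    my $decoded = uri_unescape(uri_unescape($raw));

    # JSON's decode croaks on bad input; trap the error rather than propagate it.
    my $data = eval { JSON->new->utf8->decode($decoded) };
    return [] if $@ || !defined $data;

    # Enforce the expected shape: an array whose entries are all plain hashrefs.
    return [] unless ref $data eq 'ARRAY';
    for my $entry (@$data) {
        return [] unless ref $entry eq 'HASH';
    }
    return $data;
}

# Inverse: serialize with JSON (no blessed refs, no coderefs) and double-encode.
sub build_recent_searches_cookie {
    my ($searches) = @_;
    my $json = JSON->new->utf8->canonical->encode($searches);
    return uri_escape(uri_escape($json));
}

# Constructed sample data for a stand-alone run.
my $cookie = build_recent_searches_cookie(
    [ { query_desc => 'kw,wrdl: perl', total => 12, time => 1375056000 } ]
);
printf "valid cookie  -> %d search(es)\n", scalar @{ parse_recent_searches_cookie($cookie) };

# A Storable-style binary payload (constructed bytes) is not JSON and is ignored.
my $legacy = uri_escape(uri_escape("pst0\x04\x08\x08\x31\x23\x45"));
printf "legacy cookie -> %d search(es)\n", scalar @{ parse_recent_searches_cookie($legacy) };

# JSON that parses but has the wrong shape (a bare object) is also ignored.
my $wrong = uri_escape(uri_escape('{"query_desc":"x"}'));
printf "wrong shape   -> %d search(es)\n", scalar @{ parse_recent_searches_cookie($wrong) };
```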
_______________________________________________
Koha-bugs mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
