mod-courses / MODCR-62

Item barcode search: Avoid CQL injection, use search index, search punctuation


Details

    • Bug
    • Status: Closed
    • TBD
    • Resolution: Done
    • None
    • 1.2.3
    • Thor

    Description

      CRUtil.lookupItemByBarcode builds its CQL query by interpolating the raw value:

      barcode=$barcode

      This allows CQL injection: if $barcode is *&limit=9999999, the value is interpreted as query syntax instead of as a literal barcode.

      The barcode value should be CQL-escaped (quoted) and then percent-encoded before it is placed in the request.

      The = operator (single equals) is the full-text search, which ignores punctuation, but a barcode may contain punctuation.

      The == operator (two equals) should be used instead: it is an exact-match search that is backed by a database index and is fast.

      See also https://dev.folio.org/faqs/explain-cql/
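      As an added illustration (not code from mod-courses or from the issue reporter), the following Java snippet places the vulnerable interpolation from the description next to a hardened version that wraps the value in CQL double quotes with backslash escaping, switches to the == operator, and percent-encodes the finished expression before it goes onto the URL. The endpoint path and the helper names cqlQuote, safeQuery and lookupUrl are assumptions made for this example; the query and limit parameter names follow the issue text.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

/**
 * Added example, not mod-courses code. Shows why "barcode=" + value is
 * injectable and how to build the same lookup safely.
 * Assumed for the example: the endpoint path and the helper names below.
 */
public final class BarcodeQuery {

  /** Vulnerable form from the issue: raw interpolation with the full-text '=' operator. */
  static String vulnerableQuery(String barcode) {
    return "barcode=" + barcode;
  }

  /**
   * CQL string escaping: wrap the value in double quotes and backslash-escape
   * the characters that CQL treats specially inside a quoted string
   * (backslash, double quote, and the wildcard/anchor characters * ? ^).
   */
  static String cqlQuote(String value) {
    StringBuilder sb = new StringBuilder("\"");
    for (char c : value.toCharArray()) {
      if (c == '\\' || c == '"' || c == '*' || c == '?' || c == '^') {
        sb.append('\\');
      }
      sb.append(c);
    }
    return sb.append('"').toString();
  }

  /** Exact match with '==' keeps punctuation and is served from the database index. */
  static String safeQuery(String barcode) {
    return "barcode==" + cqlQuote(barcode);
  }

  /**
   * Percent-encode the whole CQL expression before putting it in the URL so
   * that '&', '=' and friends inside the value cannot add or alter parameters.
   * The limit is fixed by the caller, not by the user-supplied value.
   * (URLEncoder.encode(String, Charset) requires Java 10 or later.)
   */
  static String lookupUrl(String barcode) {
    String cql = safeQuery(barcode);
    // "/item-storage/items" is an assumed path for this example
    return "/item-storage/items?query="
        + URLEncoder.encode(cql, StandardCharsets.UTF_8)
        + "&limit=1";
  }

  public static void main(String[] args) {
    // Constructed hostile input from the issue description
    String hostile = "*&limit=9999999";
    System.out.println(vulnerableQuery(hostile));
    System.out.println(safeQuery(hostile));
    System.out.println(lookupUrl(hostile));
  }
}
```

      With the hostile input from the description, safeQuery produces the single CQL term barcode=="\*&limit=9999999": the wildcard is escaped, and because the whole term is percent-encoded by lookupUrl, the embedded & can no longer start a new limit parameter. Note that the escaping and the encoding are two separate steps: quoting alone does not protect the URL, and percent-encoding alone does not stop * from acting as a CQL wildcard.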

            People

              kurt Kurt Nordstrom
              julianladisch Julian Ladisch