MODCR-62 (mod-courses)

Item barcode search: Avoid CQL injection, use search index, search punctuation


    Details

    • Type: Bug
    • Status: Closed
    • Priority: TBD
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 1.2.3
    • Development Team: Thor

      Description

      CRUtil.lookupItemByBarcode uses

      barcode=$barcode

      This allows CQL injection if $barcode is *&limit=9999999

      CQL and percent encoding should be used.

      The = operator (single equals) is the full text search that ignores punctuation, but barcode may contain punctuation.

      The == operator (two equals) should be used instead; it is an exact match search that is backed by a database index and is fast.

      See also https://dev.folio.org/faqs/explain-cql/
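      The two problems the ticket names, shown side by side as an added example (this is not mod-courses code and does not use its HTTP client): the raw interpolation pattern the ticket quotes, and a hardened builder that quotes the barcode as a CQL string, uses the exact-match == operator, and percent-encodes the whole CQL expression before it goes into the query string. The endpoint path is a placeholder, and the escaping rule (backslash before \ " * ? ^ inside a double-quoted CQL term) is assumed from the CQL specification rather than taken from the ticket. The difference in the `=` and `==` operators (full-text vs. indexed exact match) is a server-side property and is only noted in comments.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Placeholder endpoint path; the ticket does not name the real one.
ITEM_ENDPOINT = "/items"

# Constructed sample inputs. The first is the payload the ticket mentions,
# the second is a barcode carrying punctuation that a full-text "=" search
# would ignore.
MALICIOUS_BARCODE = "*&limit=9999999"
PUNCTUATED_BARCODE = 'AB-12/3 "x"'


def vulnerable_query(barcode: str) -> str:
    """Deliberately reproduces the unsafe pattern from the ticket:
    barcode=$barcode interpolated straight into the query string."""
    cql = f"barcode={barcode}"
    return f"{ITEM_ENDPOINT}?query={cql}"


def cql_quote(value: str) -> str:
    """Return `value` as a double-quoted CQL string term.

    Assumption: inside a quoted CQL term a backslash escapes the
    characters \\ " * ? ^ (CQL/SRU string syntax). Quoting keeps the
    whole barcode, punctuation included, as a single literal term."""
    escaped = "".join("\\" + ch if ch in '\\"*?^' else ch for ch in value)
    return f'"{escaped}"'


def safe_query(barcode: str) -> str:
    """Build the query the ticket asks for: exact-match (==, index-backed)
    on a quoted term, then percent-encode the complete CQL expression so
    that & and = inside the barcode cannot split the query string."""
    cql = f"barcode=={cql_quote(barcode)}"
    return f"{ITEM_ENDPOINT}?query={quote(cql, safe='')}"


def server_params(url: str) -> dict:
    """Parse the URL the way a receiving server would, so the effect of
    injected parameters becomes visible."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


if __name__ == "__main__":
    for label, builder in (("vulnerable", vulnerable_query), ("safe", safe_query)):
        url = builder(MALICIOUS_BARCODE)
        print(f"{label}: {url}")
        print(f"  server sees: {server_params(url)}")
    print(f"quoted punctuation: {cql_quote(PUNCTUATED_BARCODE)}")
```

With the vulnerable builder the server sees two parameters, `query=barcode=*` and `limit=9999999`, which is exactly the wildcard-plus-limit override the ticket describes. With the hardened builder the server sees a single `query` parameter whose value is the literal CQL term `barcode=="\*&limit=9999999"`, so the input is matched as a barcode rather than interpreted.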


              People

              Assignee: Kurt Nordstrom
              Reporter: Julian Ladisch
