[Koha-bugs] [Bug 34478] Full CSRF protection

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Tue Mar 12 00:29:00 CET 2024


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34478

--- Comment #183 from David Cook <dcook at prosentient.com.au> ---
(In reply to Fridolin Somers from comment #182)
> Not for backport I bet ?

I don't think that it would be possible to backport this one.

However, I have been thinking a bit about how to provide some protection to
stable branches. 

Locally, I've applied the following:
- Bug 36098 (the Koha::Session patches)
- Bug 34755: Backport Koha::Token change from bug 34478
- Bug 34478: Add csrf-token in meta

I've created a middleware based off Koha::Middleware::CSRF and then using a mix
of ideas from Marcel and myself, I've used JavaScript to inject CSRF tokens
into forms and Koha API calls.

At the moment, I'm testing this on the OPAC, and then I'm going to look at the
Staff Interface.

I want to do some more thinking about how we can use "Strict" in the SameSite
attribute for the CGISESSID cookie to cover off CSRF for GET requests as well.
Less of a problem for 34478 because it fixes a lot of stateful GET requests,
but for older versions...

--

Long story short... it might be worth backporting just "Bug 34478: Add
csrf-token in meta" for now. Maybe a new bug report for that?

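A sketch of the client-side half of the approach described in the comment, added here as an illustration and not code from bug 34478 or from Koha itself: it reads the token that "Add csrf-token in meta" places in the page and attaches it to state-changing forms and fetch() calls, leaving GET requests (the gap the SameSite remark refers to) untouched. The hidden-field name `csrf_token`, the header name `CSRF-TOKEN`, and the meta tag name `csrf-token` are assumptions and must match whatever the server-side middleware actually checks.

```javascript
// Added illustration, not code from bug 34478 or from Koha: read the token
// from <meta name="csrf-token" content="..."> and attach it to state-changing
// forms and fetch() calls. Assumed names: field "csrf_token", header "CSRF-TOKEN".
const UNSAFE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// GET/HEAD are left alone: this approach does not cover stateful GETs.
function needsCsrfToken(method) {
  return UNSAFE_METHODS.has(String(method || "GET").toUpperCase());
}

// Return a copy of a fetch() init with the token header added for unsafe
// methods. The caller's object and its headers are not mutated.
function withCsrfHeader(init, token) {
  const opts = init || {};
  if (!needsCsrfToken(opts.method)) return opts;
  const headers = Object.assign({}, opts.headers, { "CSRF-TOKEN": token });
  return Object.assign({}, opts, { headers });
}

// Add (or refresh) the hidden csrf_token field on one form. Returns true
// when the form needed a token. `doc` is only used to create the input.
function injectFormToken(form, token, doc) {
  if (!needsCsrfToken(form.method)) return false;
  let input = form.querySelector('input[name="csrf_token"]');
  if (!input) {
    input = doc.createElement("input");
    input.type = "hidden";
    input.name = "csrf_token";
    form.appendChild(input);
  }
  input.value = token; // refresh on every run so a rotated token wins
  return true;
}

// Browser wiring: patch every form on the page and wrap window.fetch so
// API calls from the same page carry the header. Returns the token used.
function installCsrfProtection(win) {
  const doc = win.document;
  const meta = doc.querySelector('meta[name="csrf-token"]');
  if (!meta) return null; // page was served without a token: do nothing
  const token = meta.content;
  doc.querySelectorAll("form").forEach((f) => injectFormToken(f, token, doc));
  if (typeof win.fetch === "function") {
    const origFetch = win.fetch.bind(win);
    win.fetch = (url, init) => origFetch(url, withCsrfHeader(init, token));
  }
  return token;
}
if (typeof window !== "undefined") installCsrfProtection(window);
```

Forms added to the page after load (or requests made through XMLHttpRequest rather than fetch) are not covered by this wiring and would need the same treatment at the point where they are created.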