https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40943 Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |tomascohen@gmail.com --- Comment #26 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- (In reply to Jonathan Druart from comment #25)
We were logging the full userenv for background jobs, I've deleted specifically 'session_id' from the userenv structure before we enqueue the job.
QA review welcome!
Are you removing it because someone with background jobs rights could pick the session id and impersonate others through some cookie mangling? If that's the case, the follow-up looks correct to me. Adding a test on `$job_context->{session_id}` not existing in the data structure might be worth. I guess it can be inferid from the context (the 'delete' line above). -- You are receiving this mail because: You are watching all bug changes.