https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37614 Bug ID: 37614 Summary: Printing patron cards from patron lists broken by CSRF protection Change sponsored?: --- Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: major Priority: P5 - low Component: Tools Assignee: koha-bugs@lists.koha-community.org Reporter: phil@chetcolibrary.org QA Contact: testopia@bugs.koha-community.org CC: jonathan.druart@gmail.com, oleonard@myacpl.org Blocks: 36192 Steps to reproduce: 1. Tools - Patrons lists, if you don't already have one then New list, name and save, Search for patrons, add at least one patron, then return to Patron lists. 2. In the Actions menu for your patron list, select Print patron cards 3. In that perfectly normal looking popup, click Export. You now have a popup with an Loading throbber, which will hang forever, and in your console you have a 403 error from trying to GET patroncards/print.pl. If you go back and inspect the page where you clicked Export, you'll find that it is a button type='submit' in a form with method='post' which makes the GET seem a bit odd. To see that it sometimes posts, 1. Tools - Patron card creator - New card batch - Add at least one patron 2. Export card batch 3. You get a popup with a lovely Windows 95 aesthetic courtesy of greybox.inc, but it is that same form method='post' with the same type='submit' Export button. Click Export and you will POST to patroncards/print.pl and things will work just fine. Not at all clear to me how opening the popup one way turns the POST to a GET, but it does. There's a FIXME in patroncards/print.pl saying that the op=cud-export looks sus, which it does. You could try to make the case that it's sensible to POST because in the case where you have selected some but not all of the patrons in a label batch, the number of label_id params in the URL could be so high that it exceeds Apache's max URL length, but then the result of the POST is a link to create the PDF that is the actual "print" export, and that link is a GET which contains all of them with an over-escaped &label_id= param for each one. So a pragmatic fix would be to just change from a POST to a GET, change cud-export to export, and not worry about why called one way it POSTs and called another way it GETs. Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192 [Bug 36192] [OMNIBUS] CSRF Protection for Koha -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.