https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37887 Bug ID: 37887 Summary: OPAC password recovery needs to use a cud- op while POSTing new password Change sponsored?: --- Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: normal Priority: P3 Component: OPAC Assignee: phil@chetcolibrary.org Reporter: phil@chetcolibrary.org QA Contact: testopia@bugs.koha-community.org Depends on: 36192 Blocks: 37728 The intention of the CSRF protection from bug 36192 was that any form that used method="post" would have to have a param named 'op' which started with 'cud-' but the test that verifies they do missed the case of a template with more than one form. Bug 37728 corrects that, but to land, the things that currently fail the test need to be fixed. In opac-password-recovery.tt that's the fairly critical step where the user sets a new password. Luckily, getting there requires the uniqueKey that's sent in the recovery email, and if someone has access to that you've already lost the game, so it's not really a security issue, just something that needs to be fixed. Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192 [Bug 36192] [OMNIBUS] CSRF Protection for Koha https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37728 [Bug 37728] More "op" are missing in POSTed forms -- You are receiving this mail because: You are watching all bug changes.