https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40943 --- Comment #27 from Jonathan Druart <jonathan.druart@gmail.com> --- (In reply to Tomás Cohen Arazi (tcohen) from comment #26)
(In reply to Jonathan Druart from comment #25)
We were logging the full userenv for background jobs, I've deleted specifically 'session_id' from the userenv structure before we enqueue the job.
QA review welcome!
Are you removing it because someone with background jobs rights could pick the session id and impersonate others through some cookie mangling?
Yes, exactly.
If that's the case, the follow-up looks correct to me. Adding a test on `$job_context->{session_id}` not existing in the data structure might be worth. I guess it can be inferid from the context (the 'delete' line above).
It's the reason I have added the comment "# session_id must not be logged!" to make it explicit it should not be present. -- You are receiving this mail because: You are watching all bug changes.