[Bug 17830] New: CSRF token is not generated correctly (bis)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17830 Bug ID: 17830 Summary: CSRF token is not generated correctly (bis) Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: ASSIGNED Severity: blocker Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: jonathan.druart@bugs.koha-community.org Reporter: jonathan.druart@bugs.koha-community.org QA Contact: testopia@bugs.koha-community.org The same error as bug 17720 can occur if the userid has unicode characters. Wide character in subroutine entry at /usr/share/perl5/Digest/HMAC.pm line 63. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17830 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=17720 Depends on| |17096 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17830 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17830 --- Comment #1 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 58502 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=58502&action=edit Bug 17830: CSRF - Handle unicode characters in userid If the userid of the logged in user contains unicode characters, the token will not be generated correctly and Koha will crash with: Wide character in subroutine entry at /usr/share/perl5/Digest/HMAC.pm line 63. Test plan: - Edit a superlibrarian user and set his/her userid to '❤' or any other strings with unicode characters. - Login using this patron - Search for patrons and click on a result. => Without this patch, you will get a software error (with "Wide character in subroutine entry" in the logs). => With this patch, everything will go fine You can also test the other files modified by this patch. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17830 Karam Qubsi <karamqubsi@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #58502|0 |1 is obsolete| | CC| |karamqubsi@gmail.com --- Comment #2 from Karam Qubsi <karamqubsi@gmail.com> --- Created attachment 58515 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=58515&action=edit [SIGNED-OFF]-Bug-17830-CSRF-Handle-unicode-characters in userid If the userid of the logged in user contains unicode characters, the token will not be generated correctly and Koha will crash with: Wide character in subroutine entry at /usr/share/perl5/Digest/HMAC.pm line 63. Test plan: - Edit a superlibrarian user and set his/her userid to '❤' or any other strings with unicode characters. - Login using this patron - Search for patrons and click on a result. => Without this patch, you will get a software error (with "Wide character in subroutine entry" in the logs). => With this patch, everything will go fine You can also test the other files modified by this patch. Signed-off-by: Karam Qubsi <karamqubsi@gmail.com> Patch is solving the problem as described . -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17830 Karam Qubsi <karamqubsi@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17830 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |m.de.rooy@rijksmuseum.nl --- Comment #3 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Why not move those encodes to sub _gen_csrf in Token.pm? Since the source of this problem actually is WWW::CSRF, we could have this workaround closer to the call. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17830 --- Comment #4 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- (In reply to Marcel de Rooy from comment #3)
Why not move those encodes to sub _gen_csrf in Token.pm? Since the source of this problem actually is WWW::CSRF, we could have this workaround closer to the call.
I wanted to provide a quick and safe fix. Moving the encode to Koha::Token would have implied to move the existing ones as well (i.e. more changes). -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17830 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17830 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #58515|0 |1 is obsolete| | --- Comment #5 from Kyle M Hall <kyle@bywatersolutions.com> --- Created attachment 58535 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=58535&action=edit Bug 17830: CSRF - Handle unicode characters in userid If the userid of the logged in user contains unicode characters, the token will not be generated correctly and Koha will crash with: Wide character in subroutine entry at /usr/share/perl5/Digest/HMAC.pm line 63. Test plan: - Edit a superlibrarian user and set his/her userid to '❤' or any other strings with unicode characters. - Login using this patron - Search for patrons and click on a result. => Without this patch, you will get a software error (with "Wide character in subroutine entry" in the logs). => With this patch, everything will go fine You can also test the other files modified by this patch. Signed-off-by: Karam Qubsi <karamqubsi@gmail.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17830 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to Master CC| |kyle@bywatersolutions.com --- Comment #6 from Kyle M Hall <kyle@bywatersolutions.com> --- Pushed to master for 17.05, thanks Jonathan! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17830 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to Master |Pushed to Stable CC| |katrin.fischer@bsz-bw.de --- Comment #7 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- This patch has been pushed to 16.11.x and will be in 16.11.02. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17830 Mason James <mtj@kohaaloha.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mtj@kohaaloha.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17830 --- Comment #8 from Mason James <mtj@kohaaloha.com> --- patchset applied via BZ-18124 for 16.05.x, for 16.05.12 release -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17830 Mason James <mtj@kohaaloha.com> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=18124 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17830 Bug 17830 depends on bug 17096, which changed state. Bug 17096 Summary: [OMNIBUS] CSRF protections https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17096 What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |DUPLICATE -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org