[Bug 38463] New: Unnecessary CSRF token in OPAC authority search
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38463 Bug ID: 38463 Summary: Unnecessary CSRF token in OPAC authority search Change sponsored?: --- Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: minor Priority: P5 - low Component: OPAC Assignee: phil@chetcolibrary.org Reporter: phil@chetcolibrary.org QA Contact: testopia@bugs.koha-community.org Depends on: 37069 Bug 37069 correctly changed OPAC authority searches from a POST to a GET, but forgot to remove the CSRF token that is only needed for a POST, so now it clutters up the URL by making the first 107 characters of the query string meaningless. Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37069 [Bug 37069] Authorities pagination on OPAC broken by CSRF -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38463 Phil Ringnalda <phil@chetcolibrary.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38463 Phil Ringnalda <phil@chetcolibrary.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38463 --- Comment #1 from Phil Ringnalda <phil@chetcolibrary.org> --- Created attachment 174635 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=174635&action=edit Bug 38463: Unnecessary CSRF token in OPAC authority search Bug 37069 correctly changed OPAC authority searches from a POST to a GET, but forgot to remove the CSRF token that is only needed for a POST, so now it clutters up the URL by making the first 107 characters of the query string meaningless. Test plan: 1. Without the patch, in the OPAC, go to Authority search 2. Change the dropdowns to non-default values so you have meaningful search conditions, and search for something that will return results, like Topical Term/starts with/a/in any heading/Heading descendant 3. Copy the URL of your search results, paste it in an email compose window, look at what you just pasted and wonder whether that big opaque string is actually safe to send to a coworker. Go to lunch. Come back and wonder what you searched for, and look at the URL in the browser to try to tell 4. Apply patch, click the browser back button, reload the page, search again 5. Copy and paste the URL, notice it looks fine to send, just a search. Look at the URL in the browser address bar, notice that within the limits of your window size, you can see what you searched for Sponsored-by: Chetco Community Public Library -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38463 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38463 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #174635|0 |1 is obsolete| | --- Comment #2 from David Nind <david@davidnind.com> --- Created attachment 174637 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=174637&action=edit Bug 38463: Unnecessary CSRF token in OPAC authority search Bug 37069 correctly changed OPAC authority searches from a POST to a GET, but forgot to remove the CSRF token that is only needed for a POST, so now it clutters up the URL by making the first 107 characters of the query string meaningless. Test plan: 1. Without the patch, in the OPAC, go to Authority search 2. Change the dropdowns to non-default values so you have meaningful search conditions, and search for something that will return results, like Topical Term/starts with/a/in any heading/Heading descendant 3. Copy the URL of your search results, paste it in an email compose window, look at what you just pasted and wonder whether that big opaque string is actually safe to send to a coworker. Go to lunch. Come back and wonder what you searched for, and look at the URL in the browser to try to tell 4. Apply patch, click the browser back button, reload the page, search again 5. Copy and paste the URL, notice it looks fine to send, just a search. Look at the URL in the browser address bar, notice that within the limits of your window size, you can see what you searched for Sponsored-by: Chetco Community Public Library Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38463 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |36192 Text to go in the| |This fixes the OPAC release notes| |authority search result URL | |so that it no longer | |includes the CSRF token, | |and makes the URL more | |readable. (This is related | |to the CSRF changes added | |in Koha 24.05 to improve | |form security.) CC| |david@davidnind.com Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192 [Bug 36192] [OMNIBUS] CSRF Protection for Koha -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38463 Emily Lamancusa (emlam) <emily.lamancusa@montgomerycountymd.gov> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |emily.lamancusa@montgomeryc | |ountymd.gov QA Contact|testopia@bugs.koha-communit |emily.lamancusa@montgomeryc |y.org |ountymd.gov -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38463 Emily Lamancusa (emlam) <emily.lamancusa@montgomerycountymd.gov> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #174637|0 |1 is obsolete| | --- Comment #3 from Emily Lamancusa (emlam) <emily.lamancusa@montgomerycountymd.gov> --- Created attachment 174759 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=174759&action=edit Bug 38463: Unnecessary CSRF token in OPAC authority search Bug 37069 correctly changed OPAC authority searches from a POST to a GET, but forgot to remove the CSRF token that is only needed for a POST, so now it clutters up the URL by making the first 107 characters of the query string meaningless. Test plan: 1. Without the patch, in the OPAC, go to Authority search 2. Change the dropdowns to non-default values so you have meaningful search conditions, and search for something that will return results, like Topical Term/starts with/a/in any heading/Heading descendant 3. Copy the URL of your search results, paste it in an email compose window, look at what you just pasted and wonder whether that big opaque string is actually safe to send to a coworker. Go to lunch. Come back and wonder what you searched for, and look at the URL in the browser to try to tell 4. Apply patch, click the browser back button, reload the page, search again 5. Copy and paste the URL, notice it looks fine to send, just a search. Look at the URL in the browser address bar, notice that within the limits of your window size, you can see what you searched for Sponsored-by: Chetco Community Public Library Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38463 Emily Lamancusa (emlam) <emily.lamancusa@montgomerycountymd.gov> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA --- Comment #4 from Emily Lamancusa (emlam) <emily.lamancusa@montgomerycountymd.gov> --- Good catch, thanks Phil! Passing QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38463 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)| |24.11.00 released in| | Status|Passed QA |Pushed to main -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38463 --- Comment #5 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Pushed for 24.11! Well done everyone, thank you! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38463 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to main |Pushed to stable CC| |lucas@bywatersolutions.com Version(s)|24.11.00 |24.11.00,24.05.06 released in| | --- Comment #6 from Lucas Gass (lukeg) <lucas@bywatersolutions.com> --- Backported to 24.05.x for upcoming 24.05.06 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38463 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to stable |Pushed to oldstable -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38463 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to oldstable |Needs documenting CC| |fridolin.somers@biblibre.co | |m --- Comment #7 from Fridolin Somers <fridolin.somers@biblibre.com> --- Not for 23.11.x -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38463 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|Needs documenting |RESOLVED --- Comment #8 from David Nind <david@davidnind.com> --- This is a bug fix and there are no interface changes, no updates to the manual required. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38463 Bug 38463 depends on bug 36192, which changed state. Bug 36192 Summary: [OMNIBUS] CSRF Protection for Koha https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192 What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org