[Bug 37553] New: Fix CSRF handling in koha-svc.pl script
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37553 Bug ID: 37553 Summary: Fix CSRF handling in koha-svc.pl script Change sponsored?: --- Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: minor Priority: P5 - low Component: Command-line Utilities Assignee: koha-bugs@lists.koha-community.org Reporter: dcook@prosentient.com.au QA Contact: testopia@bugs.koha-community.org CC: robin@catalyst.net.nz ./misc/migration_tools/koha-svc.pl is broken again, as I think we fixed some other CSRF internals after we fixed koha-svc.pl last. Anyway, it should be an easy fix! -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37553 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |dcook@prosentient.com.au |ity.org | -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37553 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37553 --- Comment #1 from David Cook <dcook@prosentient.com.au> --- Created attachment 169968 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=169968&action=edit Bug 37553: Use CSRF token for authenicated session for POSTing This change fixes the Koha::SVC to store the CSRF token for the authenticated session for further POSTing. Test plan: 0. Apply the patch 1. perl ./misc/migration_tools/koha-svc.pl \ http://localhost:8081/cgi-bin/koha/svc koha koha 29 > bib-29.xml 2. perl ./misc/migration_tools/koha-svc.pl \ http://localhost:8081/cgi-bin/koha/svc koha koha 29 bib-29.xml 3. Note that the following appears in STDOUT and there is no 403 error: "update 29 from bib-29.xml" -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37553 --- Comment #2 from David Cook <dcook@prosentient.com.au> --- Created attachment 169974 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=169974&action=edit Bug 37553: Consistently send Csrf-Token in request header This change consistently sends the Csrf-Token in the request header. Previously, one POST sent it in the request body, while the other POST sent it in the request header. Since we're using an API, it's best for us to always send it in the request header Test plan: 0. Apply the patch 1. perl ./misc/migration_tools/koha-svc.pl \ http://localhost:8081/cgi-bin/koha/svc koha koha 29 > bib-29.xml 2. perl ./misc/migration_tools/koha-svc.pl \ http://localhost:8081/cgi-bin/koha/svc koha koha 29 bib-29.xml 3. Note that the following appears in STDOUT and there is no 403 error: "update 29 from bib-29.xml" -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37553 --- Comment #3 from David Cook <dcook@prosentient.com.au> --- Created attachment 169976 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=169976&action=edit Bug 37553: Tidy to make QA tools happy -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37553 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |36192 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192 [Bug 36192] [OMNIBUS] CSRF Protection for Koha -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37553 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37553 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #169968|0 |1 is obsolete| | --- Comment #4 from David Nind <david@davidnind.com> --- Created attachment 169977 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=169977&action=edit Bug 37553: Use CSRF token for authenicated session for POSTing This change fixes the Koha::SVC to store the CSRF token for the authenticated session for further POSTing. Test plan: 0. Apply the patch 1. perl ./misc/migration_tools/koha-svc.pl \ http://localhost:8081/cgi-bin/koha/svc koha koha 29 > bib-29.xml 2. perl ./misc/migration_tools/koha-svc.pl \ http://localhost:8081/cgi-bin/koha/svc koha koha 29 bib-29.xml 3. Note that the following appears in STDOUT and there is no 403 error: "update 29 from bib-29.xml" Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37553 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #169974|0 |1 is obsolete| | --- Comment #5 from David Nind <david@davidnind.com> --- Created attachment 169978 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=169978&action=edit Bug 37553: Consistently send Csrf-Token in request header This change consistently sends the Csrf-Token in the request header. Previously, one POST sent it in the request body, while the other POST sent it in the request header. Since we're using an API, it's best for us to always send it in the request header Test plan: 0. Apply the patch 1. perl ./misc/migration_tools/koha-svc.pl \ http://localhost:8081/cgi-bin/koha/svc koha koha 29 > bib-29.xml 2. perl ./misc/migration_tools/koha-svc.pl \ http://localhost:8081/cgi-bin/koha/svc koha koha 29 bib-29.xml 3. Note that the following appears in STDOUT and there is no 403 error: "update 29 from bib-29.xml" Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37553 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #169976|0 |1 is obsolete| | --- Comment #6 from David Nind <david@davidnind.com> --- Created attachment 169979 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=169979&action=edit Bug 37553: Tidy to make QA tools happy Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37553 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch complexity|--- |Small patch Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37553 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #169977|0 |1 is obsolete| | --- Comment #7 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 169980 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=169980&action=edit Bug 37553: Use CSRF token for authenicated session for POSTing This change fixes the Koha::SVC to store the CSRF token for the authenticated session for further POSTing. Test plan: 0. Apply the patch 1. perl ./misc/migration_tools/koha-svc.pl \ http://localhost:8081/cgi-bin/koha/svc koha koha 29 > bib-29.xml 2. perl ./misc/migration_tools/koha-svc.pl \ http://localhost:8081/cgi-bin/koha/svc koha koha 29 bib-29.xml 3. Note that the following appears in STDOUT and there is no 403 error: "update 29 from bib-29.xml" Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37553 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #169978|0 |1 is obsolete| | --- Comment #8 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 169981 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=169981&action=edit Bug 37553: Consistently send Csrf-Token in request header This change consistently sends the Csrf-Token in the request header. Previously, one POST sent it in the request body, while the other POST sent it in the request header. Since we're using an API, it's best for us to always send it in the request header Test plan: 0. Apply the patch 1. perl ./misc/migration_tools/koha-svc.pl \ http://localhost:8081/cgi-bin/koha/svc koha koha 29 > bib-29.xml 2. perl ./misc/migration_tools/koha-svc.pl \ http://localhost:8081/cgi-bin/koha/svc koha koha 29 bib-29.xml 3. Note that the following appears in STDOUT and there is no 403 error: "update 29 from bib-29.xml" Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37553 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #169979|0 |1 is obsolete| | --- Comment #9 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 169982 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=169982&action=edit Bug 37553: Tidy to make QA tools happy Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37553 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |m.de.rooy@rijksmuseum.nl |y.org | CC| |m.de.rooy@rijksmuseum.nl -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37553 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to main Version(s)| |24.11.00 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37553 --- Comment #10 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Pushed for 24.11! Well done everyone, thank you! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37553 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)|24.11.00 |24.11.00, 24.05.04 released in| | Status|Pushed to main |Pushed to stable CC| |lucas@bywatersolutions.com --- Comment #11 from Lucas Gass <lucas@bywatersolutions.com> --- Backported to 24.05.x for upcoming 24.05.04 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37553 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fridolin.somers@biblibre.co | |m Status|Pushed to stable |Needs documenting --- Comment #12 from Fridolin Somers <fridolin.somers@biblibre.com> --- Not for 23.11.x -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37553 Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs documenting |RESOLVED CC| |caroline.cyr-la-rose@inlibr | |o.com Resolution|--- |FIXED --- Comment #13 from Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com> --- Bug fix, nothing to add/edit in the manual. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org