[Bug 41662] CSRF-vulnerability in opac-patron-consent.pl.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41662 --- Comment #16 from David Cook <dcook@prosentient.com.au> --- (In reply to Andreas Jonsson from comment #15)
Sorry for not paying attention to this issue, but only look att the op parameter as this requires that this validation is made in checkauth:
# FIXME This is only needed for scripts not using plack my $op = $query->param('op'); if ( defined $op && $op =~ m{^cud-} ) { die "Cannot use GET for this request" if $request_method eq 'GET'; }
Since this script would be served by Plack, the Plack middleware would've already caught it. This is irrelevant.
The comment suggest that this check may be removed at some point. Wouldn't it be safer to validate the method directly?
- if ( $op && $op eq 'cud-save' ) {
+ if ( uc $query->request_method eq 'POST' ) {
Yes, but that's not the pattern that the rest of Koha uses. It's better to be consistent than "correct". Koha::Middleware::Plack catches the GET op=cud-save issue. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org