[Bug 31492] New: Patron image upload fails on first attempt with CSRF failure
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31492 Bug ID: 31492 Summary: Patron image upload fails on first attempt with CSRF failure Change sponsored?: --- Product: Koha Version: 22.05 Hardware: All OS: All Status: NEW Severity: minor Priority: P5 - low Component: Patrons Assignee: koha-bugs@lists.koha-community.org Reporter: matthew.lindfield-seager@hope.edu.kh QA Contact: testopia@bugs.koha-community.org CC: gmcharlt@gmail.com, kyle.m.hall@gmail.com After upgrading to 22.05.004 (and after manually installing `libmojolicious-plugin-openapi-perl` to get patron search to work - as per https://www.mail-archive.com/koha@lists.katipo.co.nz/msg28885.html) we are now seeing an issue uploading patron images. After logging in to Koha, the first attempt to upload an individual patron image (from the patron show screen) fails with a CSRF error:
The form submission failed (Wrong CSRF token). Try to come back, refresh the page, then try again.
Second and subsequent attempts succeed up until we log out and log back in again. After that the first submission once again fails. I tailed the logs to see if I could see any errors using `tail -f /var/log/koha/library/*.log`. On one occasion I saw an error related to `picture_upload.pl` in `/var/log/koha/library/intranet-error.log` but I can't reproduce it. In case it's relevant the error I saw once was:
[Wed Aug 31 09:55:06.665314 2022] [cgi:error] [pid 288501] [client 136.228.129.94:64313] AH01215: Use of uninitialized value $cardnumber in concatenation (.) or string at /usr/share/koha/intranet/cgi-bin/tools/picture-upload.pl line 66.: /usr/share/koha/intranet/cgi-bin/tools/picture-upload.pl, referer: https://<library url>/cgi-bin/koha/circ/circulation.pl?borrowernumber=1790
The CSRF error in the client is reproducible in up-to-date versions of Chrome on Windows and Safari on macOS so it doesn't seem to be browser or OS specific. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31492 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|minor |normal Version|22.05 |master --- Comment #1 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- I am seeing this issue on the master branch (current development) as well. Updating bug. To test: * Turn on patronimages system preferences * Go to any patron account * Hover over the 'dummy image' for the Add button * Browse and select an image for upload * Saving results in the following error: The form submission failed (Wrong CSRF token). Try to come back, refresh the page, then try again. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31492 Jason Robb <jrobb@sekls.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jrobb@sekls.org --- Comment #2 from Jason Robb <jrobb@sekls.org> --- Not sure if this is the exact same issue but I'm on 22.05.07 and consistently getting the "Wrong CSRF Token" error any time I try to add a patron photo from any page of the account *other than* the Details (moremember.pl) tab. I've tested with both the snazzy new camera integration and by manually uploading a file, and in both cases, it only succeeds on moremember.pl. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31492 Wes <wsmith@marshallcolibrary.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |wsmith@marshallcolibrary.or | |g --- Comment #3 from Wes <wsmith@marshallcolibrary.org> --- I'm experiencing the same issue as Jason Robb. Works fine on moremember.pl but csrf_token is empty in the html on any of the other patron tab/pages. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31492 Michael Adamyk <madamyk@ckls.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |madamyk@ckls.org --- Comment #4 from Michael Adamyk <madamyk@ckls.org> --- Confirmed, I'm experiencing this issue after the 22.05 upgrade also. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31492 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |20809 CC| |nick@bywatersolutions.com --- Comment #5 from Nick Clemens <nick@bywatersolutions.com> --- I suspect the issue is from bug 20809, members-menu.js: + $(".edit-patronimage").on("click", function(e){ + e.preventDefault(); + var borrowernumber = $(this).data("borrowernumber"); + $.get("/cgi-bin/koha/members/moremember.pl", { borrowernumber : borrowernumber }, function( data ){ + var image_form = $(data).find("#picture-upload"); + image_form.show().find(".cancel").remove(); + $("#patronImageEdit .modal-body").html( image_form ); + }); + var modalTitle = $(this).attr("title"); + $("#patronImageEdit .modal-title").text(modalTitle); + $("#patronImageEdit").modal("show"); + }); It looks like we are fetching the form via JS, maybe is causing the CSRF mismatch? Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20809 [Bug 20809] Link patron image to patron image add/edit form -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31492 koha-US bug tracker <bugzilla@koha-us.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |bugzilla@koha-us.org -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31492 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31492 --- Comment #6 from Lucas Gass <lucas@bywatersolutions.com> --- Created attachment 145303 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=145303&action=edit Bug 31492: Set CSRF token in circulation.pl To test: * Turn on patronimages system preferences * Go to any patron account * Hover over the 'dummy image' for the Add button * Browse and select an image for upload * Saving results in the following error: The form submission failed (Wrong CSRF token). Try to come back, refresh the page, then try again. Apply patch and try again. You shouldn't need to try twice, it should work on the first attempt now. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31492 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lucas@bywatersolutions.com Assignee|koha-bugs@lists.koha-commun |lucas@bywatersolutions.com |ity.org | Patch complexity|--- |Trivial patch -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31492 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31492 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #145303|0 |1 is obsolete| | --- Comment #7 from David Nind <david@davidnind.com> --- Created attachment 145346 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=145346&action=edit Bug 31492: Set CSRF token in circulation.pl To test: * Turn on patronimages system preferences * Go to any patron account * Hover over the 'dummy image' for the Add button * Browse and select an image for upload * Saving results in the following error: The form submission failed (Wrong CSRF token). Try to come back, refresh the page, then try again. Apply patch and try again. You shouldn't need to try twice, it should work on the first attempt now. Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31492 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |david@davidnind.com --- Comment #8 from David Nind <david@davidnind.com> --- Testing notes (using koha-testing-docker): 1. No error when using Firefox (on Kubuntu 22.04). After apply patch, continues to work as expected. 2. Error when using Chromium and Google Chrome. Applying the patch successfully fixes the issue. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31492 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31492 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #145346|0 |1 is obsolete| | --- Comment #9 from David Cook <dcook@prosentient.com.au> --- Created attachment 145347 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=145347&action=edit Bug 31492: Set CSRF token in circulation.pl To test: * Turn on patronimages system preferences * Go to any patron account * Hover over the 'dummy image' for the Add button * Browse and select an image for upload * Saving results in the following error: The form submission failed (Wrong CSRF token). Try to come back, refresh the page, then try again. Apply patch and try again. You shouldn't need to try twice, it should work on the first attempt now. Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: David Cook <dcook@prosentient.com.au> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31492 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to master Version(s)| |23.05.00 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31492 --- Comment #10 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Nice work everyone! Pushed to 23.05.x for the next release -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31492 Jacob O'Mara <jacob.omara@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to master |Pushed to stable Version(s)|23.05.00 |23.05.00,22.11.02 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31492 --- Comment #11 from Jacob O'Mara <jacob.omara@ptfs-europe.com> --- Nice work, thanks everyone! Pushed to 22.11.x for the next release. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31492 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)|23.05.00,22.11.02 |23.05.00,22.11.02,22.05.09 released in| | Status|Pushed to stable |Pushed to oldstable --- Comment #12 from Lucas Gass <lucas@bywatersolutions.com> --- Backported to 22.05.x for upcoming 22.05.09 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31492 Arthur Suzuki <arthur.suzuki@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)|23.05.00,22.11.02,22.05.09 |23.05.00,22.11.02,22.05.09, released in| |21.11.16 Status|Pushed to oldstable |Pushed to oldoldstable CC| |arthur.suzuki@biblibre.com --- Comment #13 from Arthur Suzuki <arthur.suzuki@biblibre.com> --- applied to 21.11.x for 21.11.16 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31492 wainuiwitikapark@catalyst.net.nz changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |wainuiwitikapark@catalyst.n | |et.nz --- Comment #14 from wainuiwitikapark@catalyst.net.nz --- Not backported to 21.05.x -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org