[Bug 36194] New: CSRF - svc
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36194 Bug ID: 36194 Summary: CSRF - svc Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: critical Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: koha-bugs@lists.koha-community.org Reporter: nick@bywatersolutions.com QA Contact: testopia@bugs.koha-community.org This bug is for tracking follow-ups missed in the initial review. Please see the "svc" section on the framapad here: https://annuel.framapad.org/p/koha_34478_remaining Additional entries can be added there, and should be crossed out when completed Patches should be attached here This bug can be closed when that section of the pad is empty see bug 36084 commits for new method using fetch/api-client.js is retrieved (and adjusted) from the Vue work wiki/coding guideline to follow -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36194 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |36192 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192 [Bug 36192] [OMNIBUS] CSRF Protection for Koha -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36194 --- Comment #1 from Nick Clemens <nick@bywatersolutions.com> --- https://wiki.koha-community.org/wiki/Coding_Guidelines#JS13:_Fetching_resour... -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36194 Jonathan Druart <jonathan.druart+koha@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart+koha@gmail. | |com --- Comment #2 from Jonathan Druart <jonathan.druart+koha@gmail.com> --- (In reply to Nick Clemens from comment #1)
https://wiki.koha-community.org/wiki/Coding_Guidelines#JS13: _Fetching_resources
Note that we do not necessarily need to use this method to fix the remaining svc occurrences. We can simply reject non-POST requests, or add a cud op when missing. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36194 Jonathan Druart <jonathan.druart+koha@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |36094 --- Comment #3 from Jonathan Druart <jonathan.druart+koha@gmail.com> --- Note that svc/authentication has its own bug 36094. Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36094 [Bug 36094] svc/authentication needs adjustements -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36194 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au --- Comment #4 from David Cook <dcook@prosentient.com.au> --- Is it intentional placing these follow-up bugs in "Koha" rather than "Koha Security"? -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36194 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |36084 Summary|CSRF - svc |CSRF - svc (2/2) Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36084 [Bug 36084] Pass CSRF token to SVC scripts (1/2) -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36194 Bug 36194 depends on bug 36084, which changed state. Bug 36084 Summary: Pass CSRF token to SVC scripts (1/2) https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36084 What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to master |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36194 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Component|Architecture, internals, |Koha |and plumbing | CC| |didier.gautheron@biblibre.c | |om, | |fridolin.somers@biblibre.co | |m, | |katrin.fischer@bsz-bw.de, | |laurent.ducos@biblibre.com, | |lisette@bywatersolutions.co | |m, | |lucas@bywatersolutions.com, | |m.de.rooy@rijksmuseum.nl, | |martin.renvoize@ptfs-europe | |.com, | |nick@bywatersolutions.com, | |philippe.blouin@inlibro.com | |, tomascohen@gmail.com Group| |Koha security Version|Main |unspecified Product|Koha |Koha security -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36194 --- Comment #5 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Is anyone still working on these? And can we move them from pad to bugzilla bugs? I think at this state this could help and give us a better overview. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36194 --- Comment #6 from David Cook <dcook@prosentient.com.au> --- (In reply to Katrin Fischer from comment #5)
Is anyone still working on these? And can we move them from pad to bugzilla bugs? I think at this state this could help and give us a better overview.
Not working on it currently. I don't have anything external using the SVC API atm, so I haven't stumbled into anything urgent/broken in production. The SVC API certainly has its challenges... -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org