[Bug 37741] New: Koha errors on page (e.g. 404) cause incorrect CSRF errors
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37741 Bug ID: 37741 Summary: Koha errors on page (e.g. 404) cause incorrect CSRF errors Change sponsored?: --- Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: critical Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: koha-bugs@lists.koha-community.org Reporter: dcook@prosentient.com.au QA Contact: testopia@bugs.koha-community.org To reproduce: 1. Set syspref IntranetFavicon to http://localhost:8081/cgi-bin/koha/bad.jpg 2. Open browser developer tools 3. Go to http://localhost:8081/cgi-bin/koha/mainpage.pl 4. Open the Network tab, disable the cache, and shift refresh 5. Notice that bad.jpg fails to load with a 404 6. Try to login to Koha 7. Confirm 403 error 8. If you look at the cookies sent/received by mainpage.pl on the first load, the bad.jpg load, and the second mainpage.pl load, you'll see that first mainpage.pl returns a cookie, which is used by bad.jpg, which returns a new cookie, which is used by the second mainpage.pl However, the CSRF token submitted with the second mainpage.pl is tied to the cookie from the first mainpage.pl load! It'll never work! The solution is to stop 404.pl from returning a 404.pl cookie. After all, 404.pl shouldn't be creating/updating a cookie. It's just supposed to return a pretty 404 document. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37741 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=35402 --- Comment #1 from David Cook <dcook@prosentient.com.au> --- I actually first noticed this problem after bug 35402 was pushed. It was crazymaking, but I noticed a 404 in the plack.log, and then I turned on the Apache access log, and realized it was a 404 for http://localhost:8081/intranet-tmpl/lib/bootstrap/bootstrap.bundle.min.js.ma.... It wasn't showing up in the Network tab, but if you go into "Sources" and look at the /intranet-tmpl/lib/bootstrap/bootstrap.bundle.min.js, you'll see at the bottom of the screen a message "Source map failed to load" and it mentions the 404 for the map file. Note: the browser only tries to load the map file when you have your dev tools open. So login won't work if you have your dev tools open, but it will if they're closed. Fun! -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37741 --- Comment #2 from David Cook <dcook@prosentient.com.au> --- This problem really was first noticed by Nick on bug 37056, although the solution there was to fix the SVC API, which makes sense for that particular bug. But it's the same idea under the hood. The problem is that the CGISESSID cookie gets overridden by a background call which messes up the foreground. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37741 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=37056 Assignee|koha-bugs@lists.koha-commun |dcook@prosentient.com.au |ity.org | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37741 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37741 --- Comment #3 from David Cook <dcook@prosentient.com.au> --- Created attachment 170743 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=170743&action=edit Bug 37741: Do not send cookie back from error pages This change stops the cookie from being sent back from error pages, so that backcalls that cause errors don't overwrite the existing cookie used by the foreground request page. Test plan: 0. Apply the patch and koha-plack --reload kohadev 1. Set syspref IntranetFavicon to http://localhost:8081/cgi-bin/koha/bad.jpg 2. Open browser developer tools 3. Go to http://localhost:8081/cgi-bin/koha/mainpage.pl 4. Open the Network tab, disable the cache, and shift refresh 5. Notice that bad.jpg fails to load with a 404 6. Try to login to Koha 7. Confirm login works *. Extra points if you note that the cookie returned by the first mainpage.pl request is used for the bad.jpg lookup and the second mainpage.pl request. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37741 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |36192 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192 [Bug 36192] [OMNIBUS] CSRF Protection for Koha -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37741 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37741 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #170743|0 |1 is obsolete| | --- Comment #4 from David Nind <david@davidnind.com> --- Created attachment 170794 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=170794&action=edit Bug 37741: Do not send cookie back from error pages This change stops the cookie from being sent back from error pages, so that backcalls that cause errors don't overwrite the existing cookie used by the foreground request page. Test plan: 0. Apply the patch and koha-plack --reload kohadev 1. Set syspref IntranetFavicon to http://localhost:8081/cgi-bin/koha/bad.jpg 2. Open browser developer tools 3. Go to http://localhost:8081/cgi-bin/koha/mainpage.pl 4. Open the Network tab, disable the cache, and shift refresh 5. Notice that bad.jpg fails to load with a 404 6. Try to login to Koha 7. Confirm login works *. Extra points if you note that the cookie returned by the first mainpage.pl request is used for the bad.jpg lookup and the second mainpage.pl request. Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37741 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Text to go in the| |This fixes the cause of release notes| |incorrect CSRF errors on | |error pages, such as 404s | |and 404s. This stops | |cookies from being sent | |back from error pages, so | |that actions that cause | |errors don't overwrite the | |existing cookie. CC| |david@davidnind.com --- Comment #5 from David Nind <david@davidnind.com> --- I didn't go for the extra points! 8-) Tested in Firefox and Google Chrome on Ubuntu 22.04 (weird things were happening with Chromium...). I attempted a release note - I hope I have captured the essential parts so that it makes sense to library staff. It may be useful to add an example. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37741 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Text to go in the|This fixes the cause of |This fixes the cause of release notes|incorrect CSRF errors on |incorrect CSRF errors on |error pages, such as 404s |error pages, such as 403s |and 404s. This stops |and 404s. This stops |cookies from being sent |cookies from being sent |back from error pages, so |back from error pages, so |that actions that cause |that actions that cause |errors don't overwrite the |errors don't overwrite the |existing cookie. |existing cookie. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37741 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Text to go in the|This fixes the cause of |This change prevents an release notes|incorrect CSRF errors on |error in a background call |error pages, such as 403s |(e.g. a missing |and 404s. This stops |favicon.ico) from affecting |cookies from being sent |the user's session, which |back from error pages, so |can lead to incorrect CSRF |that actions that cause |403 errors during form |errors don't overwrite the |POSTs. (The issue is |existing cookie. |prevented by stopping error | |pages from returning the | |CGISESSID cookie, which | |overwrites the CGISESSID | |cookie returned by the | |foreground page.) --- Comment #6 from David Cook <dcook@prosentient.com.au> --- Thanks, David. I'll revise the release note. Thanks for adding it! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37741 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37741 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #170794|0 |1 is obsolete| | --- Comment #7 from Chris Cormack <chris@bigballofwax.co.nz> --- Created attachment 170897 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=170897&action=edit Bug 37741: Do not send cookie back from error pages This change stops the cookie from being sent back from error pages, so that backcalls that cause errors don't overwrite the existing cookie used by the foreground request page. Test plan: 0. Apply the patch and koha-plack --reload kohadev 1. Set syspref IntranetFavicon to http://localhost:8081/cgi-bin/koha/bad.jpg 2. Open browser developer tools 3. Go to http://localhost:8081/cgi-bin/koha/mainpage.pl 4. Open the Network tab, disable the cache, and shift refresh 5. Notice that bad.jpg fails to load with a 404 6. Try to login to Koha 7. Confirm login works *. Extra points if you note that the cookie returned by the first mainpage.pl request is used for the bad.jpg lookup and the second mainpage.pl request. Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37741 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |chris@bigballofwax.co.nz |y.org | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37741 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)| |24.11.00 released in| | Status|Passed QA |Pushed to main -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37741 --- Comment #8 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Pushed for 24.11! Well done everyone, thank you! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37741 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)|24.11.00 |24.11.00,24.05.06 released in| | CC| |lucas@bywatersolutions.com Status|Pushed to main |Pushed to stable --- Comment #9 from Lucas Gass (lukeg) <lucas@bywatersolutions.com> --- Backported to 24.05.x for upcoming 24.05.06 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37741 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to stable |Needs documenting CC| |fridolin.somers@biblibre.co | |m --- Comment #10 from Fridolin Somers <fridolin.somers@biblibre.com> --- Not for 23.11.x -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37741 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs documenting |RESOLVED Resolution|--- |FIXED --- Comment #11 from David Nind <david@davidnind.com> --- This fixes an error, and no changes are required to the manual. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37741 Bug 37741 depends on bug 36192, which changed state. Bug 36192 Summary: [OMNIBUS] CSRF Protection for Koha https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192 What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37741 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=43037 -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org