[Bug 9401] New: Javascript used for tags handling wants access to CGISESSID cookie
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9401 Bug ID: 9401 Summary: Javascript used for tags handling wants access to CGISESSID cookie Classification: Unclassified Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: minor Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: gmcharlt@gmail.com Reporter: gmcharlt@gmail.com Some Javascript used for processing bib record tags in the OPAC and staff interface wants to read the value of the CGISESSID cookie. If it actually needed to, that would be a blocker to making the session cookie be httpOnly (see bug 9102). Fortunately, as it doesn't actually need to know the session key, it suffices to remove the offending code. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9401 Galen Charlton <gmcharlt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |9102 -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9401 Galen Charlton <gmcharlt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9401 --- Comment #1 from Galen Charlton <gmcharlt@gmail.com> --- Created attachment 14617 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=14617&action=edit bug 9401: remove direct reads of CGISESSID cookie by JavaScript Having embedded JavaScript read the session cookie directly is unnecessary and prevents the CGISESSID cookie being marked httpOnly as a security measure. The only Koha JS attempting this was the AJAX tags code. To test: - In general, verify that there are no regression withs adding tags in the OPAC or reviewing them in the staff interface. - In specific, for the OPAC - log into the OPAC - retrieve a bib record - add a tag - refresh the bib details page to verify that the tag was added - make sure the TagsInputOnList syspref is on - perform a search - add a tag to more than one record from the search results page - repeat the preceding using the CCSR theme - And in the staff interface - Go to the review tags tool - Reject a tag - Refresh to verify that the tag was rejected Signed-off-by: Galen Charlton <gmc@esilibrary.com> -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9401 M. de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9401 M. de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #14617|0 |1 is obsolete| | --- Comment #2 from M. de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 14998 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=14998&action=edit bug 9401: remove direct reads of CGISESSID cookie by JavaScript Having embedded JavaScript read the session cookie directly is unnecessary and prevents the CGISESSID cookie being marked httpOnly as a security measure. The only Koha JS attempting this was the AJAX tags code. To test: - In general, verify that there are no regression withs adding tags in the OPAC or reviewing them in the staff interface. - In specific, for the OPAC - log into the OPAC - retrieve a bib record - add a tag - refresh the bib details page to verify that the tag was added - make sure the TagsInputOnList syspref is on - perform a search - add a tag to more than one record from the search results page - repeat the preceding using the CCSR theme - And in the staff interface - Go to the review tags tool - Reject a tag - Refresh to verify that the tag was rejected Signed-off-by: Galen Charlton <gmc@esilibrary.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9401 M. de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |m.de.rooy@rijksmuseum.nl Patch complexity|--- |Small patch QA Contact| |m.de.rooy@rijksmuseum.nl -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9401 M. de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA --- Comment #3 from M. de Rooy <m.de.rooy@rijksmuseum.nl> --- QA Comment: Welcome addition to the cookies HTTPOnly patch! Tested adding tags, accepting and rejecting (toggling TagsModeration as well). Works fine still. Note that the session parameter from the javascript already was a plan-B-measure in the perl code, but it should not be. This patch nicely removes that. Code looks good to me. Just one remark (had to find something :) Line 279 (and below) still mentions CGISESSID as ajax post parameter in comments.. (opac-tags.pl) Passed QA -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9401 Jared Camins-Esakov <jcamins@cpbibliography.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to Master --- Comment #4 from Jared Camins-Esakov <jcamins@cpbibliography.com> --- This patch has been pushed to Master. Tagging worked for me both before and after applying this patch on top of the patch for bug 9102. I am not entirely sure why. However, since it worked after, I am pushing the patch anyway since it removes unnecessary cruft. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9401 --- Comment #5 from M. de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to comment #4)
This patch has been pushed to Master. Tagging worked for me both before and after applying this patch on top of the patch for bug 9102. I am not entirely sure why. However, since it worked after, I am pushing the patch anyway since it removes unnecessary cruft.
Hi Jared Tagging worked since the session id from javascript was only plan-B in the script. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org