[Bug 37899] New: Koha ILSDI endpoints expect a CSRF token - so ILSDI requests fail
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37899 Bug ID: 37899 Summary: Koha ILSDI endpoints expect a CSRF token - so ILSDI requests fail Change sponsored?: --- Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Web services Assignee: koha-bugs@lists.koha-community.org Reporter: alexbuckley@catalyst.net.nz QA Contact: testopia@bugs.koha-community.org In Koha 24.05 CSRF.pm ( https://git.koha-community.org/Koha-community/Koha/src/branch/main/Koha/Midd... ) expects all stateful methods (POST, PUT, DELETE, PATCH requests) to include a CSRF token. This includes requests to ILSDI ( https://wiki.koha-community.org/wiki/ILS-DI ). This requirement for a CSRF token for ILSDI, which is designed to be used cross site, means ILSDI requests do not work on 24.05 onwards. Several third-party systems need to connect to Koha via ILSDI, for example EDS in order to fetch RTAC (Real-Time Availability Check) data. EDS can also fetch RTAC data from Koha via Z39.50. Another is Bolinda (BorrowBox), an eBook platform, which authenticates Koha users via ILSDI. It would be nice to hear the communities views on what could/should be done to get ILSDI working again. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37899 Alex Buckley <alexbuckley@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |In Discussion -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37899 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@gmail.com --- Comment #1 from Jonathan Druart <jonathan.druart@gmail.com> --- I am not very familiar with this code, but it seems that we have not touch ILSDI when requiring a CSRF token (which means it is still vulnerable). So the "routes" are still accessible via GET and will work (even for stateful requests). -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37899 --- Comment #2 from Jonathan Druart <jonathan.druart@gmail.com> --- This crazy stuff gives access to a lot of data without any authentication (I always forget that). -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37899 --- Comment #3 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Is this maybe a duplicate to Bug 36560 - ILS-DI API doesn't have mechanism to provide CSRF tokens for POSTs ? -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37899 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=36560 -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37899 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fridolin.somers@biblibre.co | |m --- Comment #4 from Fridolin Somers <fridolin.somers@biblibre.com> --- Arf this is a problem for Bokeh portal -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37899 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|In Discussion |RESOLVED Resolution|--- |DUPLICATE CC| |dcook@prosentient.com.au --- Comment #5 from David Cook <dcook@prosentient.com.au> --- *** This bug has been marked as a duplicate of bug 36560 *** -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org