[Bug 37040] New: ErrorDocument accidentally setting off CSRF
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 Bug ID: 37040 Summary: ErrorDocument accidentally setting off CSRF Change sponsored?: --- Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: major Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: koha-bugs@lists.koha-community.org Reporter: dcook@prosentient.com.au QA Contact: testopia@bugs.koha-community.org As Michal Kula noted on Mattermost, trying to log into http://localhost:8081/cgi-bin/koha/cataloguing/addbiblio.pl?biblionumber=990... in main will yield a bizarre HTTP response that includes headers for a 403 response and a 200 response... This is due to a bug in addbiblio.pl, but it's also causing the CSRF to fire for the ErrorDocument, so we need to fix that. I have an idea for it... -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=37041 -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |dcook@prosentient.com.au |ity.org | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 --- Comment #1 from David Cook <dcook@prosentient.com.au> --- Created attachment 167521 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=167521&action=edit Bug 37040: Prevent ErrorDocument subrequests from activating CSRF This change improves the mechanism for preventing the CSRF middleware being activated by ErrorDocument subrequests. This change was necessary due to a subtle issue identified by Bug 37041. Test plan: 0. Apply the patch 1. Restart Koha koha-plack --restart kohadev 2. Go to http://localhost:8081/cgi-bin/koha/cataloguing/addbiblio.pl?biblionumber=990... 3. Log in 4. Note that you get a pretty 403 and not an ugly plain text error 5. Go to http://localhost:8081 6. Fill in the login details, but use the HTML inspector to delete the csrf_token from the hidden inputs 7. Submit the login 8. Note a pretty 403 page -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |34478 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34478 [Bug 34478] Full CSRF protection -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #167521|0 |1 is obsolete| | --- Comment #2 from David Nind <david@davidnind.com> --- Created attachment 167560 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=167560&action=edit Bug 37040: Prevent ErrorDocument subrequests from activating CSRF This change improves the mechanism for preventing the CSRF middleware being activated by ErrorDocument subrequests. This change was necessary due to a subtle issue identified by Bug 37041. Test plan: 0. Apply the patch 1. Restart Koha koha-plack --restart kohadev 2. Go to http://localhost:8081/cgi-bin/koha/cataloguing/addbiblio.pl?biblionumber=990... 3. Log in 4. Note that you get a pretty 403 and not an ugly plain text error 5. Go to http://localhost:8081 6. Fill in the login details, but use the HTML inspector to delete the csrf_token from the hidden inputs 7. Submit the login 8. Note a pretty 403 page Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #167560|0 |1 is obsolete| | --- Comment #3 from Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> --- Created attachment 167571 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=167571&action=edit Bug 37040: Prevent ErrorDocument subrequests from activating CSRF This change improves the mechanism for preventing the CSRF middleware being activated by ErrorDocument subrequests. This change was necessary due to a subtle issue identified by Bug 37041. Test plan: 0. Apply the patch 1. Restart Koha koha-plack --restart kohadev 2. Go to http://localhost:8081/cgi-bin/koha/cataloguing/addbiblio.pl?biblionumber=990... 3. Log in 4. Note that you get a pretty 403 and not an ugly plain text error 5. Go to http://localhost:8081 6. Fill in the login details, but use the HTML inspector to delete the csrf_token from the hidden inputs 7. Submit the login 8. Note a pretty 403 page Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 --- Comment #4 from Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> --- Created attachment 167572 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=167572&action=edit Bug 37040: (QA follow-up) Tidy file QA tests were failing for tidyness so this patch addresses that Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |matt.blenkinsop@ptfs-europe |y.org |.com CC| |matt.blenkinsop@ptfs-europe | |.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)| |24.11.00 released in| | Status|Passed QA |Pushed to main -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 --- Comment #5 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Thanks for all the hard work! Pushed to main for the next 24.11.00 release as RM Assistant -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |additional_work_needed CC| |martin.renvoize@ptfs-europe | |.com --- Comment #6 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- I think this one causes the current failure in Jenkins regards cypress tests: https://jenkins.koha-community.org/job/Koha_Main/lastCompletedBuild/testRepo... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 --- Comment #7 from David Cook <dcook@prosentient.com.au> --- (In reply to Martin Renvoize from comment #6)
I think this one causes the current failure in Jenkins regards cypress tests: https://jenkins.koha-community.org/job/Koha_Main/lastCompletedBuild/ testReport/
Ah nuts. We should've grepped for "plack.middleware.Koha.CSRF" in the code. I can see it in ./errors/403.pl and ./opac/errors/403.pl Should be an easy fix... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 --- Comment #8 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 167620 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=167620&action=edit Bug 37040: (RMaint follow-up) Restore passing CSRF error This patch restores the plack.middleware.Koha.CSRF plack env setting to allow passing to the errorDocument. Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|additional_work_needed | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 --- Comment #9 from David Cook <dcook@prosentient.com.au> --- Thanks, Martin. I meant to do that yesterday, but ran out of time. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |nick@bywatersolutions.com --- Comment #10 from Nick Clemens (kidclamp) <nick@bywatersolutions.com> --- *** Bug 37064 has been marked as a duplicate of this bug. *** -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)|24.11.00 |24.11.00,24.05.02 released in| | CC| |lucas@bywatersolutions.com Status|Pushed to main |Pushed to stable --- Comment #11 from Lucas Gass <lucas@bywatersolutions.com> --- Backported to 24.05.x for upcoming 24.05.02 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 --- Comment #12 from Lucas Gass <lucas@bywatersolutions.com> --- Needs rebased for 24.05.x -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to stable |Needs documenting CC| |fridolin.somers@biblibre.co | |m --- Comment #13 from Fridolin Somers <fridolin.somers@biblibre.com> --- Bug 34478 not in 23.11.x -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |david@davidnind.com Text to go in the| |This improves the mechanism release notes| |for preventing the | |activation of CSRF | |middleware by ErrorDocument | |subrequests. For example, a | |properly formatted 403 | |error page is now displayed | |instead of a plain text | |error. (This is related to | |the CSRF changes added in | |Koha 24.05 to improve form | |security.) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |36192 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192 [Bug 36192] [OMNIBUS] CSRF Protection for Koha -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC|martin.renvoize@ptfs-europe | |.com | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs documenting |RESOLVED CC| |caroline.cyr-la-rose@inlibr | |o.com Resolution|--- |FIXED --- Comment #14 from Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com> --- This looks like a bug fix, nothing to change/edit in the manual. Please reopen with more details if needed. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37040 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |martin.renvoize@openfifth.c | |o.uk Blocks|36192 | Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192 [Bug 36192] [OMNIBUS] CSRF Protection for Koha -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org