[Bug 22253] New: Koha throws an exception when updating a borrower with an insecure password
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22253 Bug ID: 22253 Summary: Koha throws an exception when updating a borrower with an insecure password Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: major Priority: P5 - low Component: Patrons Assignee: koha-bugs@lists.koha-community.org Reporter: nick@bywatersolutions.com QA Contact: testopia@bugs.koha-community.org CC: gmcharlt@gmail.com, kyle.m.hall@gmail.com Target Milestone: --- To recreate: 1 - Set RequireStrongPassword to 'Don't require' 2 - Have or set a patron with a simple password like 'oops' 3 - Set RequireStrongPassword to 'Require' 4 - Attempt to edit another part of that patron's record (from the full edit page) 5 - Koha throws an exception -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22253 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |tomascohen@gmail.com |ity.org | -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22253 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff Patch complexity|--- |Trivial patch -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22253 --- Comment #1 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 84594 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=84594&action=edit Bug 22253: Check we actually need to update the password This patch makes memberentry.pl check if password needs to be updated before attempting to call set_password. Above this there's a check that won't raise any errors if no password is passed, or the default string (****) is received. So we could reach that line of code with no password, but the code wouldn't check that. To test: - In master, edit any patron without changing the password => FAIL: It raises an exception - Apply this patch - Edit the patron withtout changing the password => SUCCESS: Edit successful - Edit the patron, changing the password - Try to login with the new password => SUCCESS: The password got changed correctly - Sigh off :-D -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22253 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |josef.moravec@gmail.com, | |m.de.rooy@rijksmuseum.nl, | |martin.renvoize@ptfs-europe | |.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22253 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|--- |19.05 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22253 Owen Leonard <oleonard@myacpl.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22253 Owen Leonard <oleonard@myacpl.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #84594|0 |1 is obsolete| | --- Comment #2 from Owen Leonard <oleonard@myacpl.org> --- Created attachment 84640 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=84640&action=edit Bug 22253: Check we actually need to update the password This patch makes memberentry.pl check if password needs to be updated before attempting to call set_password. Above this there's a check that won't raise any errors if no password is passed, or the default string (****) is received. So we could reach that line of code with no password, but the code wouldn't check that. To test: - In master, edit any patron without changing the password => FAIL: It raises an exception - Apply this patch - Edit the patron withtout changing the password => SUCCESS: Edit successful - Edit the patron, changing the password - Try to login with the new password => SUCCESS: The password got changed correctly - Sigh off :-D Signed-off-by: Owen Leonard <oleonard@myacpl.org> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22253 Josef Moravec <josef.moravec@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22253 Josef Moravec <josef.moravec@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #84640|0 |1 is obsolete| | --- Comment #3 from Josef Moravec <josef.moravec@gmail.com> --- Created attachment 84657 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=84657&action=edit Bug 22253: Check we actually need to update the password This patch makes memberentry.pl check if password needs to be updated before attempting to call set_password. Above this there's a check that won't raise any errors if no password is passed, or the default string (****) is received. So we could reach that line of code with no password, but the code wouldn't check that. To test: - In master, edit any patron without changing the password => FAIL: It raises an exception - Apply this patch - Edit the patron withtout changing the password => SUCCESS: Edit successful - Edit the patron, changing the password - Try to login with the new password => SUCCESS: The password got changed correctly - Sigh off :-D Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Josef Moravec <josef.moravec@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22253 Josef Moravec <josef.moravec@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |josef.moravec@gmail.com |y.org | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22253 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to Master --- Comment #4 from Nick Clemens <nick@bywatersolutions.com> --- Awesome work all! Pushed to master for 19.05 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22253 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to Master |RESOLVED Resolution|--- |FIXED --- Comment #5 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Bug not in 18.11.x series. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org