[Bug 17720] New: CSRF token is not generated correctly
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17720 Bug ID: 17720 Summary: CSRF token is not generated correctly Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: ASSIGNED Severity: blocker Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: jonathan.druart@bugs.koha-community.org Reporter: jonathan.druart@bugs.koha-community.org QA Contact: testopia@bugs.koha-community.org The CSRF token is not generated correctly if the DB password contain unicode characters. Indeed md5_base64 explodes with Wide character in subroutine entry at /usr/share/perl5/Digest/HMAC.pm line 63. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17720 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |17096 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17720 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17720 --- Comment #1 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 57949 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=57949&action=edit Bug 17720: CSRF - Handle unicode characters
From the pod of Digest::MD5: """ Since the MD5 algorithm is only defined for strings of bytes, it can not be used on strings that contains chars with ordinal number above 255 (Unicode strings). The MD5 functions and methods will croak if you try to feed them such input data. What you can do is calculate the MD5 checksum of the UTF-8 representation of such strings. """
Test plan: - Set a MySQL/MariaDB password with unicode characters: UPDATE user SET password=PASSWORD('❤') WHERE USER='koha_kohadev'; FLUSH PRIVILEGES - Update your $KOHA_CONF file - Restart Memcached - Hit the files modified by this patch => Without this patch, you will get a software error (with "Wide character in subroutine entry" in the logs). => With this patch, everything will go fine -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17720 Josef Moravec <josef.moravec@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17720 Josef Moravec <josef.moravec@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #57949|0 |1 is obsolete| | --- Comment #2 from Josef Moravec <josef.moravec@gmail.com> --- Created attachment 57957 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=57957&action=edit [SIGNED-OFF] Bug 17720: CSRF - Handle unicode characters
From the pod of Digest::MD5: """ Since the MD5 algorithm is only defined for strings of bytes, it can not be used on strings that contains chars with ordinal number above 255 (Unicode strings). The MD5 functions and methods will croak if you try to feed them such input data. What you can do is calculate the MD5 checksum of the UTF-8 representation of such strings. """
Test plan: - Set a MySQL/MariaDB password with unicode characters: UPDATE user SET password=PASSWORD('❤') WHERE USER='koha_kohadev'; FLUSH PRIVILEGES - Update your $KOHA_CONF file - Restart Memcached - Hit the files modified by this patch => Without this patch, you will get a software error (with "Wide character in subroutine entry" in the logs). => With this patch, everything will go fine Signed-off-by: Josef Moravec <josef.moravec@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17720 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch complexity|--- |Small patch Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17720 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #57957|0 |1 is obsolete| | --- Comment #3 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 57967 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=57967&action=edit Bug 17720: CSRF - Handle unicode characters
From the pod of Digest::MD5: """ Since the MD5 algorithm is only defined for strings of bytes, it can not be used on strings that contains chars with ordinal number above 255 (Unicode strings). The MD5 functions and methods will croak if you try to feed them such input data. What you can do is calculate the MD5 checksum of the UTF-8 representation of such strings. """
Test plan: - Set a MySQL/MariaDB password with unicode characters: UPDATE user SET password=PASSWORD('❤') WHERE USER='koha_kohadev'; FLUSH PRIVILEGES - Update your $KOHA_CONF file - Restart Memcached - Hit the files modified by this patch => Without this patch, you will get a software error (with "Wide character in subroutine entry" in the logs). => With this patch, everything will go fine Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Edit: removed debugging leftover -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17720 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version|unspecified |master CC| |tomascohen@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17720 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kyle@bywatersolutions.com Status|Passed QA |Pushed to Master --- Comment #4 from Kyle M Hall <kyle@bywatersolutions.com> --- Pushed to master for 17.05, thanks Jonathan! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17720 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |katrin.fischer@bsz-bw.de Status|Pushed to Master |Pushed to Stable --- Comment #5 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- This patch has been pushed to 16.11.x, will be in 16.11.01. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17720 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=17830 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17720 Mason James <mtj@kohaaloha.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mtj@kohaaloha.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17720 Bug 17720 depends on bug 17096, which changed state. Bug 17096 Summary: [OMNIBUS] CSRF protections https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17096 What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |DUPLICATE -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org