[Bug 38030] New: stocknumberAV.pl fails with CSRF protection
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38030 Bug ID: 38030 Summary: stocknumberAV.pl fails with CSRF protection Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: minor Priority: P5 - low Component: Cataloging Assignee: januszop@gmail.com Reporter: januszop@gmail.com QA Contact: testopia@bugs.koha-community.org CC: m.de.rooy@rijksmuseum.nl Depends on: 36192 The value builder stocknumberAV.pl does not work after applying the CSRF protection. In console, it generates entries like: POST http://localhost:8081/cgi-bin/koha/cataloguing/plugin_launcher.pl [HTTP/1.1 403 Forbidden 188ms] Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192 [Bug 36192] [OMNIBUS] CSRF Protection for Koha -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38030 Janusz Kaczmarek <januszop@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38030 --- Comment #1 from Janusz Kaczmarek <januszop@gmail.com> --- Created attachment 172216 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=172216&action=edit Bug 38030: stocknumberAV.pl fails with CSRF protection The value builder stocknumberAV.pl does not work after applying the CSRF protection. In console, it generates entries like: POST http://localhost:8081/cgi-bin/koha/cataloguing/plugin_launcher.pl [HTTP/1.1 403 Forbidden 188ms] Test plan: ========== 1. Modify the MARC bibliographic framework for the default framework by choosing stocknumberAV.pl as plugin for subfield 952 $i. 2. In Authorized values, add a new category 'INVENTORY'. Add a new entry there, e.g. 'ABC', with any number in Description (eg. 123). 3. Find any bibliographic record, make sure it uses the default framework. If not set the framework accordingly. 4. Edit an item linked to this record. Go to the 'i - Inventory number' subfield. You should see three dots on the right. In the input field put ABC and click the three dots. 5. Nothing happens. You can check in the browser console--there should be a message like: POST http://FQDN:8081/cgi-bin/koha/cataloguing/plugin_launcher.pl [HTTP/1.1 403 Forbidden 188ms] 6. Apply the patch; restart_all. Refresh the browser window. 7. Repeat p. 4. You should now get the next sequence number next to the 'ABC' (i.e. ABC 0000000124 or similar). Sponsored-by: Ignatianum University in Cracow -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38030 Janusz Kaczmarek <januszop@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch complexity|--- |Trivial patch CC| |pmis@mnw.art.pl Change sponsored?|--- |Sponsored -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38030 Roman Dolny <roman.dolny@jezuici.pl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38030 Roman Dolny <roman.dolny@jezuici.pl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #172216|0 |1 is obsolete| | --- Comment #2 from Roman Dolny <roman.dolny@jezuici.pl> --- Created attachment 172238 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=172238&action=edit Bug 38030: stocknumberAV.pl fails with CSRF protection The value builder stocknumberAV.pl does not work after applying the CSRF protection. In console, it generates entries like: POST http://localhost:8081/cgi-bin/koha/cataloguing/plugin_launcher.pl [HTTP/1.1 403 Forbidden 188ms] Test plan: ========== 1. Modify the MARC bibliographic framework for the default framework by choosing stocknumberAV.pl as plugin for subfield 952 $i. 2. In Authorized values, add a new category 'INVENTORY'. Add a new entry there, e.g. 'ABC', with any number in Description (eg. 123). 3. Find any bibliographic record, make sure it uses the default framework. If not set the framework accordingly. 4. Edit an item linked to this record. Go to the 'i - Inventory number' subfield. You should see three dots on the right. In the input field put ABC and click the three dots. 5. Nothing happens. You can check in the browser console--there should be a message like: POST http://FQDN:8081/cgi-bin/koha/cataloguing/plugin_launcher.pl [HTTP/1.1 403 Forbidden 188ms] 6. Apply the patch; restart_all. Refresh the browser window. 7. Repeat p. 4. You should now get the next sequence number next to the 'ABC' (i.e. ABC 0000000124 or similar). Sponsored-by: Ignatianum University in Cracow Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38030 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Failed QA CC| |dcook@prosentient.com.au --- Comment #3 from David Cook <dcook@prosentient.com.au> --- The csrf_token needs to go in the body of the POST and not in the URL. If it can't go in the body, then it can go in as a HTTP header. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38030 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=38065 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38030 --- Comment #4 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to David Cook from comment #3)
The csrf_token needs to go in the body of the POST and not in the URL.
If it can't go in the body, then it can go in as a HTTP header.
Why are we POSTing here ? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38030 --- Comment #5 from Janusz Kaczmarek <januszop@gmail.com> --- This particular plugin is changing the content of the database (updating a row in the authorised_values table), if I remember right, so it's OK to POST, IMO. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38030 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38030 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #172238|0 |1 is obsolete| | --- Comment #6 from David Cook <dcook@prosentient.com.au> --- Created attachment 173086 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=173086&action=edit Bug 38030: stocknumberAV.pl fails with CSRF protection The value builder stocknumberAV.pl does not work after applying the CSRF protection. In console, it generates entries like: POST http://localhost:8081/cgi-bin/koha/cataloguing/plugin_launcher.pl [HTTP/1.1 403 Forbidden 188ms] Test plan: ========== 1. Modify the MARC bibliographic framework for the default framework by choosing stocknumberAV.pl as plugin for subfield 952 $i. 2. In Authorized values, add a new category 'INVENTORY'. Add a new entry there, e.g. 'ABC', with any number in Description (eg. 123). 3. Find any bibliographic record, make sure it uses the default framework. If not set the framework accordingly. 4. Edit an item linked to this record. Go to the 'i - Inventory number' subfield. You should see three dots on the right. In the input field put ABC and click the three dots. 5. Nothing happens. You can check in the browser console--there should be a message like: POST http://FQDN:8081/cgi-bin/koha/cataloguing/plugin_launcher.pl [HTTP/1.1 403 Forbidden 188ms] 6. Apply the patch; restart_all. Refresh the browser window. 7. Repeat p. 4. You should now get the next sequence number next to the 'ABC' (i.e. ABC 0000000124 or similar). Sponsored-by: Ignatianum University in Cracow Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl> Signed-off-by: David Cook <dcook@prosentient.com.au> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38030 --- Comment #7 from David Cook <dcook@prosentient.com.au> --- Created attachment 173087 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=173087&action=edit Bug 38030: (QA follow-up) Move csrf_token to POST body from URL Signed-off-by: David Cook <dcook@prosentient.com.au> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38030 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |dcook@prosentient.com.au |y.org | Depends on|36192 | Blocks| |36192 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192 [Bug 36192] [OMNIBUS] CSRF Protection for Koha -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38030 --- Comment #8 from David Cook <dcook@prosentient.com.au> --- (In reply to Janusz Kaczmarek from comment #5)
This particular plugin is changing the content of the database (updating a row in the authorised_values table), if I remember right, so it's OK to POST, IMO.
That's true -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38030 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|minor |normal -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38030 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)| |24.11.00 released in| | Status|Passed QA |Pushed to main -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38030 --- Comment #9 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Pushed for 24.11! Well done everyone, thank you! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38030 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lucas@bywatersolutions.com --- Comment #10 from Lucas Gass (lukeg) <lucas@bywatersolutions.com> --- I don't see the follow up commit in main. Am I missing something? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38030 --- Comment #11 from Janusz Kaczmarek <januszop@gmail.com> --- (In reply to Lucas Gass (lukeg) from comment #10)
I don't see the follow up commit in main. Am I missing something?
Indeed. Me neither. @Katrin, would you be able to double check it? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38030 --- Comment #12 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Picked the follow-up for main. Thanks! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38030 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)|24.11.00 |24.11.00,24.05.06 released in| | Status|Pushed to main |Pushed to stable --- Comment #13 from Lucas Gass (lukeg) <lucas@bywatersolutions.com> --- Backported to 24.05.x for upcoming 24.05.06 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38030 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to stable |Pushed to oldstable -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38030 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to oldstable |Needs documenting CC| |fridolin.somers@biblibre.co | |m --- Comment #14 from Fridolin Somers <fridolin.somers@biblibre.com> --- Not for 23.11.x -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38030 Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED CC| |caroline.cyr-la-rose@inlibr | |o.com Status|Needs documenting |RESOLVED --- Comment #15 from Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com> --- Big fix, nothing to add/edit in the manual. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org