[Koha-bugs] [Bug 7550] Self checkout: limit display of patron image to logged-in patron
bugzilla-daemon at bugs.koha-community.org
Tue Apr 18 14:18:27 CEST 2017
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7550
Marc Véron <veron at veron.ch> changed:
What              |Removed |Added
----------------------------------------------------------------------------
Attachment #62271 |0       |1
is obsolete       |        |
--- Comment #5 from Marc Véron <veron at veron.ch> ---
Created attachment 62272
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62272&action=edit
Bug 7550 - Self checkout: limit display of patron image to logged-in patron
The patron image display in the self-checkout takes a GET parameter from the
image source, so if someone copied the image location and substituted the
barcode string they could browse through all patron images:
<img alt="" src="/cgi-bin/koha/sco/sco-patron-image.pl?borrowernumber=XXXX">
To reproduce:
- Enable self checkout, go to [Your Server]/cgi-bin/koha/sco/sco-main.pl
- Log in with a user 'A' who has a patron image
- Copy the address of the patron image into another browser window
- Change the borrowernumber to one of another user 'B' having a patron image
- Verify that the patron image is displayed
To test:
- Apply patch, restart plack / memcached
- Try to reproduce
- Verify that you can no longer display the image of user 'B' by
tweaking the image address
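The access-control defect the comment describes, shown as an added illustration in Python rather than Koha's own Perl code: a handler that trusts the borrowernumber query parameter beside one that binds the served image to the authenticated self-checkout session. The Session class, PATRON_IMAGES table and handler names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed sample data standing in for the patron image table,
# keyed by borrowernumber.
PATRON_IMAGES: Dict[int, bytes] = {
    1001: b"JPEG-bytes-of-patron-A",
    1002: b"JPEG-bytes-of-patron-B",
}


@dataclass
class Session:
    """The patron who authenticated to the self-checkout (hypothetical)."""
    borrowernumber: int


def serve_image_vulnerable(session: Session, query: Dict[str, str]) -> Tuple[int, bytes]:
    """Before the fix: the image returned is whatever borrowernumber the
    query string names. The session is never consulted, so any logged-in
    patron can walk the id space and view every stored image (an IDOR)."""
    try:
        wanted = int(query.get("borrowernumber", "0"))
    except ValueError:
        return 400, b""
    image = PATRON_IMAGES.get(wanted)
    return (200, image) if image is not None else (404, b"")


def serve_image_fixed(session: Session, query: Dict[str, str]) -> Tuple[int, bytes]:
    """After the fix: the authoritative identity is the session, not the URL.
    A borrowernumber parameter that does not match the logged-in patron is
    refused, so tweaking the image address no longer reaches other patrons."""
    requested = query.get("borrowernumber")
    if requested is not None:
        try:
            if int(requested) != session.borrowernumber:
                return 403, b""
        except ValueError:
            return 400, b""
    # Look the image up by the session's own borrowernumber only.
    image = PATRON_IMAGES.get(session.borrowernumber)
    return (200, image) if image is not None else (404, b"")
```

Logging the 403 branch with the session and requested ids gives a cheap detection signal for id-tweaking attempts against the endpoint.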