[Koha-bugs] [Bug 7550] Self checkout: limit display of patron image to logged-in patron

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Tue Apr 18 15:18:37 CEST 2017


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7550

Owen Leonard <oleonard at myacpl.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #62272|0                           |1
        is obsolete|                            |

--- Comment #6 from Owen Leonard <oleonard at myacpl.org> ---
Created attachment 62289
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=62289&action=edit
[SIGNED-OFF] Bug 7550 - Self checkout: limit display of patron image to
logged-in patron

The patron image display in the self-checkout takes a GET parameter from
the image source, so if someone copied the image location and
substituted the barcode string they could browse through all patron
images:

<img alt="" src="/cgi-bin/koha/sco/sco-patron-image.pl?borrowernumber=XXXX">

To reproduce:
- Enable self checkout, go to [Your Server]/cgi-bin/koha/sco/sco-main.pl
- Log in with a user 'A' who has a patron image
- Copy the address of the patron image into another browser window
- Change the borrowernumber to one of another user 'B' having a patron
  image
- Verify that the patron image is displayed

To test:
- Apply patch, restart plack / memcached
- Try to reproduce
- Verify that you can no longer display the image of user 'B' by
  tweaking the image address

Signed-off-by: Owen Leonard <oleonard at myacpl.org>

https://bugs.koha-community.org/show_bug.cgi?id=7750
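The defect and its fix, modelled as an added example that is not Koha's code: a minimal stand-in for the self-checkout patron-image handler, once in the vulnerable shape (the borrowernumber comes from the query string) and once in the fixed shape (the image served is always the logged-in patron's own). Session ids, borrowernumbers, image bytes and the handler names are constructed for the illustration.

```python
# Added model of the sco-patron-image.pl authorization bug; not Koha's code.
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample data: patron images keyed by borrowernumber, and
# self-checkout sessions keyed by session id, each bound to the patron
# who logged in. Values are placeholders, not real Koha records.
PATRON_IMAGES: Dict[int, Optional[bytes]] = {
    101: b"JPEG-BYTES-FOR-PATRON-A",  # user 'A' has a patron image
    202: b"JPEG-BYTES-FOR-PATRON-B",  # user 'B' has a patron image
    303: None,                        # user 'C' is a patron with no image
}
SESSIONS: Dict[str, int] = {"sess-a": 101, "sess-c": 303}  # 'B' not logged in


@dataclass
class Response:
    status: int
    body: bytes = b""


def patron_image_before(session_id: str, query: Dict[str, str]) -> Response:
    """Vulnerable shape: trusts the borrowernumber supplied in the URL."""
    if session_id not in SESSIONS:
        return Response(401)
    try:
        borrowernumber = int(query.get("borrowernumber", ""))
    except ValueError:
        return Response(400)
    image = PATRON_IMAGES.get(borrowernumber)
    return Response(200, image) if image else Response(404)


def patron_image_after(session_id: str, query: Dict[str, str]) -> Response:
    """Fixed shape: the borrowernumber is taken from the session, never from
    the query string, so a tweaked URL can only ever return the caller's own
    image (or 404 when the caller has none)."""
    borrowernumber = SESSIONS.get(session_id)
    if borrowernumber is None:
        return Response(401)
    image = PATRON_IMAGES.get(borrowernumber)
    return Response(200, image) if image else Response(404)


def leaks_other_patron_image(handler: Callable[..., Response]) -> bool:
    """Regression check mirroring the bug's test plan: logged in as 'A',
    request 'B''s borrowernumber and report whether 'B''s image comes back."""
    resp = handler("sess-a", {"borrowernumber": "202"})
    return resp.status == 200 and resp.body == PATRON_IMAGES[202]
```

The check function is the kind of assertion worth keeping in a test suite so the parameter is not quietly reintroduced later.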
