[Koha-bugs] [Bug 21325] Prevent authentication when sending userid and password via querystring parameters
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Wed Apr 14 21:04:30 CEST 2021
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325
Owen Leonard <oleonard at myacpl.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #114695|0 |1
is obsolete| |
Attachment #114696|0 |1
is obsolete| |
--- Comment #5 from Owen Leonard <oleonard at myacpl.org> ---
Created attachment 119600
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=119600&action=edit
Bug 21325: Prevent authentication when sending userid and password in
querystring
This patch permits authentication via userid/password only when the
HTTP method is POST when using C4::Auth::checkauth().
The goal is to stop people from supplying userid and password in querystrings
in order to log into web pages.
Test plan:
0. Do not apply patch yet
1. Open a new browser (ie we don't want any existing CGISESSID cookies
available - opening a new tab/window isn't enough. It must be a
new instance or you can clear your cookies)
2. Go to
http://localhost:8080/cgi-bin/koha/opac-reserve.pl?biblionumber=29&userid=koha&password=koha
3. Note the user has been logged in and is being asked to confirm hold.
4. Apply the patch
5. Go to
http://localhost:8080/cgi-bin/koha/opac-reserve.pl?biblionumber=29&userid=koha&password=koha
6. Note the user is not logged in and the user is presented with a login screen
Signed-off-by: Owen Leonard <oleonard at myacpl.org>
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list