[koha-commits] main Koha release repository branch 19.11.x updated. v19.11.11-35-gf287fdfd81

Git repo owner gitmaster at git.koha-community.org
Tue Nov 24 01:39:29 CET 2020


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 19.11.x has been updated
       via  f287fdfd81a2b0c1868c7d089b99ffee4d2e62b3 (commit)
      from  321afcfe745e1423f106bfa435e452191c4a7fd7 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f287fdfd81a2b0c1868c7d089b99ffee4d2e62b3
Author: Fridolin Somers <fridolin.somers at biblibre.com>
Date:   Tue Nov 3 09:19:34 2020 +0100

    Bug 26904: OPAC password recovery allows regexp in email
    
    When using the OPAC password recovery form, opac/opac-password-recovery.pl:
    if one provides a correct login and an email, there is a check that this email is one of the patron's.
    
    This check uses a case-insensitive RegExp:
      if ( $email && !( any { /^$email$/i } @emails ) )
    
    This is a security issue since one can simply enter '.*'.
    Severity is normal because the login must be correct.
    
    I propose to use simple string compare with lowercase to be case insensitive.
    
    Test plan:
    1) Don't apply patch
    2) Enable system preference 'OpacResetPassword'
    3) Go to 'OPAC > Log in to your account > Forgot your password?'
    4) Enter an existing userid or cardnumber and '.*' in 'Email'
    5) The password recovery is created! (check table 'borrower_password_recovery')
    6) Apply patch
    7) Enter an existing userid or cardnumber and '.*' in 'Email'
    8) You get the message 'No account was found with the provided information.'
    9) Enter an existing userid or cardnumber and in 'Email' the corresponding email but with different case
    10) The password recovery is created (check table 'borrower_password_recovery')
    
    Signed-off-by: Nick Clemens <nick at bywatersolutions.com>
    Signed-off-by: Julian Maurice <julian.maurice at biblibre.com>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
    (cherry picked from commit 904e926ba0f407b24aa3d94be5afe37b5e3ec075)
    
    Signed-off-by: Lucas Gass <lucas at bywatersolutions.com>
    (cherry picked from commit 57a9bf3ef2e4f25227a10f16cec7fb34e162199e)
    
    Signed-off-by: Aleisha Amohia <aleishaamohia at hotmail.com>

-----------------------------------------------------------------------

Summary of changes:
 opac/opac-password-recovery.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
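The vulnerable check quoted in the commit message, placed beside the string comparison the commit proposes, as an added stand-alone example (not the Koha source and not the patch itself). The patron addresses and the `email_matches_*` helper names are constructed for illustration; the real script keeps its own variable names.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use List::Util qw(any);    # assumption: core List::Util 'any', not the module Koha imports

# Constructed sample: the e-mail addresses on file for one patron.
my @emails = ( 'Patron.Name@Example.org', 'other@example.org' );

# Before the patch: the submitted value is interpolated into a regex, so any
# metacharacter it contains becomes part of the pattern instead of being
# compared literally. '.*' therefore matches every address on file.
sub email_matches_regex {
    my ( $email, @on_file ) = @_;
    return 0 unless $email;
    return ( any { /^$email$/i } @on_file ) ? 1 : 0;
}

# After the patch: lowercase both sides and compare as plain strings. Case
# insensitivity is preserved and nothing the user submits is treated as a
# pattern, so only an exact (case-folded) address on file is accepted.
sub email_matches_string {
    my ( $email, @on_file ) = @_;
    return 0 unless $email;
    my $wanted = lc $email;
    return ( any { lc($_) eq $wanted } @on_file ) ? 1 : 0;
}

# Walk the three inputs from the test plan: the wildcard, the real address in
# a different case, and an unrelated address.
for my $input ( '.*', 'patron.name@example.org', 'nobody@example.org' ) {
    printf "%-28s regex:%d  string:%d\n", "'$input'",
        email_matches_regex( $input, @emails ),
        email_matches_string( $input, @emails );
}
```

Run as `perl example.pl`: the wildcard row reports `regex:1 string:0`, the differently cased real address reports `1 1`, and the unrelated address reports `0 0`, matching steps 5, 8 and 10 of the test plan.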


hooks/post-receive
-- 
main Koha release repository