[Koha-patches] [PATCH] C4/Auth.pm: $session->param('id') should be checked before being compared.

Sébastien Hinderer Sebastien.Hinderer at snv.jussieu.fr
Tue Sep 29 10:41:28 CEST 2009


LAURENT Henri-Damien (2009/09/29 10:23 +0200):
> Sébastien Hinderer wrote:
> > Without this check, a warning is printed to syslog when one visits an
> > URL such as
> > http://intranet/cgi-bin/koha/cataloguing/additem.pl?biblionumber=3000
> > without being logged in.
> >
> Is it not the expected behaviour?
> 
> In my opinion, in that case, it can be a security failure or issue. You 
> HAVE to log that.

It's true that it is for testing that I found it useful to access this
URL directly. That being said:

(1) even on a production system it happens that being able to enter the
URL of a page to visit (with the biblionumber included) turns out to be
useful. Moreover, this warning apart Koha behaves as it should: it
requires the user to log in, which is just fine. So no security problem
here.

(2) If you really want something to be logged, then perhaps it should be
something more relevant, because this Perl warning about a string not
being defined during a string comparison is not very explicit and can't
IMO help admins to detect potential security problems.

Sébastien.
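To make the point of the thread concrete, here is an added illustration (not the Koha patch itself, and not Koha code): a stand-in `FakeSession` object with a `param()` method is assumed in place of the real session object, and two comparison routines show that an unguarded `eq` against an undefined `id` only produces Perl's "Use of uninitialized value" warning, while a `defined` guard yields the same "no match" outcome silently. The warning is captured with a `__WARN__` handler so the difference is visible in the output.

```perl
#!/usr/bin/perl
# Added illustration (not Koha code): why comparing an undefined session
# parameter emits a Perl warning, and how a defined() guard avoids it.
use strict;
use warnings;

# Hypothetical minimal stand-in for the session object; only param() is
# modelled. The real object in Koha is assumed to behave the same way here.
package FakeSession;
sub new   { my ($class, %p) = @_; return bless {%p}, $class; }
sub param { my ($self, $name) = @_; return $self->{$name}; }

package main;

# Unguarded comparison: 'eq' on undef triggers the warning
# "Use of uninitialized value in string eq" under 'use warnings'.
sub session_matches_unguarded {
    my ($session, $userid) = @_;
    return $session->param('id') eq $userid ? 1 : 0;
}

# Guarded comparison: check that the parameter is defined first, so an
# anonymous visitor yields a clean "no match" without any warning.
sub session_matches_guarded {
    my ($session, $userid) = @_;
    my $id = $session->param('id');
    return (defined $id && $id eq $userid) ? 1 : 0;
}

# Run a comparison while capturing every warning it emits.
sub run_with_warning_capture {
    my ($code) = @_;
    my @warnings;
    local $SIG{__WARN__} = sub { push @warnings, $_[0] };
    my $result = $code->();
    return ($result, \@warnings);
}

# Constructed sessions: one anonymous (no 'id' set), one logged in.
my $anonymous = FakeSession->new();
my $logged_in = FakeSession->new(id => 'koha_admin');

for my $case (['unguarded', \&session_matches_unguarded],
              ['guarded',   \&session_matches_guarded]) {
    my ($label, $fn) = @$case;

    my ($res, $warns) = run_with_warning_capture(
        sub { $fn->($anonymous, 'koha_admin') });
    printf "%-9s anonymous: match=%d warnings=%d\n",
        $label, $res, scalar @$warns;
    print "  $_" for @$warns;

    ($res, $warns) = run_with_warning_capture(
        sub { $fn->($logged_in, 'koha_admin') });
    printf "%-9s logged-in: match=%d warnings=%d\n",
        $label, $res, scalar @$warns;
}
```

Both routines return 0 for the anonymous session and 1 for the logged-in one; only the unguarded form adds a warning for the anonymous case, which is exactly the syslog noise the patch removes without changing the login requirement.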
