[Koha-bugs] [Bug 21325] Prevent authentication when sending userid and password via querystring parameters
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

Jonathan Druart changed:
What | Removed | Added
Blocks | | 28660

Referenced Bugs:
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28660
[Bug 28660] Self checkout is not automatically logging in

-- 
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

--- Comment #19 from Katrin Fischer ---
(In reply to Fridolin Somers from comment #18)
> I propose we don't backport to stable branches to avoid breaking existing
> authentications.

I agree, this could block libraries depending on it from getting other bugfixes. Better to give them a little bit of time.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

Fridolin Somers changed:
What | Removed | Added
CC | | fridolin.som...@biblibre.com

--- Comment #18 from Fridolin Somers ---
I propose we don't backport to stable branches to avoid breaking existing authentications.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

Jonathan Druart changed:
What | Removed | Added
Keywords | release-notes-needed |
CC | | jonathan.dru...@bugs.koha-community.org
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

--- Comment #17 from David Cook ---
(In reply to Nick Clemens from comment #16)
> Should we do the same for svc scripts?
> https://wiki.koha-community.org/wiki/Koha_/svc/_HTTP_API#GET_.2Fsvc.2Fbib.2F.24biblio

It would probably be a good idea although more likely to break things.

I suppose we should actually double-check all instances of checkpw(). They're in checkauth() but also check_api_auth and a few other places like C4/ILSDI/Services.pm, opac/sco/sco-main.pl, etc.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

Nick Clemens changed:
What | Removed | Added
CC | | n...@bywatersolutions.com

--- Comment #16 from Nick Clemens ---
Should we do the same for svc scripts?
https://wiki.koha-community.org/wiki/Koha_/svc/_HTTP_API#GET_.2Fsvc.2Fbib.2F.24biblio
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

--- Comment #15 from David Cook ---
*** Bug 27199 has been marked as a duplicate of this bug. ***
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

David Cook changed:
What | Removed | Added
See Also | | https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27199
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

David Cook changed:
What | Removed | Added
Text to go in the release notes | | This change may break custom or creative (yet insecure) authentication integration using GET requests. These auth requests do not exist in Koha, but they may be used by extensions, customizations, or clever end users.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

--- Comment #14 from David Cook ---
(In reply to Katrin Fischer from comment #13)
> I assume we should add something to the release notes about this as it might
> be a breaking change for some customizations?

Not only customization but also creative authentication by end users. See Bug 27305. Nico was very creative using the querystring to authenticate Google Calendar with Koha. I originally worked on this to stop him from being able to do that, although I feel bad that we don't have a ready feature to replace it for him.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

David Cook changed:
What | Removed | Added
See Also | | https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27305
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

Katrin Fischer changed:
What | Removed | Added
Keywords | | release-notes-needed

--- Comment #13 from Katrin Fischer ---
I assume we should add something to the release notes about this as it might be a breaking change for some customizations?
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

--- Comment #12 from Jonathan Druart ---
Pushed to master for 21.05, thanks to everybody involved!
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

Jonathan Druart changed:
What | Removed | Added
Status | Passed QA | Pushed to master
Version(s) released in | | 21.05.00
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

--- Comment #11 from Jonathan Druart ---
Created attachment 119721
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=119721&action=edit
Bug 21325: Add tests
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

Marcel de Rooy changed:
What | Removed | Added
QA Contact | testo...@bugs.koha-community.org | m.de.r...@rijksmuseum.nl

--- Comment #10 from Marcel de Rooy ---
Few minor questions/remarks:

Should we add a warn close to the POST test when we encounter a GET request (or even another)? Or silently ignore like we do now?

(out of scope) While glancing through Auth, I was surprised that we do not seem to check if the password is not empty. We always pass it to checkpw.

You touched the test, but did not add tests. I think the benefits of this small change outweigh the lack of new tests. Let's see if RM thinks so too.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

Marcel de Rooy changed:
What | Removed | Added
Attachment #119601 is obsolete | 0 | 1

--- Comment #9 from Marcel de Rooy ---
Created attachment 119698
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=119698&action=edit
Bug 21325: Fix t/db_dependent/Auth.t test

This patch fixes some warnings in t/db_dependent/Auth.t. Note that it doesn't add any tests.

Signed-off-by: Owen Leonard
Signed-off-by: Marcel de Rooy
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

Marcel de Rooy changed:
What | Removed | Added
Attachment #119600 is obsolete | 0 | 1

--- Comment #8 from Marcel de Rooy ---
Created attachment 119697
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=119697&action=edit
Bug 21325: Prevent authentication when sending userid and password in querystring

This patch permits authentication via userid/password only when the HTTP method is POST when using C4::Auth::checkauth().

The goal is to stop people from supplying userid and password in querystrings in order to log into web pages.

Test plan:
0. Do not apply patch yet
1. Open a new browser (ie we don't want any existing CGISESSID cookies available - opening a new tab/window isn't enough. It must be a new instance or you can clear your cookies)
2. Go to http://localhost:8080/cgi-bin/koha/opac-reserve.pl?biblionumber=29&userid=koha&password=koha
3. Note the user has been logged in and is being asked to confirm hold.
4. Apply the patch
5. Go to http://localhost:8080/cgi-bin/koha/opac-reserve.pl?biblionumber=29&userid=koha&password=koha
6. Note the user is not logged in and the user is presented with a login screen

Signed-off-by: Owen Leonard
Signed-off-by: Marcel de Rooy
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

Marcel de Rooy changed:
What | Removed | Added
Status | BLOCKED | Passed QA
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

Marcel de Rooy changed:
What | Removed | Added
Status | Signed Off | BLOCKED

--- Comment #7 from Marcel de Rooy ---
QA: Looking here
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

--- Comment #6 from Owen Leonard ---
Created attachment 119601
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=119601&action=edit
Bug 21325: Fix t/db_dependent/Auth.t test

This patch fixes some warnings in t/db_dependent/Auth.t. Note that it doesn't add any tests.

Signed-off-by: Owen Leonard
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

Owen Leonard changed:
What | Removed | Added
Attachment #114695 is obsolete | 0 | 1
Attachment #114696 is obsolete | 0 | 1

--- Comment #5 from Owen Leonard ---
Created attachment 119600
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=119600&action=edit
Bug 21325: Prevent authentication when sending userid and password in querystring

This patch permits authentication via userid/password only when the HTTP method is POST when using C4::Auth::checkauth().

The goal is to stop people from supplying userid and password in querystrings in order to log into web pages.

Test plan:
0. Do not apply patch yet
1. Open a new browser (ie we don't want any existing CGISESSID cookies available - opening a new tab/window isn't enough. It must be a new instance or you can clear your cookies)
2. Go to http://localhost:8080/cgi-bin/koha/opac-reserve.pl?biblionumber=29&userid=koha&password=koha
3. Note the user has been logged in and is being asked to confirm hold.
4. Apply the patch
5. Go to http://localhost:8080/cgi-bin/koha/opac-reserve.pl?biblionumber=29&userid=koha&password=koha
6. Note the user is not logged in and the user is presented with a login screen

Signed-off-by: Owen Leonard
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

Owen Leonard changed:
What | Removed | Added
Status | Needs Signoff | Signed Off
Patch complexity | --- | Trivial patch
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

David Cook changed:
What | Removed | Added
Assignee | koha-b...@lists.koha-community.org | dc...@prosentient.com.au
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

--- Comment #4 from David Cook ---
It's a quick and dirty patch, but it works.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

--- Comment #3 from David Cook ---
Created attachment 114696
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=114696&action=edit
Bug 21325: Fix t/db_dependent/Auth.t test

This patch fixes some warnings in t/db_dependent/Auth.t. Note that it doesn't add any tests.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

--- Comment #2 from David Cook ---
Created attachment 114695
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=114695&action=edit
Bug 21325: Prevent authentication when sending userid and password in querystring

This patch permits authentication via userid/password only when the HTTP method is POST when using C4::Auth::checkauth().

The goal is to stop people from supplying userid and password in querystrings in order to log into web pages.

Test plan:
0. Do not apply patch yet
1. Open a new browser (ie we don't want any existing CGISESSID cookies available - opening a new tab/window isn't enough. It must be a new instance or you can clear your cookies)
2. Go to http://localhost:8080/cgi-bin/koha/opac-reserve.pl?biblionumber=29&userid=koha&password=koha
3. Note the user has been logged in and is being asked to confirm hold.
4. Apply the patch
5. Go to http://localhost:8080/cgi-bin/koha/opac-reserve.pl?biblionumber=29&userid=koha&password=koha
6. Note the user is not logged in and the user is presented with a login screen
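The patch described above (comment #2, re-attached in comments #5 and #8) gates the userid/password path in C4::Auth::checkauth() on the HTTP method. The following is an added, stand-alone Perl example of that gate, written for this page; it is not Koha's code and it does not reproduce the patch. The request-hash shape, parse_form() and credentials_for_login() are illustrative names, and the sample requests are constructed to mirror the test plan. It goes one step beyond the patch by also refusing an empty userid or password before any password check, the point Marcel raises as out of scope in comment #10.

```perl
#!/usr/bin/perl
# Added example, not Koha code. Illustrates a method-aware credential gate of
# the kind bug 21325 adds to C4::Auth::checkauth(). Function names and the
# request-hash layout are assumptions made for this example.
use strict;
use warnings;

# Minimal application/x-www-form-urlencoded decoder using core Perl only.
sub parse_form {
    my ($raw) = @_;
    my %params;
    for my $pair ( split /&/, ( $raw // '' ) ) {
        my ( $k, $v ) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        for ( $k, $v ) {
            next unless defined;
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        $params{$k} = $v // '';
    }
    return \%params;
}

# Decide whether a request may be used for a userid/password login.
# $req is { method => 'GET'|'POST', query => QUERY_STRING, body => request body }.
# Returns { userid => ..., password => ... } to hand to a password check, or
# undef when the credentials must be ignored and the caller should fall
# through to the normal login screen.
sub credentials_for_login {
    my ($req) = @_;

    # The fix: only a POST may carry a password. Before the patch a GET with
    # ?userid=...&password=... logged the user in (test plan, step 3).
    return unless uc( $req->{method} // '' ) eq 'POST';

    # Read credentials from the POSTed body only. The query string of a POST
    # is deliberately not consulted, so ?password= on a POST URL is ignored
    # too and the password never lands in access logs or browser history.
    my $form = parse_form( $req->{body} );
    my ( $userid, $password ) = ( $form->{userid}, $form->{password} );

    # Beyond the patch (assumption, cf. comment #10): refuse empty values here
    # instead of passing them on to the password check.
    return
        unless defined $userid   && length $userid
            && defined $password && length $password;

    return { userid => $userid, password => $password };
}

# Constructed sample requests mirroring the test plan; not captured traffic.
my @samples = (
    { label  => 'GET with credentials in the query string',
      method => 'GET',  query => 'biblionumber=29&userid=koha&password=koha', body => '' },
    { label  => 'POST with credentials in the body',
      method => 'POST', query => 'biblionumber=29', body => 'userid=koha&password=koha' },
    { label  => 'POST with credentials only in the query string',
      method => 'POST', query => 'userid=koha&password=koha', body => 'biblionumber=29' },
    { label  => 'POST with an empty password',
      method => 'POST', query => '', body => 'userid=koha&password=' },
);

for my $req (@samples) {
    my $creds = credentials_for_login($req);
    printf "%-48s => %s\n", $req->{label},
        $creds ? "attempt password login for '$creds->{userid}'"
               : "no credential login attempted";
}
```

Only the second sample reaches a password check; the GET is rejected exactly as in steps 5 and 6 of the test plan, and the third sample shows why reading the body rather than a merged parameter set matters. The same gate belongs in front of every call site of checkpw() that David lists in comment #17 (check_api_auth, C4/ILSDI/Services.pm, opac/sco/sco-main.pl), not only checkauth(), if the goal is to keep passwords out of URLs everywhere.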
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

David Cook changed:
What | Removed | Added
Status | NEW | Needs Signoff
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325

David Cook changed:
What | Removed | Added
Summary | Should we still allow user and password via GET parameters? | Prevent authentication when sending userid and password via querystring parameters