https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37785
Bug ID: 37785
Summary: Remove dead code in tools/letter.tt that looks like a form that would POST without an op
Change sponsored?: ---
Product: Koha
Version: Main
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P3
Component: Tools
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
Depends on: 36192
Blocks: 37728
We intend not to have forms with method="post" without an op variable (so we
can check that the op starts with "cud-" as part of the CSRF protection), but
because of bug 37728 some were missed.
In tools/letter.tt that's two forms,
https://git.koha-community.org/Koha-community/Koha/src/commit/4f524635516325bfe6b56ddf96476c03086956b6/koha-tmpl/intranet-tmpl/prog/en/modules/tools/letter.tt#L552
which is shown IF ( add_validate or copy_validate) and one a bit further down
at #L594 which is shown IF ( delete_confirmed ).
To someone who knows how our templates work, that would sound like either the
op which wants to show them would be add_validate or copy_validate or
delete_confirmed, or more likely in the current era it would be
cud-add_validate etc., which either sets the param add_validate, or was broken
by the change to cud-ops.
These two are different, though. If you look back through blame history for
every change to letter.pl for the ops in question, they have never, ever, let
their op be defined for a template to show a confirmation message. Currently
they do "$op = q{}; # we return to the default screen for the next operation",
if you go back to the dawn of time, prior to rel_3_0 moved to HEAD, they
started out doing "print $input->redirect("letter.pl");".
I'd like to have a better term than "dead code" for something which has been
unreachable since it was copy-pasted from some other template, but I can't come
up with an inoffensive one.
Referenced Bugs:
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192
[Bug 36192] [OMNIBUS] CSRF Protection for Koha
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37728
[Bug 37728] More "op" are missing in POSTed forms
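The convention the report relies on (every POSTed form carries an op that starts with "cud-") is easy to check mechanically. This is an added example, not Koha's own tooling: a small linter that scans template text for <form method="post"> blocks and reports those whose hidden op input is missing or not cud-prefixed. The sample template, the function names and the status strings are all constructed for the example.

```python
import re

# Added example, not Koha's own code: flag <form method="post"> blocks whose
# hidden "op" input is absent or does not start with "cud-" (the convention
# the report describes), to spot forms like the unreachable ones in letter.tt.
FORM_RE = re.compile(r"(<form\b[^>]*>)(.*?)</form>", re.IGNORECASE | re.DOTALL)
POST_RE = re.compile(r"""\bmethod\s*=\s*["']?post["']?""", re.IGNORECASE)
INPUT_RE = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
NAME_OP_RE = re.compile(r"""\bname\s*=\s*["']op["']""", re.IGNORECASE)
VALUE_RE = re.compile(r"""\bvalue\s*=\s*["']([^"']*)["']""", re.IGNORECASE)

def op_value(form_body):
    """Value of the first <input name="op"> in the form body, or None if absent."""
    for tag in INPUT_RE.findall(form_body):
        if NAME_OP_RE.search(tag):
            m = VALUE_RE.search(tag)
            return m.group(1) if m else ""
    return None

def lint_template(text):
    """Return (line, status) per POST form; GET forms are not subject to the check."""
    findings = []
    for m in FORM_RE.finditer(text):
        if not POST_RE.search(m.group(1)):
            continue
        line = text.count("\n", 0, m.start()) + 1  # 1-based line of the <form> tag
        op = op_value(m.group(2))
        if op is None:
            status = "missing-op"
        else:
            status = "ok" if op.startswith("cud-") else "bad-op"
        findings.append((line, status))
    return findings

# Constructed sample: a POST form with no op at all (the shape the report calls
# dead code), a GET form, a correct cud- form, and an op lacking the prefix.
SAMPLE = """[% IF ( add_validate ) %]
<form method="post" action="letter.pl">
  <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
</form>
[% END %]
<form method="get" action="letter.pl"><input name="q" /></form>
<form action="letter.pl" method="POST">
  <input type="hidden" name="op" value="cud-add_validate" />
</form>
<form method="post" action="letter.pl">
  <input type="hidden" value="delete" name="op" />
</form>
"""
```

Running `lint_template(SAMPLE)` yields one "missing-op" finding for the first form, "ok" for the cud- form and "bad-op" for the last; a "missing-op" hit inside an IF block whose flag the controller never sets is the dead-code case the report describes.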