https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37887
Bug ID: 37887
Summary: OPAC password recovery needs to use a cud- op while POSTing new password
Change sponsored?: ---
Product: Koha
Version: Main
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P3
Component: OPAC
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
Depends on: 36192
Blocks: 37728
The intention of the CSRF protection from bug 36192 was that any form that used
method="post" would have to have a param named 'op' which started with 'cud-'
but the test that verifies they do missed the case of a template with more than
one form. Bug 37728 corrects that, but to land, the things that currently fail
the test need to be fixed.
In opac-password-recovery.tt that's the fairly critical step where the user
sets a new password. Luckily, getting there requires the uniqueKey that's sent
in the recovery email, and if someone has access to that you've already lost
the game, so it's not really a security issue, just something that needs to be
fixed.
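As an added illustration of the convention this bug is about (not Koha's own test code), the check below scans a template for every method="post" form and flags any whose 'op' value does not start with 'cud-'. The template excerpt is constructed to resemble opac-password-recovery.tt with two POST forms, the second lacking a cud- op, which is exactly the multi-form case a first-form-only check misses; the regex parsing is a simplification of whatever the real test does.

```python
import re

# Constructed sample modelled on a Koha .tt template containing two POST forms.
# Form 0 is compliant; form 1 (the set-new-password step) still uses a bare op.
SAMPLE_TT = """
<form method="post" action="/cgi-bin/koha/opac-password-recovery.pl">
  [% INCLUDE 'csrf-token.inc' %]
  <input type="hidden" name="op" value="cud-sendEmail" />
  <input type="text" name="email" />
</form>
<form method="post" action="/cgi-bin/koha/opac-password-recovery.pl">
  [% INCLUDE 'csrf-token.inc' %]
  <input type="hidden" name="uniqueKey" value="[% uniqueKey | html %]" />
  <input type="hidden" name="op" value="update" />
  <input type="password" name="password" />
</form>
"""

FORM_RE = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.IGNORECASE | re.DOTALL)
METHOD_POST_RE = re.compile(r"""method\s*=\s*["']?post["']?""", re.IGNORECASE)
INPUT_RE = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*["']([^"']*)["']""")


def op_value(form_body):
    """Return the value of the <input name="op"> inside a form body, or None."""
    for tag in INPUT_RE.findall(form_body):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("name") == "op":
            return attrs.get("value")
    return None


def post_forms_missing_cud_op(template):
    """List (form_index, op_value) for every POST form whose op lacks 'cud-'."""
    failures = []
    for idx, m in enumerate(FORM_RE.finditer(template)):
        attrs, body = m.group(1), m.group(2)
        if not METHOD_POST_RE.search(attrs):
            continue  # GET forms are not subject to the cud- rule
        value = op_value(body)
        if value is None or not value.startswith("cud-"):
            failures.append((idx, value))
    return failures


def first_form_only_check(template):
    """The incomplete approach: inspect only the first form in the template."""
    m = FORM_RE.search(template)
    if m is None or not METHOD_POST_RE.search(m.group(1)):
        return []
    value = op_value(m.group(2))
    return [] if value and value.startswith("cud-") else [(0, value)]
```

Run against the sample, the per-form check reports form 1 with op "update", while the first-form-only check reports nothing.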
Referenced Bugs:
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192
[Bug 36192] [OMNIBUS] CSRF Protection for Koha
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37728
[Bug 37728] More "op" are missing in POSTed forms
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs