https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42719
--- Comment #5 from David Cook <[email protected]> ---

(In reply to David Cook from comment #4)
> (In reply to Tomás Cohen Arazi (tcohen) from comment #3)
> > Bug 40736 makes the condition display a nicer message. This one goes further
> > by implementing this missing flow.
>
> Sounds good to me! I can't think of any reason why you wouldn't want to do
> that. I'll make a note to return to this. Happy to QA if someone else signs
> off.

Hmm, back on https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40736#c9 I said that this idea of creating a session where it's missing would be a CSRF vulnerability.

I was probably thinking that a phisher could cause someone to do a GET to http://localhost:8080/api/v1/public/oauth/login/test/opac which would then yield a state change (i.e. a login) if they were already authenticated with the IdP. At that point then, they could try to exploit an XSS attack or further CSRF...

I'm not sure how viable that is, but I think that's probably what my thought process was.

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
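The concern raised in the comment above is a login-CSRF variant: if the OAuth callback will happily create a session for whoever lands on it, a cross-site GET can complete a login the user never started. The standard mitigation is to bind the OAuth `state` value to the browser session that initiated the flow and to refuse the callback unless that session is presented together with a matching, unused `state`. The following is an added illustration of that check, not Koha's code (Koha is written in Perl; Python is used here only so the example runs stand-alone). The session store, the `https://idp.example` authorization URL, and the `FAKE_IDP_CODES` code-to-user table are constructed for the demonstration.

```python
import hmac
import secrets
from typing import Optional, Tuple

# Constructed in-memory session store: session_id -> {"user": ..., "oauth_state": ...}
SESSIONS: dict = {}

# Constructed stand-in for the IdP token endpoint: authorization code -> subject.
# A real client would POST the code to the IdP's token endpoint and validate the response.
FAKE_IDP_CODES = {"code-abc": "alice"}


def start_login(session_id: Optional[str]) -> Tuple[str, str]:
    """Begin the OAuth flow from the application side.

    The session is created here, before redirecting to the IdP, and a fresh random
    `state` is stored in it. Returns (session_id, redirect_url); the caller would set
    session_id as a cookie and redirect the browser to redirect_url.
    """
    if session_id is None or session_id not in SESSIONS:
        session_id = secrets.token_urlsafe(32)
        SESSIONS[session_id] = {"user": None, "oauth_state": None}
    state = secrets.token_urlsafe(32)
    SESSIONS[session_id]["oauth_state"] = state
    redirect_url = (
        "https://idp.example/authorize"
        f"?client_id=example-client&response_type=code&state={state}"
    )
    return session_id, redirect_url


def handle_callback(session_id: Optional[str], query: dict) -> Tuple[int, str]:
    """OAuth callback handler.

    Never creates a session here: a request that arrives without the session that
    started the flow is rejected, so a cross-site GET to the callback cannot log the
    victim in. The `state` is compared in constant time and consumed on first use.
    """
    if session_id is None or session_id not in SESSIONS:
        return 403, "no session started this login; refusing to create one"

    sess = SESSIONS[session_id]
    expected_state = sess.get("oauth_state")
    presented_state = query.get("state")
    if not expected_state or not presented_state:
        return 403, "missing state"
    if not hmac.compare_digest(expected_state, presented_state):
        return 403, "state mismatch"
    sess["oauth_state"] = None  # one-time use: a replayed callback is rejected

    code = query.get("code")
    if not code:
        return 400, "missing authorization code"
    user = FAKE_IDP_CODES.get(code)  # constructed token exchange
    if user is None:
        return 401, "IdP rejected the authorization code"

    sess["user"] = user
    return 200, f"logged in as {user}"


def run_demo() -> dict:
    """Exercise the flow: a legitimate login, a forged cross-site callback, and a replay."""
    sid, _redirect = start_login(None)
    state = SESSIONS[sid]["oauth_state"]
    results = {
        # Cross-site GET: the attacker's page cannot send the victim's session cookie
        # along with a state that the victim's session stored, so this is refused.
        "forged_no_session": handle_callback(None, {"code": "code-abc", "state": state})[0],
        "wrong_state": handle_callback(sid, {"code": "code-abc", "state": "guess"})[0],
        "legitimate": handle_callback(sid, {"code": "code-abc", "state": state})[0],
        "replay": handle_callback(sid, {"code": "code-abc", "state": state})[0],
        "user": SESSIONS[sid]["user"],
    }
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The key design point is that session creation happens in `start_login`, on the request the user deliberately made, and `handle_callback` only ever completes a login for a session that already holds a pending `state`. A callback that arrives without that session (the situation a cross-site GET produces) gets a 403 rather than a freshly minted, authenticated session.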
