Bug 27849: Koha::Token may access undefined C4::Context->userenv
The _add_default_csrf_params internal function accesses C4::Context->userenv without checking that it has been defined. I think not all of the potential callers of it declare that they require a defined userenv, so we should test and provide defaults for required values if it is not defined, to avoid some "Can't use an undefined value as a HASH reference" HTTP 500 Internal Server Errors.

To test: Do anything that requires a form with CSRF token, such as editing your details. Behaviour should be unchanged.

To test the failure case, you would need some customised code that indirectly generates a CSRF token before setting the userenv up and I am not sure there is any in released Koha yet.

Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de>

Looks good to me. Working as expected.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
parent 5ca665f6aa
commit 8c45fe1aaa
1 changed files with 5 additions and 1 deletions
|
@ -214,7 +214,11 @@ sub _add_default_csrf_params {
|
|||
my ( $params ) = @_;
|
||||
$params->{session_id} //= '';
|
||||
if( !$params->{id} ) {
|
||||
$params->{id} = Encode::encode( 'UTF-8', C4::Context->userenv->{id} . $params->{session_id} );
|
||||
if( defined( C4::Context->userenv ) ) {
|
||||
$params->{id} = Encode::encode( 'UTF-8', C4::Context->userenv->{id} . $params->{session_id} );
|
||||
} else {
|
||||
$params->{id} = Encode::encode( 'UTF-8', $params->{session_id} );
|
||||
}
|
||||
} else {
|
||||
$params->{id} .= $params->{session_id};
|
||||
}
|
||||
|
|
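Review bot: In the new else branch the token id falls back to `$params->{session_id}` alone, and the line `$params->{session_id} //= '';` above means that value is the empty string whenever the caller passed no session id, so a caller with neither a userenv nor a session id gets an id of '' and the CSRF token is no longer bound to any user or session. Consider warning or refusing to build the params when both are missing, rather than silently continuing with an empty id. The defined() check also does not cover a userenv that exists but has no `id` key, which would concatenate undef. The Encode::encode call is now duplicated across both branches; reading the user id into a local with a '' default and encoding once would keep the two paths from drifting. The commit touches one file and the message says the failure case could not be exercised, so a unit test that calls this function with userenv unset would be worth adding alongside the fix.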