Bug 22543: Prevent "back and refresh attack"

To reproduce and test:
- Log into the OPAC, you are taken to /cgi-bin/koha/opac-user.pl
- Log out, you are taken to /cgi-bin/koha/opac-main.pl?logout.x=1
- Click "Back", you are taken to /cgi-bin/koha/opac-user.pl
- Reload the page, you see an error like "Confirm new submission
  of form"
- Reload the page again and confirm the submission of the form
- You are now logged in to the OPAC again!
- Log out again
- Apply this patch
- Log in to the OPAC, you are taken to /cgi-bin/koha/opac-user.pl
- Log out, you are taken to /cgi-bin/koha/opac-main.pl?logout.x=1
- Click "Back", you are taken to /cgi-bin/koha/opac-user.pl
- No matter how many times you reload /cgi-bin/koha/opac-user.pl,
  you should not see anything other than the login form.
- Check that Self Check Out still works as it should, by making
  sure you have a user with self_check permissions, then setting
  WebBasedSelfCheck, AutoSelfCheckAllowed, AutoSelfCheckID and
  AutoSelfCheckPass appropriately. Then visit
  /cgi-bin/koha/sco/sco-main.pl and verify everything works as
  expected.

The messages and errors pages you see related to resubmitting the
form might differ from the ones described here, depending on what
browser you use. I tested in Chromium 76.0.x.

This fix was originally proposed by LMSCloud:
74a7fe0f0c

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Magnus Enger 2019-09-06 09:54:04 +02:00 committed by Martin Renvoize
parent 5a8f202cb2
commit d20c9ff588
Signed by: martin.renvoize
GPG key ID: 422B469130441A0F

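The test plan above describes the replay that a POST-based login invites: the browser's history entry for opac-user.pl is the POST carrying the credentials, so "Back" followed by a reload re-submits them and a logged-out session becomes a logged-in one. The following is an added, self-contained simulation of that sequence (it is not Koha code and does not exercise C4::Auth): a constructed user table, an in-memory session table, a tiny login handler that can run either with or without the Post/Redirect/Get step, and a "browser" that follows the 303 and records the final request as its history entry. It assumes URI and URI::QueryParam are installed; the handler, the credential names, and the cookie handling are simplifications chosen for the illustration.

```perl
#!/usr/bin/perl
# Added example (not Koha code): the "back and refresh" replay against a
# login handler, once without and once with Post/Redirect/Get (PRG).
use strict;
use warnings;
use URI;
use URI::QueryParam;    # supplies query_param_delete() on URI objects

# Constructed credential store and in-memory session table (assumptions).
my %users = ( alice => 's3cret' );
my %sessions;           # session id => userid
my $next_sid = 1;

# Request:  { method, uri, params, cookie }
# Response: { status, body, cookie, location }
sub handle {
    my ( $req, $use_prg ) = @_;
    my $p = $req->{params};

    # A live session cookie wins regardless of what else was sent.
    my $uid = defined $req->{cookie} ? $sessions{ $req->{cookie} } : undef;
    return { status => 200, body => "welcome $uid", cookie => $req->{cookie} }
        if defined $uid;

    # Login attempt: credentials posted together with the page request.
    if ( $req->{method} eq 'POST' && defined $p->{userid} && defined $p->{password} ) {
        if ( ( $users{ $p->{userid} } // '' ) eq $p->{password} ) {
            my $sid = 'sid' . $next_sid++;
            $sessions{$sid} = $p->{userid};

            # Vulnerable variant: render the page straight off the POST.
            return { status => 200, body => "welcome $p->{userid}", cookie => $sid }
                unless $use_prg;

            # PRG variant: answer the POST with a 303 to the same URL minus
            # the login fields, so the history entry is a credential-free GET.
            my $uri = URI->new( $req->{uri} );
            $uri->query_param_delete($_) for qw(userid password koha_login_context);
            return { status => 303, location => $uri->as_string, cookie => $sid };
        }
    }
    return { status => 200, body => 'login form' };
}

# Minimal browser: sends the request with the cookie jar, stores any cookie
# it gets back, follows one 303, and returns the response plus the request
# that produced it (the history entry a later "Back" + reload re-sends).
sub browse {
    my ( $req, $use_prg, $jar ) = @_;
    $req->{cookie} = $$jar;
    my $res = handle( $req, $use_prg );
    $$jar = $res->{cookie} if defined $res->{cookie};
    if ( $res->{status} == 303 ) {
        my $get = { method => 'GET', uri => $res->{location}, params => {}, cookie => $$jar };
        return ( handle( $get, $use_prg ), $get );
    }
    return ( $res, $req );
}

sub logout {
    my ($jar) = @_;
    delete $sessions{$$jar} if defined $$jar;
    $$jar = undef;
}

# Log in, log out, then "Back" + reload: the browser re-issues the history
# request. Returns the body the user ends up seeing.
sub back_and_refresh {
    my ($use_prg) = @_;
    my $jar;
    my $login = {
        method => 'POST',
        uri    => '/cgi-bin/koha/opac-user.pl?userid=alice&password=s3cret&koha_login_context=opac',
        params => { userid => 'alice', password => 's3cret', koha_login_context => 'opac' },
    };
    my ( undef, $history ) = browse( $login, $use_prg, \$jar );
    logout( \$jar );
    my %replay = %$history;                       # what reload re-sends
    my ($res) = browse( \%replay, $use_prg, \$jar );
    return $res->{body};
}

print "without PRG: ", back_and_refresh(0), "\n";
print "with PRG:    ", back_and_refresh(1), "\n";
```

Without PRG the replayed history entry is the original POST, so the logged-out user is silently logged back in; with PRG the history entry is the GET to opac-user.pl with the login fields stripped, and reloading it only yields the login form. In a real CGI handler the query string to strip comes from `$query->url(-relative => 1, -query_string => 1)`, which in CGI.pm is built from all request parameters, POST fields included; the simulation puts those fields in the URI up front to keep the example offline.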

@ -1211,6 +1211,18 @@ sub checkauth {
);
}
# In case, that this request was a login attempt, we want to prevent that users can repost the opac login
# request. We therefore redirect the user to the requested page again without the login parameters.
# See Post/Redirect/Get (PRG) design pattern: https://en.wikipedia.org/wiki/Post/Redirect/Get
if ( $type eq "opac" && $query->param('koha_login_context') && $query->param('koha_login_context') ne 'sco' && $query->param('password') && $query->param('userid') ) {
my $uri = URI->new($query->url(-relative=>1, -query_string=>1));
$uri->query_param_delete('userid');
$uri->query_param_delete('password');
$uri->query_param_delete('koha_login_context');
print $query->redirect(-uri => $uri->as_string, -cookie => $cookie, -status=>'303 See other');
exit;
}
track_login_daily( $userid );
return ( $userid, $cookie, $sessionID, $flags );
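Review bot: `$uri->query_param_delete('userid')` and the two calls that follow it are not methods of URI itself; they come from URI::QueryParam, so the module must be loaded in this file alongside URI, and the hunk does not show the imports. Please confirm `use URI::QueryParam;` is part of the change, otherwise the first OPAC login attempt dies with "Can't locate object method query_param_delete". Two smaller points: the `exit` fires before `track_login_daily( $userid )`, so the daily login record is skipped on the POST and only written if the follow-up GET reaches this same line, which is worth verifying or noting in the commit message; and the guard `$type eq "opac"` leaves the staff client login open to the same back-and-refresh resubmission, which may be intended scope but deserves a sentence saying so.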