Bug 21325: Prevent authentication when sending userid and password in querystring

This patch permits authentication via userid/password only when the
HTTP method is POST when using C4::Auth::checkauth().

The goal is to stop people from supplying userid and password in querystrings
in order to log into web pages.

Test plan:
0. Do not apply patch yet
1. Open a new browser (ie we don't want any existing CGISESSID cookies
available - opening a new tab/window isn't enough. It must be a
new instance or you can clear your cookies)
2. Go to http://localhost:8080/cgi-bin/koha/opac-reserve.pl?biblionumber=29&userid=koha&password=koha
3. Note the user has been logged in and is being asked to confirm hold.

4. Apply the patch

5. Go to http://localhost:8080/cgi-bin/koha/opac-reserve.pl?biblionumber=29&userid=koha&password=koha
6. Note the user is not logged in and the user is presented with a login screen

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

C4/Auth.pm

@@ -1093,10 +1093,13 @@ sub checkauth {
                 }
                 else {
                     my $retuserid;
-                    ( $return, $cardnumber, $retuserid, $cas_ticket ) =
-                      checkpw( $dbh, $q_userid, $password, $query, $type );
-                    $userid = $retuserid if ($retuserid);
-                    $info{'invalid_username_or_password'} = 1 unless ($return);
+                    my $request_method = $query->request_method();
+                    if ($request_method eq 'POST'){
+                        ( $return, $cardnumber, $retuserid, $cas_ticket ) =
+                          checkpw( $dbh, $q_userid, $password, $query, $type );
+                        $userid = $retuserid if ($retuserid);
+                        $info{'invalid_username_or_password'} = 1 unless ($return);
+                    }
                 }
             }