Main Koha release repository https://koha-community.org
Magnus Enger d20c9ff588
Bug 22543: Prevent "back and refresh attack"
To reproduce and test:
- Log into the OPAC, you are taken to /cgi-bin/koha/opac-user.pl
- Log out, you are taken to /cgi-bin/koha/opac-main.pl?logout.x=1
- Click "Back", you are taken to /cgi-bin/koha/opac-user.pl
- Reload the page, you see an error like "Confirm new submission
  of form"
- Reload the page again and confirm the submission of the form
- You are now logged in to the OPAC again!
- Log out again
- Apply this patch
- Log in to the OPAC, you are taken to /cgi-bin/koha/opac-user.pl
- Log out, you are taken to /cgi-bin/koha/opac-main.pl?logout.x=1
- Click back, you are taken to /cgi-bin/koha/opac-user.pl
- No matter how many times you reload /cgi-bin/koha/opac-user.pl,
  you should not see anything other than the login form.
- Check that Self Check Out still works as it should, by making
  sure you have a user with self_check permissions, then setting
  WebBasedSelfCheck, AutoSelfCheckAllowed, AutoSelfCheckID and
  AutoSelfCheckPass appropriately. Then visit
  /cgi-bin/koha/sco/sco-main.pl and verify everything works as
  expected.

The messages and errors pages you see related to resubmitting the
form might differ from the ones described here, depending on what
browser you use. I tested in Chromium 76.0.x.

This fix was originally proposed by LMSCloud:
74a7fe0f0c

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-11-27 11:30:18 +00:00
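The replay the commit message describes (Back, then Reload resubmits the cached login POST and silently re-authenticates the user) is a general web-session problem, not something specific to Koha. The following is an added illustration, written in Python rather than Koha's Perl and not taken from this commit or from the LMSCloud patch it credits: it models a vulnerable login handler that accepts credentials from any POST beside a hardened one that only honours a one-time form token bound to a live server-side session and consumed on first use. The `AuthServer` class, the `USERS` table, the page names and the `run_scenario` driver are all constructed for the demo.

```python
"""Demo of a "back and refresh" login replay and one mitigation.

Constructed example, not Koha code: it simulates a browser that logs in,
logs out, presses Back and then reloads, which resubmits the cached POST
with the same cookie and the same form fields.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed credential store for the demo (plaintext only for brevity).
USERS = {"kohauser": "s3cret"}


@dataclass
class Session:
    sid: str
    login_token: Optional[str] = None  # one-time token issued with the login form
    userid: Optional[str] = None       # set once the user is authenticated


class AuthServer:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def get_login_form(self) -> Tuple[str, Dict[str, str]]:
        """GET of the login form: start an anonymous session and embed a
        fresh one-time token as a hidden field. Returns (cookie, hidden fields)."""
        sid = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(sid, login_token=token)
        return sid, {"login_token": token}

    def post_login_naive(self, cookie_sid: str, form: Dict[str, str]) -> str:
        """Vulnerable pattern: any POST carrying valid credentials logs the
        user in, even if the browser merely replayed it from cache."""
        if USERS.get(form.get("userid", "")) == form.get("password"):
            sess = self.sessions.setdefault(cookie_sid, Session(cookie_sid))
            sess.userid = form["userid"]
            return "opac-user"
        return "login_form"

    def post_login(self, cookie_sid: str, form: Dict[str, str]) -> str:
        """Hardened pattern: credentials count only when the POST carries the
        unconsumed token of a live session. After logout the session is gone,
        so a replayed POST falls through to the login form."""
        sess = self.sessions.get(cookie_sid)
        if sess is None or sess.login_token is None:
            return "login_form"
        if not secrets.compare_digest(sess.login_token, form.get("login_token", "")):
            return "login_form"
        sess.login_token = None  # consume the token: a second submit is rejected
        if USERS.get(form.get("userid", "")) == form.get("password"):
            sess.userid = form["userid"]
            return "opac-user"
        return "login_form"

    def logout(self, cookie_sid: str) -> str:
        """Destroy server-side state; the browser may keep the stale cookie."""
        self.sessions.pop(cookie_sid, None)
        return "opac-main"

    def get_user_page(self, cookie_sid: str) -> str:
        sess = self.sessions.get(cookie_sid)
        return "opac-user" if sess and sess.userid else "login_form"


def run_scenario(server: AuthServer, naive: bool) -> List[str]:
    """Login, logout, then replay the identical POST twice (Back + Reload).
    Returns the page shown after each step."""
    sid, hidden = server.get_login_form()
    form = {**hidden, "userid": "kohauser", "password": "s3cret"}
    login = server.post_login_naive if naive else server.post_login
    shown = [login(sid, form)]        # first, legitimate login
    shown.append(server.logout(sid))  # user logs out
    shown.append(login(sid, form))    # browser resubmits the cached POST
    shown.append(login(sid, form))    # and again on the next reload
    return shown


if __name__ == "__main__":
    print("naive:   ", run_scenario(AuthServer(), naive=True))
    print("hardened:", run_scenario(AuthServer(), naive=False))
```

Two design points carry the mitigation: the token lives in server-side session state that logout destroys, so no client-held value survives the logout, and it is consumed on first use, so even a replay that races the logout cannot succeed twice. The same hidden-field token also gives the login form CSRF protection, but it does not stop a browser from showing a cached copy of the post-login page on Back; that part is a matter of cache headers on the authenticated response.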
acqui Bug 23721: Use basketgroup's name to name the CSV export file 2019-11-21 11:33:49 +00:00
admin Bug 23398: Disable the XML import/export format for biblio framework 2019-11-08 12:51:16 +00:00
api/v1 Bug 23859: Make POST add the Location header on cities endpoint 2019-11-01 08:48:18 +00:00
authorities Bug 19994: Used Modern::Perl in Authorities perl scripts 2019-01-28 14:58:23 +00:00
basket Bug 11529: Add templates for biblio title display. Unify display. 2019-08-05 15:03:19 +01:00
C4 Bug 22543: Prevent "back and refresh attack" 2019-11-27 11:30:18 +00:00
catalogue Bug 23846: Display degraded view when MARCXML is invalid (staff detail) 2019-11-13 08:04:15 +00:00
cataloguing Bug 23851: Add the homebranch prefix to the barcode when adding multiple copies of an items 2019-11-08 12:56:20 +00:00
circ Bug 20194: Display both biblioitems.itemtype and items.itype in circulation screens 2019-11-03 07:50:19 +00:00
clubs Bug 18632: Remove 'CGI::param called in list context' warnings 2017-05-28 22:25:22 -04:00
course_reserves Bug 21003: Removed warning and changed wording on add_items-step2.tt 2019-03-23 09:51:36 +00:00
debian Bug 22857: (QA follow-up) Cosmetic changes: typo, whitespace 2019-11-08 12:53:55 +00:00
docs Update docs/teams.yaml for 19.11.x development cycle 2019-10-22 15:15:33 +01:00
errors Bug 19998: use Modern::Perl in error perl scripts 2018-02-05 09:45:48 -03:00
etc Bug 22857: (QA follow-up) Cosmetic changes: typo, whitespace 2019-11-08 12:53:55 +00:00
ill Bug 21460: (follow-up) Fix bugs found in QA 2019-04-25 10:46:56 +00:00
installer Bug 23256: Remove the http:// prefix before OPACBaseURL in OPAC_REG_VERIFY 2019-11-26 11:45:14 +00:00
Koha Bug 23927: Do not copy invoiceid for a new duplicated order 2019-11-27 09:18:27 +00:00
koha-tmpl Bug 23451: Fix other similar wrong filterings 2019-11-27 11:30:18 +00:00
labels Bug 21206: Replace C4::Items::GetItem 2019-02-26 13:24:07 +00:00
members Bug 24113: guarantor info lost when a duplicate is found 2019-11-27 07:51:04 +00:00
misc Bug 23452: Multiple select options in system preferences are not translatable 2019-11-26 11:45:41 +00:00
offline_circ Bug 22600: Add 'interface' to accountlines 2019-04-10 19:43:11 +00:00
opac Bug 23846: Handle exception gracefully at the OPAC 2019-11-13 08:04:23 +00:00
OpenILS
patron_lists Bug 19524: Use existing logged_in_user variable 2018-07-18 16:49:30 +00:00
patroncards Bug 21719: Fix typos 2018-11-08 02:18:46 +00:00
plugins Bug 21073: (QA follow-up) Avoid unnecessary unless/else construct 2019-06-18 17:30:44 +01:00
reports Bug 23805: (QA follow-up) Corrections for cash_register_stats 2019-10-31 17:49:54 +00:00
reserve Bug 22922: Use jQuery datepicker instead of <input type="date"> 2019-10-21 10:01:01 +01:00
reviews Bug 18789: Send Koha::Patron object to the templates 2018-02-16 13:03:58 -03:00
rotating_collections Bug 21500: Remove warnings in rotating collections 2018-10-09 15:02:45 +00:00
serials Bug 23435: Add multiple copies of an item when receiving in serials 2019-10-17 14:59:40 +01:00
services Bug 20019: use Modern::Perl in misc perl scripts 2018-02-05 09:47:08 -03:00
skel
suggestion Bug 23854: Fix failure on dates when editing a suggestion 2019-11-13 17:16:24 +00:00
svc Bug 23427: Simplify sort logic 2019-11-07 13:25:10 +00:00
t Bug 23927: Add tests 2019-11-27 09:18:27 +00:00
tags Bug 11529: Add templates for biblio title display. Unify display. 2019-08-05 15:03:19 +01:00
tmp/modified_authorities
tools Bug 23762: Editing is_html status of email template fails under multi-languages 2019-11-03 07:34:52 +00:00
virtualshelves Bug 11529: Add templates for biblio title display. Unify display. 2019-08-05 15:03:19 +01:00
xt Bug 21576: Keep compatibility with QA script 2018-10-26 17:09:52 +00:00
.editorconfig
.eslintrc.json Bug 23834: Add default ESLint configuration 2019-11-03 08:02:39 +00:00
.gitignore Bug 20427: Convert OPAC LESS to SCSS 2018-08-09 15:17:07 +00:00
.htaccess Fix file permissions: if it is not a script, it should not be executable. 2010-04-16 00:40:34 -04:00
.mailmap Update mailmap - Jonathan Druart 2017-06-21 12:42:19 -03:00
.scss-lint.yml Bug 21237: Clean up staff client SCSS 2018-08-24 16:23:25 +00:00
about.pl Bug 23655: Restore debian Jessie support 2019-10-26 12:07:49 +01:00
changelanguage.pl Bug 21299: (QA follow-up) Rename module and subroutine 2018-11-07 21:52:17 +00:00
fix-perl-path.PL Bug 9978: (followup) Replace license header with the correct license (GPLv3+) 2015-04-20 09:59:43 -03:00
gulpfile.js Bug 21751: Replace fixFloat with HC-sticky to fix Chrome display 2019-02-04 14:13:35 +00:00
help.pl Bug 19817: Use the language from the interface if valid 2018-09-06 17:32:28 +00:00
INSTALL Bug 17626: Remove existing install instructions and link to the wiki pages instead 2016-11-22 11:29:07 +00:00
Koha.pm Bug 23293: DBRev 19.06.00.050 2019-11-07 13:20:40 +00:00
koha_perl_deps.pl Bug 20019: use Modern::Perl in misc perl scripts 2018-02-05 09:47:08 -03:00
kohaversion.pl Bug 13758: Move the Koha version from kohaversion.pl 2015-05-07 11:39:04 -03:00
LICENSE
mainpage.pl Bug 21907: Fix article requests count for non-superlibrarians 2019-02-04 14:50:40 +00:00
Makefile.PL Bug 23834: (RM follow-up) Add new file to Makefile.PL 2019-11-04 10:10:04 +00:00
MANIFEST.SKIP Bug 9546 : Updating make manifest tardist 2013-02-06 23:54:46 -05:00
package.json Bug 23025: security vulnerability detected in fstream < 1.0.12 defined in yarn.lock 2019-11-27 11:30:17 +00:00
README
README.md Bug 15465: Fix typo in bugs.k-c.org 2017-05-26 11:45:31 -03:00
README.robots
rewrite-config.PL Bug 17851: Add elasticsearch config to koha-conf.xml 2019-10-07 14:09:10 +01:00
yarn.lock Bug 23025: Update yarn.lock 2019-11-27 11:30:17 +00:00

Koha is a free software integrated library system (ILS).

Koha is distributed under the GNU GPL version 3 or later.

Note: This is a synced mirror of the official Koha repo.

Note: Koha does not accept pull requests from git hosting sites.

Note: This project has its own bug tracker; to report a bug or submit a patch, visit http://bugs.koha-community.org.

For guidelines on submitting patches for Koha please visit https://wiki.koha-community.org/wiki/SubmitingAPatch

The developer handbook can be found at https://wiki.koha-community.org/wiki/Developer_handbook

http://koha-community.org/
