Main Koha release repository https://koha-community.org
Magnus Enger d20c9ff588
Bug 22543: Prevent "back and refresh attack"
To reproduce and test:
- Log into the OPAC, you are taken to /cgi-bin/koha/opac-user.pl
- Log out, you are taken to /cgi-bin/koha/opac-main.pl?logout.x=1
- Click "Back", you are taken to /cgi-bin/koha/opac-user.pl
- Reload the page, you see an error like "Confirm new submission
  of form"
- Reload the page again and confirm the submission of the form
- You are now logged in to the OPAC again!
- Log out again
- Apply this patch
- Log in to the OPAC, you are taken to /cgi-bin/koha/opac-user.pl
- Log out, you are taken to /cgi-bin/koha/opac-main.pl?logout.x=1
- Click back, you are taken to /cgi-bin/koha/opac-user.pl
- No matter how many times you reload /cgi-bin/koha/opac-user.pl,
  you should not see anything other than the login form.
- Check that Self Check Out still works as it should, by making
  sure you have a user with self_check permissions, then setting
  WebBasedSelfCheck, AutoSelfCheckAllowed, AutoSelfCheckID and
  AutoSelfCheckPass appropriately. Then visit
  /cgi-bin/koha/sco/sco-main.pl and verify everything works as
  expected.

The messages and errors pages you see related to resubmitting the
form might differ from the ones described here, depending on what
browser you use. I tested in Chromium 76.0.x.

This fix was originally proposed by LMSCloud:
74a7fe0f0c

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-11-27 11:30:18 +00:00
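The replay that the test plan above walks through (log in, log out, Back, reload) can be modelled in a few lines: the browser re-sends the cached login POST, and a server that only checks the credentials logs the user straight back in. The example below is added here and is not Koha's code; it assumes an illustrative mitigation of a one-time login-form token bound to the pre-login session and destroyed with it on logout, which is not necessarily the mechanism the Koha patch uses.

```python
# Added example, not Koha's own code: toy login flow showing how a cached
# login POST re-authenticates after logout, and how a one-time form token
# bound to the session (gone once the session is destroyed) blocks the replay.
import secrets

# Constructed sample user; a real system stores a password hash, not this.
USERS = {"alice": "constructed-password"}


class LoginServer:
    def __init__(self):
        self.sessions = {}  # session id -> {"user": ..., "login_token": ...}

    def login_page(self):
        """GET the login form: anonymous session plus a one-time form token."""
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = {"user": None, "login_token": token}
        return {"cookie": sid, "form": {"login_token": token}}

    def login_post(self, cookie, userid, password, login_token=None, require_token=True):
        """POST of the login form, exactly as the browser would (re)send it."""
        sess = self.sessions.get(cookie)
        if require_token:
            # A replayed submission fails here: the session that issued the
            # token no longer exists after logout, or the token was consumed.
            if sess is None or sess.get("login_token") != login_token:
                return {"logged_in": False, "page": "login form"}
            sess["login_token"] = None  # one-time use
        if USERS.get(userid) != password:
            return {"logged_in": False, "page": "login form"}
        # Issue a fresh session id on privilege change (session fixation defence).
        new_sid = secrets.token_hex(16)
        self.sessions.pop(cookie, None)
        self.sessions[new_sid] = {"user": userid, "login_token": None}
        return {"logged_in": True, "cookie": new_sid, "page": "opac-user.pl"}

    def logout(self, cookie):
        self.sessions.pop(cookie, None)
        return {"page": "opac-main.pl?logout.x=1"}


def back_and_refresh(require_token):
    """Login, logout, then replay the cached login POST (Back + reload)."""
    srv = LoginServer()
    page = srv.login_page()
    form = {"userid": "alice", "password": USERS["alice"], **page["form"]}
    first = srv.login_post(page["cookie"], require_token=require_token, **form)
    srv.logout(first["cookie"])
    # Reload re-posts the same cached form body with the browser's stale cookie.
    replay = srv.login_post(first["cookie"], require_token=require_token, **form)
    return first["logged_in"], replay["logged_in"]
```

`back_and_refresh(False)` reproduces the bug (both submissions log in), while `back_and_refresh(True)` shows the replay landing on the login form, matching the post-patch expectation in the test plan.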

Koha is a free software integrated library system (ILS).

Koha is distributed under the GNU GPL version 3 or later.

Note: This is a synced mirror of the official Koha repo.

Note: Koha does not accept pull requests from git hosting sites.

Note: This project has its own bug tracker, to report a bug or submit a patch visit http://bugs.koha-community.org.

For guidelines on submitting patches for Koha please visit https://wiki.koha-community.org/wiki/SubmitingAPatch

The developers handbook can be found at https://wiki.koha-community.org/wiki/Developer_handbook

http://koha-community.org/
