Koha/opac
Fridolin Somers 904e926ba0 Bug 26904: OPAC password recovery allows regexp in email
When using the OPAC password recovery form, opac/opac-password-recovery.pl:
if one provides a correct login and an email, there is a check that this email is one of the patron's.

This check uses a case-insensitive RegExp:
  if ( $email && !( any { /^$email$/i } @emails ) )

This is a security issue since one can simply enter '.*'.
Severity is normal because the login must be correct.

I propose to use a simple string compare, lowercased to be case insensitive.

Test plan:
1) Don't apply patch
2) Enable system preference 'OpacResetPassword'
3) Go to 'OPAC > Log in to your account > Forgot your password?'
4) Enter an existing userid or cardnumber and '.*' in 'Email'
5) The password recovery is created! (check table 'borrower_password_recovery')
6) Apply patch
7) Enter an existing userid or cardnumber and '.*' in 'Email'
8) You get the message 'No account was found with the provided information.'
9) Enter an existing userid or cardnumber and, in 'Email', the corresponding email but with different case
10) The password recovery is created (check table 'borrower_password_recovery')

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-11-09 16:18:25 +01:00
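The two checks side by side, as an added Perl example (not Koha's own code): the interpolated regexp quoted in the commit message beside the lowercase string compare it proposes, run against a constructed pair of patron addresses. The helper names and the sample inputs are assumptions made for the example.

```perl
#!/usr/bin/env perl
# Added example, not code from Koha. Contrasts the regexp check that
# Bug 26904 removes with the lowercase string compare it proposes.
use strict;
use warnings;
use List::Util qw(any);    # core since 1.33; Koha itself uses List::MoreUtils

# Constructed sample: the addresses stored on one patron record.
my @emails = ( 'Alice.Smith@Example.org', 'alice@example.org' );

# Before the patch: the submitted value is interpolated into the pattern,
# so regexp metacharacters in user input are honoured ('.*' matches anything,
# '.' matches any single character).
sub matches_by_regexp {
    my ( $email, @candidates ) = @_;
    return 0 unless $email;
    return ( any { /^$email$/i } @candidates ) ? 1 : 0;
}

# After the patch: lowercase both sides and compare as plain strings.
# No pattern engine is involved, so the input cannot widen the match.
sub matches_by_string {
    my ( $email, @candidates ) = @_;
    return 0 unless $email;
    return ( any { lc($_) eq lc($email) } @candidates ) ? 1 : 0;
}

# Constructed inputs: the wildcard from the bug report, the exact address in
# a different case, a look-alike where '.' stands in for a letter, and an
# unrelated address.
for my $input (
    '.*',
    'ALICE@EXAMPLE.ORG',
    'a.ice@example.org',
    'bob@example.org',
  )
{
    printf "%-22s regexp=%d string=%d\n", $input,
      matches_by_regexp( $input, @emails ),
      matches_by_string( $input, @emails );
}
```

Only the case-different exact address is accepted by both checks; the wildcard and the look-alike pass the regexp check but not the string compare. Where a pattern match is genuinely required, `\Q$email\E` (quotemeta) neutralises metacharacters, but the plain `lc ... eq` compare avoids the question entirely.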
clubs Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
errors Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
external/overdrive Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
rss
sci Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
sco Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
svc Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
ilsdi.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
maintenance.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
oai.pl Bug 14939: Modularize OAI Server existing classes 2015-12-31 15:15:05 +00:00
opac-account-pay-paypal-return.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-account-pay-return.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-account-pay.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-account.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-addbybiblionumber.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-alert-subscribe.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-article-request-cancel.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-authorities-home.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-authoritiesdetail.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-basket.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-blocked.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-browse.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-browser.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-changelanguage.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-course-details.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-course-reserves.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-detail.pl Bug 26145: Allow multi covers per item 2020-10-12 11:28:41 +02:00
opac-discharge.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-downloadcart.pl Bug 5087: Add server-side check 2020-07-23 11:17:27 +02:00
opac-downloadshelf.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-export.pl Bug 22075: Fix encoding problem with RIS export in OPAC 2019-04-11 11:47:17 +00:00
opac-ics.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-idref.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-illrequests.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-image.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-imageviewer.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-ISBDdetail.pl Bug 18936: (follow-up) Fix tests, replace old get_onshelfholds_policy method 2020-02-04 09:56:25 +00:00
opac-issue-note.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-library.pl Bug 13388: Add library pages to the OPAC 2020-05-04 09:11:03 +01:00
opac-main.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-MARCdetail.pl Bug 21395: Make perlcritic happy 2020-06-29 12:37:02 +02:00
opac-memberentry.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-messaging.pl Bug 24663: Remove authnotrequired if set to 0 2020-09-03 10:40:35 +02:00
opac-modrequest-suspend.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-modrequest.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-mymessages.pl Bug 24663: Remove authnotrequired if set to 0 2020-09-03 10:40:35 +02:00
opac-news-rss.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-overdrive-search.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-passwd.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-password-recovery.pl Bug 26904: OPAC password recovery allows regexp in email 2020-11-09 16:18:25 +01:00
opac-patron-consent.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-patron-image.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-privacy.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-ratings-ajax.pl Bug 19991: use Modern::Perl in OPAC perl scripts 2018-08-30 13:40:32 +00:00
opac-ratings.pl Bug 19991: use Modern::Perl in OPAC perl scripts 2018-08-30 13:40:32 +00:00
opac-readingrecord.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-recordedbooks-search.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-registration-verify.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-renew.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-reportproblem.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-request-article.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-reserve.pl Bug 22806: (QA follow-up) 2020-11-02 11:03:08 +01:00
opac-restrictedpage.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-retrieve-file.pl Bug 17501: Move getCategories and httpheaders from Upload.pm 2017-01-20 14:20:05 +00:00
opac-review.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-routing-lists.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-search-history.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-search.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-sendbasket.pl Bug 22343: (QA follow-up) Wrap email creation inside the try/catch block 2020-10-02 10:54:41 +02:00
opac-sendshelf.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-serial-issues.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-shareshelf.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-shelves.pl Bug 26752: Convert OPAC list download modal to dropdown 2020-10-26 00:04:18 +01:00
opac-showmarc.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-showreviews.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-suggestions.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-tags.pl Bug 23276: Do not display tag if pref TagsEnabled is off 2020-06-15 10:32:29 +02:00
opac-tags_subject.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-topissues.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
opac-user.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
tracklinks.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
unapi Bug 24052: Rename XSLT_Handler 2020-03-24 10:42:23 +00:00