Main Koha release repository https://koha-community.org
Find a file
Jonathan Druart f01720808a Bug 16593: Do not allow patrons to delete search history of others patrons
A malicious user can delete the search history of all other users by
correctly guessing the ID value assigned to the victim's search. As
searches are assigned values sequentially, an attacker could quickly
remove the searches belonging to all of the application's users.

To reproduce:
Login with patron A
launch a search
Note the id generated for this search history:
select id from search_history order by id desc limit 1;
Login with patron B
Hit /cgi-bin/koha/opac-search-history.pl?action=delete&id=<ID>
Note that the row is deleted in the DB

Test plan
Confirm that this patch fixes the issue.
The same test can be made at the staff interface

Reported by Alex Middleton at Dionach

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-06-24 11:47:29 +00:00
acqui Bug 15531: (QA followup) Fix several small issues 2016-04-29 13:07:18 +00:00
admin Bug 13074: Use Koha::Cache to cache the defaults values of a MARC record 2016-06-17 14:29:59 +00:00
api/v1 Bug 13903: (QA followup) change routes to /holds 2016-05-04 13:54:01 +00:00
authorities Bug 16154: CGI->multi_param - Force scalar context 2016-04-26 23:16:43 +00:00
basket Bug 16447: Remove occurrence of the borrow permission which does no longer exist 2016-05-05 21:28:14 +00:00
C4 Bug 16534: (followup) - Tidy AddIssue 2016-06-24 11:45:01 +00:00
catalogue Bug 16593: Do not allow patrons to delete search history of others patrons 2016-06-24 11:47:29 +00:00
cataloguing Bug 16154: CGI->multi_param - Force scalar context 2016-04-26 23:16:43 +00:00
circ Bug 16527: Restore sticky due date behavior 2016-06-24 11:46:35 +00:00
course_reserves Bug 16154: CGI->multi_param - Force scalar context 2016-04-26 23:16:43 +00:00
debian Bug 16647: update debian/control for 16.* 2016-06-10 17:06:36 +00:00
docs Revert "Bug 7143 - Bug for tracking changes to the about page" 2016-06-04 15:46:28 +03:00
errors Bug 15288: Error pages: Code duplication removal and better translatability 2016-01-27 05:57:34 +00:00
etc Bug 15555: Index 024$a into Identifier-other:u url register when source $2 is uri 2016-04-29 13:19:28 +00:00
install_misc Bug 15303 Letsencrypt option for Debian package installations 2016-04-29 13:04:31 +00:00
installer Bug 10459 - DBRev 16.06.00.002 2016-06-10 17:15:21 +00:00
Koha Bug 16720: Remove DBIx ActionLogs.pm 2016-06-17 14:37:55 +00:00
koha-tmpl Bug 16534: (followup) Correct tiny typo 2016-06-24 11:45:01 +00:00
labels Bug 16154: CGI->multi_param - Assign a list 2016-04-26 23:16:43 +00:00
members Bug 14605 - Corrects the individual fine's description 2016-06-10 17:34:08 +00:00
misc Bug 16672: Fix typo unqiue vs unique 2016-06-17 15:45:54 +00:00
offline_circ Bug 15764: Fix timestamp sent by KOCT 2016-02-23 20:53:18 +00:00
opac Bug 16593: Do not allow patrons to delete search history of others patrons 2016-06-24 11:47:29 +00:00
OpenILS Bug 9239 QA follow-up: remove stray debug code 2013-03-16 21:32:34 -04:00
patron_lists Bug 16154: CGI->multi_param - Force scalar context 2016-04-26 23:16:43 +00:00
patroncards Bug 16747 - Patron card creator broken with version 16.05 2016-06-21 20:48:50 +00:00
plugins Bug 14951: Remove C4::Dates from plugins/*.pl files 2015-10-06 10:29:42 -03:00
reports Bug 16594: Fix obvious QA issues from bug 11371 2016-06-17 14:53:45 +00:00
reserve Bug 16693: Remove reserve/renewscript.pl 2016-06-17 15:58:03 +00:00
reviews Bug 14779: Cannot paginate reviews 2015-09-07 11:38:26 -03:00
rotating_collections Bug 15066: Make transfer rotating collection works under Plack 2015-11-05 09:50:09 -03:00
selenium Adding selenium tests for filterMembers 2009-09-30 11:30:37 +02:00
serials Bug 16154: Fix some other occurrences 2016-04-26 23:16:44 +00:00
services Bug 9978: Replace license header with the correct license (GPLv3+) 2015-04-20 09:59:38 -03:00
skel Bug 11078: Add locking to rebuild_zebra 2014-02-28 22:21:41 +00:00
sms Bug 15258: Fix Perl scripts declaring unused variables 2015-12-30 17:24:45 -07:00
suggestion Bug 16154: CGI->multi_param - Declare a list 2016-04-26 23:16:42 +00:00
svc Bug 16508: Updating a syspref requires parameters_remaining_permissions 2016-06-06 17:33:18 +00:00
t Bug 16534: Add tests for AddIssue 2016-06-24 11:45:00 +00:00
tags Bug 16154: CGI->multi_param - Assign a list 2016-04-26 23:16:43 +00:00
test Bug 9819 - 'stopwords'-related code removed 2015-12-30 15:49:35 +00:00
tmp/modified_authorities changing DO_NOT_REMOVE to README.txt 2007-10-21 19:14:41 -05:00
tools Bug 16148 - Revised layout and behavior of marc modification template management 2016-06-17 16:11:43 +00:00
virtualshelves Bug 16484 - Virtualshelves: Using no XSLTResultsDisplay breaks content display in intranet 2016-05-23 17:25:24 +00:00
xt Bug 16174: (QA followup) Fix remaining tests 2016-04-01 19:11:33 +00:00
.editorconfig Bug 12545: Add EditorConfig.org file to the source tree 2014-08-22 11:07:45 -03:00
.htaccess Fix file permissions: if it is not a script, it should not be executable. 2010-04-16 00:40:34 -04:00
.mailmap (RM followup) .mailmap updates 2015-05-22 17:02:21 -03:00
about.pl Bug 12721 - Syspref StatisticsFields: Warning on About page and text change in System preferences 2016-04-29 02:48:30 +00:00
changelanguage.pl Bug 9978: (followup) Replace license header with the correct license (GPLv3+) 2015-04-20 09:59:43 -03:00
edithelp.pl Bug 16447: Remove occurrence of the borrow permission which does no longer exist 2016-05-05 21:28:14 +00:00
fix-perl-path.PL Bug 9978: (followup) Replace license header with the correct license (GPLv3+) 2015-04-20 09:59:43 -03:00
help.pl Bug 14812: Display the help in the correct language 2015-10-02 15:06:08 -03:00
INSTALL Bug 7759, update of install files to use background indexing (and some whitespace tidy) 2012-04-20 16:11:52 +02:00
install-CPAN.pl Bug 9978: Replace license header with the correct license (GPLv3+) 2015-04-20 09:59:38 -03:00
INSTALL.debian Bug 8092 follow-up: Add optional dependency on CHI 2012-06-09 13:08:18 +02:00
INSTALL.fedora7 Bug 13642 - Remove MARC::Crosswalk::DublinCore from Koha 2016-01-27 06:23:08 +00:00
INSTALL.opensuse Bug 11757: remove dependency on POE 2014-02-15 01:38:15 +00:00
INSTALL.ubuntu Bug 7764: (follow-up) editorial tweaks 2013-10-04 16:27:55 +00:00
Koha.pm Bug 10459 - DBRev 16.06.00.002 2016-06-10 17:15:21 +00:00
koha_perl_deps.pl bug 10548: fix count of missing required dependencies by koha_perl_deps.pl 2013-07-11 14:03:32 +00:00
kohaversion.pl Bug 13758: Move the Koha version from kohaversion.pl 2015-05-07 11:39:04 -03:00
LICENSE Bug 9440 - update Koha's LICENSE file from GPL2 to GPL3 2013-02-12 08:52:10 -05:00
mainpage.pl Bug 15548: Move new patron related code to Patron* 2016-03-03 14:38:26 -07:00
Makefile.PL Bug 16222: (QA followup) Add /api dir for the API 2016-04-20 21:18:36 +00:00
MANIFEST.SKIP Bug 9546 : Updating make manifest tardist 2013-02-06 23:54:46 -05:00
README Bug 9440 - update Koha's LICENSE file from GPL2 to GPL3 2013-02-12 08:52:10 -05:00
README.md Bug 15465 [QA Followup] - Update wording, switch logo, add links 2016-02-24 04:02:26 +00:00
README.robots Bug 6411 add another example to README.robots 2011-07-05 14:48:05 +12:00
rewrite-config.PL Bug 16222: (QA followup) Add /api dir for the API 2016-04-20 21:18:36 +00:00

Koha is a free software integrated library system (ILS).

Koha is distributed under the GNU GPL version 3 or later.

Note: This is a synced mirror of the official Koha repo.

Note: Koha does not accept pull requests from git hosting sites.

Note: This project has its own bug tracker, to report a bug or submit a patch visit http://bugs.koha-comminity.org.

For guidelines on submitting patches for Koha please visit https://wiki.koha-community.org/wiki/SubmitingAPatch

The developers handbook can be found at https://wiki.koha-community.org/wiki/Developer_handbook

http://koha-community.org/

Koha Logo