From 6fba85d23bf419516111ff959bb5ab7c67ee6414 Mon Sep 17 00:00:00 2001 From: Tomas Cohen Arazi Date: Tue, 26 Apr 2022 15:03:05 -0300 Subject: [PATCH] Bug 29924: Avoid leaking information on wrong credentials If the passed credentials are wrong, we shouldn't expose things like the password is expired. This patch takes care of that. To test: 1. Have a known patron with password_expiration_date set so its password is expired. Can be done like: $ koha-mysql kohadev > UPDATE borrowers \ SET password_expiration_date='2022-04-25' \ WHERE borrowernumber=132; Note: change the borrowernumber 2. Attempt to login to the OPAC with wrong credentials => SUCCESS: You are rejected, with a message telling credentials are wrong => FAIL: You are told the password is expired. 3. Apply this patch and restart Plack 4. Repeat 2 => SUCCESS: You are rejected, credentials are wrong and no mention to password being expired. Signed-off-by: Tomas Cohen Arazi Signed-off-by: Fridolin Somers --- C4/Auth.pm | 1 - koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/C4/Auth.pm b/C4/Auth.pm index 26066bb32d..48b73bca50 100644 --- a/C4/Auth.pm +++ b/C4/Auth.pm @@ -1407,7 +1407,6 @@ sub checkauth { PatronSelfRegistrationDefaultCategory => C4::Context->preference("PatronSelfRegistrationDefaultCategory"), opac_css_override => $ENV{'OPAC_CSS_OVERRIDE'}, too_many_login_attempts => ( $patron and $patron->account_locked ), - password_has_expired => ( $patron and $patron->password_expired ) ); $template->param( SCO_login => 1 ) if ( $query->param('sco_user_login') ); diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt index 9f0df7bd08..acba29d1b0 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt +++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt 
@@ -167,7 +167,7 @@ [% END # /IF GoogleOpenIDConnect %] [% END # /UNLESS OPACShibOnly %] - [% IF password_has_expired %] + [% IF !(invalid_username_or_password || too_many_login_attempts) and password_has_expired %]

Error: Your password has expired!
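Review bot: with `password_has_expired => ( $patron and $patron->password_expired )` removed from this `$template->param(...)` call in `checkauth`, nothing visible in the patch sets `password_has_expired` any more, yet the opac-auth.tt hunk still branches on it; confirm that the flag is assigned on the path where the credentials have already been verified correct (not shown here), otherwise the expired-password prompt can never appear for a legitimate user whose password has lapsed, and say so in the commit message so the next reader knows where the flag now comes from. The hash now ends with `too_many_login_attempts => ( $patron and $patron->account_locked ),` followed by `);`, which is a trailing comma Perl accepts, so there is no syntax concern from the deletion itself.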
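Review bot: the new guard `[% IF !(invalid_username_or_password || too_many_login_attempts) and password_has_expired %]` mixes `||` with `and`; Template Toolkit accepts both spellings, but the mixed style is easy to misread where precedence matters, so consider `[% IF password_has_expired && !(invalid_username_or_password || too_many_login_attempts) %]` (or `and`/`or`/`not` throughout). More importantly, this guard only closes the disclosure if `invalid_username_or_password` is actually set on the failed-login path; it is not set anywhere in this patch, so that should be checked against the rest of `checkauth`. Suppressing the message in the template is a second line of defence on top of the C4/Auth.pm change, which is sensible, but the two hunks are only complete together: if `password_has_expired` is never supplied at all, this condition is dead code, and if it is still supplied for wrong credentials, this guard alone stands between the attacker and the "password has expired" message.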

-- 2.39.5