git.koha-community.org Git - koha.git/commit

Bug 26904: OPAC password recovery allows regexp in email

When using OPAC password recovery form, opac/opac-password-recovery.pl :
if one provides correct login and an email, there is a check that this email is one of patron's.

This check uses RegExp with case insensitive :
if ( $email && !( any { /^$email$/i } @emails ) )

This is a security issue since one can simply enter '.*'.
Severity is normal because the login must be a correct.

I propose to use simple string compare with lowercase to be case insensitive.

Test plan :
1) Don't apply patch
2) Enable system preference 'OpacResetPassword'
3) Go to 'OPAC > Log in to your account > Forgot your password?'
4) Enter an existing userid or cardnumber and '.*' in 'Email'
5) The password recovery is created ! (check table 'borrower_password_recovery')
6) Apply patch
7) Enter an existing userid or cardnumber and '.*' in 'Email'
8) You get the message 'No account was found with the provided information.'
9) Enter an existing userid or cardnumber and in 'Email' the corresponding email but with different case
10) The password recovery is created (check table 'borrower_password_recovery')

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Backport to 19.05.x:
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>

author	Fridolin Somers <fridolin.somers@biblibre.com>
	Tue, 3 Nov 2020 08:19:34 +0000 (09:19 +0100)
committer	Victor Grousset/tuxayo <victor@tuxayo.net>
	Mon, 23 Nov 2020 14:50:23 +0000 (15:50 +0100)
commit	e9b9e1510641c8385d2a7b8d53fc799f9224464e
tree	fb729ebdd9a7c6b290bb2aafc7d7df0c601dc948	tree \| snapshot
parent	a5c2090ff5853f839a8021d52494cfcba9a2c1be	commit \| diff