From e4bb59683f823c58df6574043d9e2cf0b8aacb02 Mon Sep 17 00:00:00 2001
From: Marcel de Rooy
Date: Fri, 26 Apr 2024 08:32:52 +0000
Subject: [PATCH] Bug 36700: Fix underscore in CSRF header

Also change the cache key in template plugin. And the X- header that had an underscore in svc script.

Signed-off-by: Martin Renvoize
---
 Koha/Middleware/CSRF.pm | 2 +-
 Koha/Template/Plugin/Koha.pm | 2 +-
 koha-tmpl/intranet-tmpl/prog/js/fetch/http-client.js | 6 +++---
 svc/authentication | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/Koha/Middleware/CSRF.pm b/Koha/Middleware/CSRF.pm
index afa581fa38..b34208ec6c 100644
--- a/Koha/Middleware/CSRF.pm
+++ b/Koha/Middleware/CSRF.pm
@@ -50,7 +50,7 @@ sub call {
 } elsif ( $stateful_methods{$request_method} ) {
 # Get the CSRF token from the param list or the header
- my $csrf_token = $req->param('csrf_token') || $req->header('CSRF_TOKEN');
+ my $csrf_token = $req->param('csrf_token') || $req->header('CSRF-TOKEN');
 if ( defined $req->param('op') && $original_op !~ m{^cud-} ) {
 $error = sprintf "Programming error - op '%s' must start with 'cud-' for %s %s (referer: %s)", $original_op,
diff --git a/Koha/Template/Plugin/Koha.pm b/Koha/Template/Plugin/Koha.pm
index 55671d2199..0b69249779 100644
--- a/Koha/Template/Plugin/Koha.pm
+++ b/Koha/Template/Plugin/Koha.pm
@@ -110,7 +110,7 @@ sub GenerateCSRF {
 my ($self) = @_;
 my $memory_cache = Koha::Cache::Memory::Lite->get_instance;
- my $cache_key = "CSRF_TOKEN";
+ my $cache_key = "CSRF-TOKEN";
 my $cached = $memory_cache->get_from_cache($cache_key);
 return $cached if $cached;
diff --git a/koha-tmpl/intranet-tmpl/prog/js/fetch/http-client.js b/koha-tmpl/intranet-tmpl/prog/js/fetch/http-client.js
index 385d0e11a9..2403b035c7 100644
--- a/koha-tmpl/intranet-tmpl/prog/js/fetch/http-client.js
+++ b/koha-tmpl/intranet-tmpl/prog/js/fetch/http-client.js
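Review bot: The request header name chosen on the new `my $csrf_token` line is now a wire contract with js/fetch/http-client.js (which sends `CSRF-TOKEN`) and is asymmetric with svc/authentication, which hands the token out as `X-CSRF-TOKEN`; neither fact is recorded at the lookup. I would widen the comment on the preceding line to `# Token comes from the csrf_token param or the CSRF-TOKEN request header (sent by js/fetch/http-client.js; svc/authentication returns it as X-CSRF-TOKEN)`. Note also that `$req->param` on a Plack::Request merges query-string and body parameters, so for these stateful methods a token carried in the URL is accepted as well; if only body tokens are intended, `$req->body_parameters->{csrf_token}` narrows it — hedged, since the rest of the method handling is outside this hunk. The enclosing `call` sub starts and ends outside the hunk.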
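Review bot: The renamed `$cache_key` is a memoisation key for Koha::Cache::Memory::Lite, not an HTTP header, and giving it the header's exact spelling invites the next reader to assume the two are linked; a one-line comment would prevent that: `# memo key in the in-process memory cache, unrelated to the CSRF-TOKEN HTTP header`. How long that cache lives is not visible in this hunk; if Memory::Lite is not flushed per request, `return $cached if $cached` would serve one session's token to the next request in the same worker, so the comment should also state the per-request assumption (`# assumes Memory::Lite is flushed per request — confirm`). `GenerateCSRF` continues past the hunk.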
@@ -86,7 +86,7 @@ class HttpClient {
 ? params.body
 : JSON.stringify(params.body)
 : undefined;
- let csrf_token = { csrf_token: this.csrf_token };
+ let csrf_token = { "CSRF-TOKEN": this.csrf_token };
 let headers = { ...csrf_token, ...params.headers };
 return this._fetchJSON(
 params.endpoint,
@@ -107,7 +107,7 @@ class HttpClient {
 ? params.body
 : JSON.stringify(params.body)
 : undefined;
- let csrf_token = { csrf_token: this.csrf_token };
+ let csrf_token = { "CSRF-TOKEN": this.csrf_token };
 let headers = { ...csrf_token, ...params.headers };
 return this._fetchJSON(
 params.endpoint,
@@ -123,7 +123,7 @@ class HttpClient {
 }
 delete(params = {}) {
- let csrf_token = { csrf_token: this.csrf_token };
+ let csrf_token = { "CSRF-TOKEN": this.csrf_token };
 let headers = { ...csrf_token, ...params.headers };
 return this._fetchJSON(
 params.endpoint,
diff --git a/svc/authentication b/svc/authentication
index 409c2832c1..6d8fc571ac 100755
--- a/svc/authentication
+++ b/svc/authentication
@@ -62,5 +62,5 @@ if ( $status eq "ok" ) {
 );
 $csrf_token = Koha::Token->new->generate_csrf( { session_id => scalar $sessionID } );
 }
-print $query->header( -type => 'text/xml', cookie => $cookie, -'X-CSRF_TOKEN' => $csrf_token );
+print $query->header( -type => 'text/xml', cookie => $cookie, -'X-CSRF-TOKEN' => $csrf_token );
 print XMLout( { status => $status }, NoAttr => 1, RootName => 'response', XMLDecl => 1 );
-- 
2.39.5
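Review bot: The `csrf_token`/`headers` pair is now repeated verbatim in three methods — this hunk, `@@ -107` and `@@ -123` — and the local is still called `csrf_token` although it now holds a header object, which is misleading next to `this.csrf_token`. A small helper removes the repetition and makes the precedence explicit: `_csrfHeaders(params = {}) { return { "CSRF-TOKEN": this.csrf_token, ...params.headers }; }`, with each method reduced to `const headers = this._csrfHeaders(params);`. Spreading `...params.headers` last keeps the existing behaviour that a caller-supplied `CSRF-TOKEN` overrides the client's token; if that override is not intended, reverse the order in the helper. The HttpClient class and its other methods lie outside these hunks.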
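Review bot: `-'X-CSRF-TOKEN' => $csrf_token` relies on unary minus applied to a string literal to produce the `-X-CSRF-TOKEN` key CGI expects, which reads like a typo beside the dash-less `cookie =>`; `'-X-CSRF-TOKEN' => $csrf_token` (and `-cookie =>` for consistency) says the same thing without the trick. The header is also emitted unconditionally, while `$csrf_token` is only assigned inside the `if ( $status eq "ok" )` block that opens above the hunk, so on the failure path the value depends on how `$csrf_token` was initialised outside the hunk. Emitting it only when a token exists, e.g. `( $csrf_token ? ( '-X-CSRF-TOKEN' => $csrf_token ) : () )`, avoids an empty token header and a possible uninitialised-value warning.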