]> git.koha-community.org Git - koha.git/commit
Bug 18956: Prevent leaking during password recovery
authorMark Tompsett <mtompset@hotmail.com>
Fri, 25 Aug 2017 19:09:38 +0000 (15:09 -0400)
committerMason James <mtj@kohaaloha.com>
Tue, 24 Oct 2017 08:11:07 +0000 (21:11 +1300)
commita73177611239a9686d2eef306ba4dfc532f0452d
tree2dc20d4d0070a05606c9fb3709d94431dfa1133a
parent7c859a06957c205d28d9f11117d360bab6cf3780
Bug 18956: Prevent leaking during password recovery

TEST PLAN
---------

It is assumed you have set the OpacResetPassword to 'allowed',
and likely in combination with OpacPasswordChange to 'Allowed'.

You will have two patrons: one with and another without
any email address entered. You will want to test this test plan
with both patrons.

$ git checkout -b bug_18956 origin/master

Prepend the following as understood between step sections:
opac -> forgot password and then enter...

correct login/cardnumber, it will email
delete from borrower_password_recovery;

correct email, it will email
delete from borrower_password_recovery;

correct login/cardnumber && correct email, it will email
delete from borrower_password_recovery;

wrong login/cardnumber && correct email, error page as expected
delete from borrower_password_recovery;

correct login/cardnumber && wrong email, error page as expected
delete from borrower_password_recovery;

wrong login/cardnumber && wrong email, error page as expected
delete from borrower_password_recovery;

submit empty -- INTERNAL SERVER ERROR?!
delete from borrower_password_recovery;

-- None of the above step sections displayed email.

correct login/cardnumber, it will email

correct login/cardnumber again, but it leaks email address!
delete from borrower_password_recovery;

correct email, it will email

correct email again, but it leaks login/cardnumber!
delete from borrower_password_recovery;

$ git bz apply 18956
-- choose interactive, and choose this counter patch.

repeat the same test set again
-- no leaks will occur, error message pages returned should
   be reasonable, code should read reasonably.

run koha qa test tools.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Mason James <mtj@kohaaloha.com>
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-password-recovery.tt
opac/opac-password-recovery.pl