From 2470e225d8791d1b87daaebde2591caab6427d49 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Wed, 15 Mar 2017 14:52:49 -0300
Subject: [PATCH] Bug 18275: Do not rely on CGI param userid to log a user in if auth is not required

From opac/opac-memberentry.pl, authnotrequired is set.
That means a patron can access the page without being logged in.
It is used on this page for the self registration feature.

From C4::Auth::get_template_and_user, we have
  $userid = $q_userid;
$q_userid is previously set to the 'userid' CGI param.
We end up here if authonotrequired is set AND CGISESSID does not exist.

Test plan:
- Run:
  $ prove t/db_dependent/Auth.t
=> FAIL: Regression test for checkauth fails
- Apply this patch
- Run:
  $ prove t/db_dependent/Auth.t
=> SUCCESS: Tests pass.
- Sign off :-D

Signed-off-by: Kyle M Hall
Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Kyle M Hall
---
 C4/Auth.pm | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index 20d64a56ae..5dcf1cdd78 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -914,14 +914,13 @@ sub checkauth {
                 -value    => $session->id,
                 -HttpOnly => 1
             );
-            $userid = $q_userid;
             my $pki_field = C4::Context->preference('AllowPKIAuth');
             if ( !defined($pki_field) ) {
                 print STDERR "ERROR: Missing system preference AllowPKIAuth.\n";
                 $pki_field = 'None';
             }
             if ( ( $cas && $query->param('ticket') )
-                || $userid
+                || $q_userid
                 || ( $shib && $shib_login )
                 || $pki_field ne 'None' )
             {
@@ -935,7 +934,7 @@ sub checkauth {
                     my $retuserid;

                     # Do not pass password here, else shib will not be checked in checkpw.
-                    ( $return, $cardnumber, $retuserid ) = checkpw( $dbh, $userid, undef, $query );
+                    ( $return, $cardnumber, $retuserid ) = checkpw( $dbh, $q_userid, undef, $query );
                     $userid = $retuserid;
                     $shibSuccess = $return;
                     $info{'invalidShibLogin'} = 1 unless ($return);
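Review bot: The removed seed `$userid = $q_userid;` is the whole security fix, yet nothing in the new code records why `$userid` must stay unset at this point, so a later refactor can reintroduce the same bypass without tripping anything but the regression test; I would leave a comment where the assignment was, `# Never seed $userid from the 'userid' CGI param here: it is untrusted until checkpw() confirms it (bug 18275).` The new condition `|| $q_userid` only gates entry into the credential-check branch, which is fine, but any read of `$userid` between this hunk and the checkpw() calls now sees the freshly created session's value (presumably undef) rather than the query parameter, so those reads deserve a look. checkauth begins before this hunk and ends after it.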
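Review bot: The Shibboleth branch still hands the raw CGI value `$q_userid` to `checkpw( $dbh, $q_userid, undef, $query )`, even though the identity in this branch comes from `$shib_login`; the comment above it says the undef password is what makes checkpw take the shib path, so if checkpw can fall back to a lookup by the userid argument when shib matching fails, the unverified parameter is still reachable from here. checkpw is outside this hunk, so this is a point to confirm there rather than a defect I can see. The unconditional `$userid = $retuserid;` that follows is good: a failed check leaves `$userid` with whatever checkpw returned rather than a caller-supplied name.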
@@ -986,7 +985,7 @@ sub checkauth {
                 else {
                     my $retuserid;
                     ( $return, $cardnumber, $retuserid ) =
-                      checkpw( $dbh, $userid, $password, $query, $type );
+                      checkpw( $dbh, $q_userid, $password, $query, $type );
                     $userid = $retuserid if ($retuserid);
                     $info{'invalid_username_or_password'} = 1 unless ($return);
                 }
@@ -1131,7 +1130,7 @@ sub checkauth {
                     $session->param( 'ip', $session->remote_addr() );
                     $session->param( 'sessiontype', 'anon' );
                 }
-            } # END if ( $userid = $query->param('userid') )
+            } # END if ( $q_userid
             elsif ( $type eq "opac" ) {

                 # if we are here this is an anonymous session; add public lists to it and a few other items...
-- 
2.39.5
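Review bot: The password branch keeps `$userid = $retuserid if ($retuserid);`, which on a failed checkpw leaves `$userid` holding whatever it held before, whereas the Shibboleth branch in the earlier hunk assigns `$userid = $retuserid;` unconditionally. With the seed from `$q_userid` removed the prior value here is presumably undef, so the guard is now redundant rather than wrong, but the two branches should state the same invariant; `$userid = $retuserid;` here would do that, and the regression test in t/db_dependent/Auth.t could assert that `$userid` is undef after a failed login. The enclosing if/else chain starts and ends outside this hunk.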
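Review bot: The rewritten trailing comment `} # END if ( $q_userid` is cut off mid-expression (no closing parenthesis) and names only one of the four alternatives of the condition it appears to close, so it is no more accurate than the stale `$userid = $query->param('userid')` text it replaces. If this brace does close the condition opened in the first hunk — the matching brace is outside this hunk, so I infer it from the indentation — I would write `} # END if ( ( $cas && ticket ) || $q_userid || ( $shib && $shib_login ) || $pki_field ne 'None' )`. A comment that misstates a 200-line authentication block's condition is worse than no comment, since readers will trust it over scrolling back.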