]> git.koha-community.org Git - koha.git/commit
Bug 18956: Prevent leaking during password recovery
authorMark Tompsett <mtompset@hotmail.com>
Fri, 25 Aug 2017 19:09:38 +0000 (15:09 -0400)
committerFridolin Somers <fridolin.somers@biblibre.com>
Mon, 23 Oct 2017 12:28:02 +0000 (14:28 +0200)
commit8933e69863a581a799767af4d0a0e1e7b908e238
treec8e2f56294848bb5894f52e7d1407dc348ebd6b3
parent699ac0eba3b9acc057cdcf317a549df9b416d08c
Bug 18956: Prevent leaking during password recovery

TEST PLAN
---------

It is assumed you have set the OpacResetPassword to 'allowed',
and likely in combination with OpacPasswordChange to 'Allowed'.

You will have two patrons: one with and another without
any email address entered. You will want to test this test plan
with both patrons.

$ git checkout -b bug_18956 origin/master

Prepend the following as understood between step sections:
opac -> forgot password and then enter...

correct login/cardnumber, it will email
delete from borrower_password_recovery;

correct email, it will email
delete from borrower_password_recovery;

correct login/cardnumber && correct email, it will email
delete from borrower_password_recovery;

wrong login/cardnumber && correct email, error page as expected
delete from borrower_password_recovery;

correct login/cardnumber && wrong email, error page as expected
delete from borrower_password_recovery;

wrong login/cardnumber && wrong email, error page as expected
delete from borrower_password_recovery;

submit empty -- INTERNAL SERVER ERROR?!
delete from borrower_password_recovery;

-- None of the above step sections displayed email.

correct login/cardnumber, it will email

correct login/cardnumber again, but it leaks email address!
delete from borrower_password_recovery;

correct email, it will email

correct email again, but it leaks login/cardnumber!
delete from borrower_password_recovery;

$ git bz apply 18956
-- choose interactive, and choose this counter patch.

repeat the same test set again
-- no leaks will occur, error message pages returned should
   be reasonable, code should read reasonably.

run koha qa test tools.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-password-recovery.tt
opac/opac-password-recovery.pl