]> git.koha-community.org Git - koha.git/commit
Bug 37040: Prevent ErrorDocument subrequests from activating CSRF
authorDavid Cook <dcook@prosentient.com.au>
Thu, 6 Jun 2024 01:34:23 +0000 (01:34 +0000)
committerLucas Gass <lucas@bywatersolutions.com>
Thu, 27 Jun 2024 16:14:34 +0000 (16:14 +0000)
commitcd7123734e344cafa0deca6318012dd2f8a46bd4
tree22c51e4b248db8338b3e94d76e092e95646f4fc0
parent27ffd9bb8a1c66f2e44a19c6f3cb7365cf70c82c
Bug 37040: Prevent ErrorDocument subrequests from activating CSRF

This change improves the mechanism for preventing the CSRF middleware
being activated by ErrorDocument subrequests.

This change was necessary due to a subtle issue identified by
Bug 37041.

Test plan:
0. Apply the patch
1. Restart Koha
koha-plack --restart kohadev
2. Go to http://localhost:8081/cgi-bin/koha/cataloguing/addbiblio.pl?biblionumber=9908
3. Log in
4. Note that you get a pretty 403 and not an ugly plain text error
5. Go to http://localhost:8081
6. Fill in the login details, but use the HTML inspector to delete
the csrf_token from the hidden inputs
7. Submit the login
8. Note a pretty 403 page

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit c1ac12417612799a0055046e10031943adb02e18)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Koha/Middleware/CSRF.pm