From 07ce7d8d3b3d3144ce088729e2b402cc6eaeeba5 Mon Sep 17 00:00:00 2001
From: Matthias Meusburger
Date: Fri, 5 Feb 2010 12:00:15 +0100
Subject: [PATCH] Bug 5995 : MT2892: Fix security issue in CAS intranet login

Users could log in intranet using their cardnumber, with superlibrarian rights.

Signed-off-by: Ian Walls
Signed-off-by: Chris Cormack
Signed-off-by: Chris Nighswonger
---
 C4/Auth.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index 57d9880b6f..b33f677428 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -750,7 +750,7 @@ sub checkauth {
 $info{'invalidCasLogin'} = 1 unless ($return);
 } else {
 my $retuserid;
- ( $return, $cardnumber, $retuserid ) = checkpw( $dbh, $userid, $password, $query );
+ ( $return, $retuserid ) = checkpw( $dbh, $userid, $password, $query );
 $userid = $retuserid if ($retuserid ne '');
 }
 if ($return) {
@@ -1452,7 +1452,7 @@ sub checkpw {
 C4::Context->set_userenv( "$borrowernumber", $userid, $cardnumber, $firstname, $surname, $branchcode, $flags );
- return 1, $cardnumber, $userid;
+ return 1, $userid;
 }
 }
 $sth =
-- 
2.39.5
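Review bot: The list assignment on the `+` line of the checkauth hunk now expects exactly two values from checkpw, but only one of checkpw's return statements is in view (the second hunk, whose body continues past `$sth =`); any other `return 1, $cardnumber, $userid;` still present in checkpw would put the card number into `$retuserid` and, through the next context line, into `$userid` — the same identity mix-up this commit is fixing. It is worth auditing every return path in checkpw for the two-element shape and pinning the contract with a comment above the changed return, e.g. `# On success return exactly (1, $userid); checkauth list-assigns two values.` Separately, the unchanged line `$userid = $retuserid if ($retuserid ne '');` will warn under `use warnings` if checkpw yields fewer than two values on failure, so `$userid = $retuserid if ( defined $retuserid && $retuserid ne '' );` is the quieter form. Both enclosing subs, checkauth and checkpw, start and end outside the hunks.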