From 6c1da551eae66936837c368cae88845a7ab9a686 Mon Sep 17 00:00:00 2001
From: Galen Charlton
Date: Tue, 15 Jan 2013 21:45:00 -0800
Subject: [PATCH] bug 9401: remove direct reads of CGISESSID cookie by JavaScript

Having embedded JavaScript read the session cookie directly is unnecessary and prevents the CGISESSID cookie being marked httpOnly as a security measure. The only Koha JS attempting this was the AJAX tags code.

To test:
- In general, verify that there are no regression withs adding tags in the OPAC or reviewing them in the staff interface.
- In specific, for the OPAC
- log into the OPAC
- retrieve a bib record
- add a tag
- refresh the bib details page to verify that the tag was added
- make sure the TagsInputOnList syspref is on
- perform a search
- add a tag to more than one record from the search results page
- repeat the preceding using the CCSR theme
- And in the staff interface
- Go to the review tags tool
- Reject a tag
- Refresh to verify that the tag was rejected

Signed-off-by: Galen Charlton
Signed-off-by: Marcel de Rooy
Signed-off-by: Jared Camins-Esakov
---
 .../prog/en/modules/tags/review.tt | 14 ++----------
 koha-tmpl/opac-tmpl/ccsr/en/js/tags.js | 20 +++----------------
 koha-tmpl/opac-tmpl/prog/en/js/tags.js | 20 +++----------------
 opac/opac-tags.pl | 2 +-
 tags/review.pl | 2 +-
 5 files changed, 10 insertions(+), 48 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/tags/review.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/tags/review.tt
index e4af5b0fb9..e1dc69847f 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/tags/review.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tags/review.tt
@@ -73,16 +73,6 @@ td input,td input[type="submit"] { font-size: 85%; padding: 1px; }
 $('#test_button').removeAttr("disabled");
 $('#test_button').attr("value","test");
 };
- function readCookie(name) { // from http://www.quirksmode.org/js/cookies.html
- var nameEQ = name + "=";
- var ca = document.cookie.split(';');
- for(var i=0;i < ca.length;i++) {
- var c = ca[i];
- while (c.charAt(0)==' '){ c = c.substring(1,c.length); }
- if (c.indexOf(nameEQ) == 0){ return c.substring(nameEQ.length,c.length); }
- }
- return null;
- }
 $(document).ready(function() {
 $('.ajax_buttons' ).css({visibility:"visible"});
 $("p.check").html(""+_("Select:")+" <\/strong>"+_("All")+"<\/a> "+_("Pending")+"<\/a> "+_("None")+"<\/a>");
@@ -103,7 +93,7 @@ td input,td input[type="submit"] { font-size: 85%; padding: 1px; }
 // window.alert(_("Click detected on ") + event.target + ": " + $(event.target).html);
 if ($(event.target).is('.ok')) {
 $.ajax({
- "data": {ok: $(event.target).attr("title"), CGISESSID: readCookie('CGISESSID')},
+ "data": {ok: $(event.target).attr("title")},
 "success": count_approve // success_approve
 });
 $(event.target).next(".rej").removeAttr("disabled").attr("value","Reject").css("color","#000");
@@ -112,7 +102,7 @@ td input,td input[type="submit"] { font-size: 85%; padding: 1px; }
 }
 if ($(event.target).is('.rej')) {
 $.ajax({
- "data": {rej: $(event.target).attr("title"), CGISESSID: readCookie('CGISESSID')},
+ "data": {rej: $(event.target).attr("title")},
 "success": count_reject // success_reject
 });
 $(event.target).prev(".ok").removeAttr("disabled").attr("value","Approve").css("color","#000");
diff --git a/koha-tmpl/opac-tmpl/ccsr/en/js/tags.js b/koha-tmpl/opac-tmpl/ccsr/en/js/tags.js
index cffd4bf8a5..5690082ceb 100644
--- a/koha-tmpl/opac-tmpl/ccsr/en/js/tags.js
+++ b/koha-tmpl/opac-tmpl/ccsr/en/js/tags.js
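Review bot: In the second and third hunks the sibling button is re-enabled synchronously right after `$.ajax({...})` is fired (`$(event.target).next(".rej").removeAttr("disabled")...` and the matching `.prev(".ok")` line), so the page shows the approve/reject as done before the server has answered, and a rejected request — including one whose session cookie has lapsed, now that the cookie is the only credential sent — is never surfaced because no `"error"` callback is registered. This predates the commit, but the commit rewrites exactly these calls. Moving the re-enable into count_approve/count_reject, or adding `"error": function(){ $(event.target).removeAttr("disabled").attr("value","Error"); }` beside `"success"`, would make a failed approve/reject visible to the librarian. The click handler enclosing these calls starts and ends outside the hunks.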
@@ -4,8 +4,6 @@ if (typeof KOHA == "undefined" || !KOHA) {
 /**
 * A namespace for Tags related functions.
-* readCookie is expected to already be declared. That's why the assignment below is unscoped.
-* readCookie should be from basket.js or undefined.
 $.ajaxSetup({
 url: "/cgi-bin/koha/opac-tags.pl",
@@ -13,24 +11,12 @@ $.ajaxSetup({
 dataType: "script"
 });
 */
-if (typeof(readCookie) == "undefined") {
- readCookie = function (name) { // from http://www.quirksmode.org/js/cookies.html
- var nameEQ = name + "=";
- var ca = document.cookie.split(';');
- for (var i=0;i < ca.length;i++) {
- var c = ca[i];
- while (c.charAt(0)==' '){ c = c.substring(1,c.length); }
- if (c.indexOf(nameEQ) == 0){ return c.substring(nameEQ.length,c.length); }
- }
- return null;
- }
-}
 KOHA.Tags = {
 add_tag_button: function(bibnum, tag){
 var mynewtag = "newtag" + bibnum;
 var mytagid = "#" + mynewtag;
- var mydata = {CGISESSID: readCookie('CGISESSID')}; // Someday this should be OPACSESSID
- mydata[mynewtag] = tag; // need [bracket] for variable property id
+ var mydata = {};
+ mydata[mynewtag] = tag;
 var response; // AJAX from server will assign value to response.
 $.post(
 "/cgi-bin/koha/opac-tags.pl",
@@ -83,7 +69,7 @@ KOHA.Tags = {
 // Used to tag multiple items at once. The main difference
 // is that status is displayed on a per item basis.
 add_multitags_button : function(bibarray, tag){
- var mydata = {CGISESSID: readCookie('CGISESSID')}; // Someday this should be OPACSESSID
+ var mydata = {};
 for (var i = 0; i < bibarray.length; i++) {
 var mynewtag = "newtag" + bibarray[i];
 mydata[mynewtag] = tag;
diff --git a/koha-tmpl/opac-tmpl/prog/en/js/tags.js b/koha-tmpl/opac-tmpl/prog/en/js/tags.js
index f28747faa1..adb2acfff6 100644
--- a/koha-tmpl/opac-tmpl/prog/en/js/tags.js
+++ b/koha-tmpl/opac-tmpl/prog/en/js/tags.js
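Review bot: The second hunk drops the comment `// need [bracket] for variable property id` together with the cookie lookup, yet the kept line `mydata[mynewtag] = tag;` still depends on bracket syntax for its computed key, so that note is worth keeping. More useful still would be recording the new contract in the namespace header touched by the first hunk, e.g. `* Authentication is carried by the browser's CGISESSID session cookie on the same-origin POST; this file must not read document.cookie (bug 9401).`, so that a cookie reader is not reintroduced once the cookie is marked httpOnly. Both points apply verbatim to the identical hunks in koha-tmpl/opac-tmpl/prog/en/js/tags.js below. The KOHA.Tags object literal and both functions continue outside the hunks.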
@@ -4,8 +4,6 @@ if (typeof KOHA == "undefined" || !KOHA) {
 /**
 * A namespace for Tags related functions.
-* readCookie is expected to already be declared. That's why the assignment below is unscoped.
-* readCookie should be from basket.js or undefined.
 $.ajaxSetup({
 url: "/cgi-bin/koha/opac-tags.pl",
@@ -13,24 +11,12 @@ $.ajaxSetup({
 dataType: "script"
 });
 */
-if (typeof(readCookie) == "undefined") {
- readCookie = function (name) { // from http://www.quirksmode.org/js/cookies.html
- var nameEQ = name + "=";
- var ca = document.cookie.split(';');
- for (var i=0;i < ca.length;i++) {
- var c = ca[i];
- while (c.charAt(0)==' '){ c = c.substring(1,c.length); }
- if (c.indexOf(nameEQ) == 0){ return c.substring(nameEQ.length,c.length); }
- }
- return null;
- }
-}
 KOHA.Tags = {
 add_tag_button: function(bibnum, tag){
 var mynewtag = "newtag" + bibnum;
 var mytagid = "#" + mynewtag;
- var mydata = {CGISESSID: readCookie('CGISESSID')}; // Someday this should be OPACSESSID
- mydata[mynewtag] = tag; // need [bracket] for variable property id
+ var mydata = {};
+ mydata[mynewtag] = tag;
 var response; // AJAX from server will assign value to response.
 $.post(
 "/cgi-bin/koha/opac-tags.pl",
@@ -83,7 +69,7 @@ KOHA.Tags = {
 // Used to tag multiple items at once. The main difference
 // is that status is displayed on a per item basis.
 add_multitags_button : function(bibarray, tag){
- var mydata = {CGISESSID: readCookie('CGISESSID')}; // Someday this should be OPACSESSID
+ var mydata = {};
 for (var i = 0; i < bibarray.length; i++) {
 var mynewtag = "newtag" + bibarray[i];
 mydata[mynewtag] = tag;
diff --git a/opac/opac-tags.pl b/opac/opac-tags.pl
index 3cf1f53e8d..d9f9f3c3fd 100755
--- a/opac/opac-tags.pl
+++ b/opac/opac-tags.pl
@@ -58,7 +58,7 @@ sub ajax_auth_cgi { # returns CGI object
 my $needed_flags = shift;
 my %cookies = fetch CGI::Cookie;
 my $input = CGI->new;
- my $sessid = $cookies{'CGISESSID'}->value || $input->param('CGISESSID');
+ my $sessid = $cookies{'CGISESSID'}->value;
 my ($auth_status, $auth_sessid) = check_cookie_auth($sessid, $needed_flags);
 $debug and
 print STDERR "($auth_status, $auth_sessid) = check_cookie_auth($sessid," . Dumper($needed_flags) . ")\n";
diff --git a/tags/review.pl b/tags/review.pl
index 23e4cd84df..3b7a0a0b43 100755
--- a/tags/review.pl
+++ b/tags/review.pl
@@ -41,7 +41,7 @@ sub ajax_auth_cgi ($) { # returns CGI object
 my $needed_flags = shift;
 my %cookies = fetch CGI::Cookie;
 my $input = CGI->new;
- my $sessid = $cookies{'CGISESSID'}->value || $input->param('CGISESSID');
+ my $sessid = $cookies{'CGISESSID'}->value;
 my ($auth_status, $auth_sessid) = check_cookie_auth($sessid, $needed_flags);
 $debug and
 print STDERR "($auth_status, $auth_sessid) = check_cookie_auth($sessid," . Dumper($needed_flags) . ")\n";
-- 
2.39.5
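Review bot: `my $sessid = $cookies{'CGISESSID'}->value;` calls a method on whatever `fetch CGI::Cookie` stored under that key, so a request that carries no CGISESSID cookie (e.g. an anonymous OPAC visitor clicking the tag button) dies with a method-call-on-undef error before `check_cookie_auth` can return a clean auth failure; the removed `||` fallback never guarded this either, but the commit makes the cookie the sole credential path. Something like `my $sessid = $cookies{'CGISESSID'} ? $cookies{'CGISESSID'}->value : undef;` lets `check_cookie_auth` decide, assuming it tolerates an undef session id — worth confirming. The same line and the same point apply to the tags/review.pl hunk, where `fetch CGI::Cookie` is also indirect-object syntax that reads more safely as `CGI::Cookie->fetch`. Note that the debug line following it writes the session id to STDERR, so that log output should be handled as sensitive. Both ajax_auth_cgi bodies continue outside the hunks.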