From 07ce7d8d3b3d3144ce088729e2b402cc6eaeeba5 Mon Sep 17 00:00:00 2001
From: Matthias Meusburger <matthias.meusburger@biblibre.com>
Date: Fri, 5 Feb 2010 12:00:15 +0100
Subject: [PATCH] Bug 5995 : MT2892: Fix security issue in CAS intranet login

Users could log in intranet using their cardnumber, with superlibrarian
rights.

Signed-off-by: Ian Walls <ian.walls@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
---
 C4/Auth.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index 57d9880b6f..b33f677428 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -750,7 +750,7 @@ sub checkauth {
 		    $info{'invalidCasLogin'} = 1 unless ($return);
         	} else {
 		    my $retuserid;
-		    ( $return, $cardnumber, $retuserid ) = checkpw( $dbh, $userid, $password, $query );
+		    ( $return, $retuserid ) = checkpw( $dbh, $userid, $password, $query );
 		    $userid = $retuserid if ($retuserid ne '');
 		}
 		if ($return) {
@@ -1452,7 +1452,7 @@ sub checkpw {
 
             C4::Context->set_userenv( "$borrowernumber", $userid, $cardnumber,
                 $firstname, $surname, $branchcode, $flags );
-            return 1, $cardnumber, $userid;
+            return 1, $userid;
         }
     }
     $sth =
-- 
2.39.5