git.koha-community.org Git - koha.git/commit

author	Julian Maurice <julian.maurice@biblibre.com>
	Fri, 12 Apr 2024 13:08:17 +0000 (15:08 +0200)
committer	Katrin Fischer <katrin.fischer@bsz-bw.de>
	Fri, 18 Oct 2024 10:07:47 +0000 (12:07 +0200)
commit	e61b92c8ddf425a6e5dcc20ddba1adb040c00147
tree	9d69f46d95b2d557f3e477d36fc8ff8f882b7a8a	tree \| snapshot
parent	8269ac3d1e234bebd0e93687c2139a084621929c	commit \| diff

Bug 36598: Enable CSRF protection for Mojolicious apps

Test plan:
1. Run bin/opac daemon -l http://*:3001/
2. Go to http://localhost:3001/cgi-bin/koha/opac-user.pl
3. With browser devtools, locate csrf_token hidden input within the
   login form and remove it or modify it
4. Try to submit the form with correct credentials, it should fail
   ("Wrong CSRF token")
5. Reload the page, try to log in normally without modifying the DOM, it
   should succeed
6. Run bin/intranet daemon -l http://*:3002/
7. Go to http://localhost:3002/cgi-bin/koha/mainpage.pl
8. With browser devtools, locate csrf_token hidden input within the
   login form and remove it or modify it
9. Try to submit the form with correct credentials, it should fail
   ("Wrong CSRF token")
10. Reload the page, try to log in normally without modifying the DOM,
    it should succeed
11. Run prove t/db_dependent/mojo/csrf.t

Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>

Koha/App/Intranet.pm		diff \| blob \| history
Koha/App/Opac.pm		diff \| blob \| history
Koha/App/Plugin/CSRF.pm	[new file with mode: 0644]	blob
t/db_dependent/mojo/csrf.t	[new file with mode: 0755]	blob