git.koha-community.org Git - koha.git/commit
Bug 36598: Enable CSRF protection for Mojolicious apps
author    Julian Maurice <julian.maurice@biblibre.com>
          Fri, 12 Apr 2024 13:08:17 +0000 (15:08 +0200)
committer Katrin Fischer <katrin.fischer@bsz-bw.de>
          Fri, 18 Oct 2024 10:07:47 +0000 (12:07 +0200)
commit    e61b92c8ddf425a6e5dcc20ddba1adb040c00147
tree      9d69f46d95b2d557f3e477d36fc8ff8f882b7a8a
parent    8269ac3d1e234bebd0e93687c2139a084621929c
Bug 36598: Enable CSRF protection for Mojolicious apps

Test plan:
1. Run bin/opac daemon -l http://*:3001/
2. Go to http://localhost:3001/cgi-bin/koha/opac-user.pl
3. With browser devtools, locate csrf_token hidden input within the
   login form and remove it or modify it
4. Try to submit the form with correct credentials; it should fail
   ("Wrong CSRF token")
5. Reload the page and try to log in normally without modifying the DOM;
   it should succeed
6. Run bin/intranet daemon -l http://*:3002/
7. Go to http://localhost:3002/cgi-bin/koha/mainpage.pl
8. With browser devtools, locate csrf_token hidden input within the
   login form and remove it or modify it
9. Try to submit the form with correct credentials; it should fail
   ("Wrong CSRF token")
10. Reload the page and try to log in normally without modifying the DOM;
    it should succeed
11. Run prove t/db_dependent/mojo/csrf.t

Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Koha/App/Intranet.pm
Koha/App/Opac.pm
Koha/App/Plugin/CSRF.pm [new file with mode: 0644]
t/db_dependent/mojo/csrf.t [new file with mode: 0755]
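The behaviour the test plan exercises (a login form that carries a `csrf_token` hidden input, and a server that answers "Wrong CSRF token" when that input is removed or altered) can be reproduced outside Koha with Mojolicious' built-in helpers. The following is an added example, not Koha's code and not the `Koha/App/Plugin/CSRF.pm` plugin from this commit: a stand-alone Mojolicious::Lite application that gates every state-changing request behind `Validation->csrf_protect`, using the `csrf_token` helper to issue the token from the signed session. The route names, the demo credentials and the session secret are constructed for the example.

```perl
#!/usr/bin/env perl
# Added example (not Koha code): a stand-alone Mojolicious::Lite app that
# rejects any state-changing request whose csrf_token does not match the
# token kept in the signed session. Route names, demo credentials and the
# session secret below are constructed for this example.
use Mojolicious::Lite;

# The csrf_token helper stores the token in the session cookie, which is
# signed with these secrets; replace the placeholder before real use.
app->secrets(['constructed-example-secret']);

# Keep the session cookie out of cross-site subrequests (Lax is the
# Mojolicious default; set explicitly so the intent is visible).
app->sessions->samesite('Lax');

# Gate every route below this point: safe methods pass through, anything
# else must present a csrf_token (form field or X-CSRF-Token header) equal
# to the session token, otherwise the request is answered with 403 and
# routing stops (a false return value from "under" breaks the chain).
under sub {
    my $c = shift;
    return 1 if $c->req->method =~ /^(?:GET|HEAD|OPTIONS)$/;
    return 1 unless $c->validation->csrf_protect->has_error('csrf_token');
    $c->render(text => 'Wrong CSRF token', status => 403);
    return undef;
};

# Login form; the template embeds the current token as a hidden input.
get '/login' => 'login';

# Login submission; reaching this handler means the CSRF check passed.
post '/login' => sub {
    my $c = shift;
    my $v = $c->validation;
    $v->required('userid')->like(qr/^\w+$/);
    $v->required('password');
    return $c->render(text => 'Missing credentials', status => 400)
      if $v->has_error;

    # Constructed credential check standing in for a real account store.
    my $ok = $c->param('userid') eq 'demo'
          && $c->param('password') eq 'demo-password';
    return $c->render(text => 'Login failed', status => 401) unless $ok;

    $c->session(userid => $c->param('userid'));
    $c->render(text => 'Logged in as ' . $c->param('userid'));
};

app->start;

__DATA__

@@ login.html.ep
<form method="post" action="/login">
  %# csrf_token reads the session token, creating one on first use
  <input type="hidden" name="csrf_token" value="<%= csrf_token %>">
  <label>User ID <input type="text" name="userid"></label>
  <label>Password <input type="password" name="password"></label>
  <button type="submit">Log in</button>
</form>
```

Run it with `perl csrf_demo.pl daemon -l http://*:3001/` and open `/login`. Submitting the untouched form with `demo` / `demo-password` logs in; deleting or editing the hidden `csrf_token` input in the browser's devtools, or replaying the POST without the session cookie, gets a 403 with the body "Wrong CSRF token", which is the same pass/fail pair the test plan checks against Koha's OPAC and intranet login forms. Because the check lives in an `under` route rather than in each handler, a newly added POST route cannot forget it.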