git.koha-community.org Git - koha.git/commit

author	Magnus Enger <magnus@libriotech.no>
	Fri, 6 Sep 2019 07:54:04 +0000 (09:54 +0200)
committer	Lucas Gass <lucas@bywatersolutions.com>
	Fri, 22 Nov 2019 17:32:02 +0000 (17:32 +0000)
commit	1d27831bcc648c223a676ec6f0ebb7f892758ec1
tree	9e7b255df08a80d454c30796768689dd64b2b8aa	tree \| snapshot
parent	c2ba205097bb4dcfda42713f39debc73716c6e5b	commit \| diff

Bug 22543: Prevent "back and refresh attack"

To reproduce and test:
- Log into the OPAC, you are taken to /cgi-bin/koha/opac-user.pl
- Log out, you are taken to /cgi-bin/koha/opac-main.pl?logout.x=1
- Click "Back", you are taken to /cgi-bin/koha/opac-user.pl
- Reload the page, you see an error like "Confirm new submission
  of form"
- Reload the page again and confirm the submission of the form
- You are now logged in to the OPAC again!
- Log out again
- Apply this patch
- Log in to the OPAC, you are taken to /cgi-bin/koha/opac-user.pl
- Log out, you are taken to /cgi-bin/koha/opac-main.pl?logout.x=1
- Click back, you are taken to /cgi-bin/koha/opac-user.pl
- No matter how many times you reload /cgi-bin/koha/opac-user.pl,
  you should not see anything other than the login form.
- Check that Self Check Out still works as it should, by making
  sure you have a user with self_check permissions, then setting
  WebBasedSelfCheck, AutoSelfCheckAllowed, AutoSelfCheckID and
  AutoSelfCheckPass appropriately. Then visit
  /cgi-bin/koha/sco/sco-main.pl and verify everything works as
  expected.

The messages and errors pages you see related to resubmitting the
form might differ from the ones described here, depending on what
browser you use. I tested in Chromium 76.0.x.

This fix was originally proposed by LMSCloud:
https://github.com/LMSCloud/Koha-LMSCloud/commit/74a7fe0f0c5b2ce0d65bd26452c6dcaf0a7f65ad

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>