git.koha-community.org Git - koha.git/commit

author	MJ Ray <mjr@phonecoop.coop>
	Wed, 3 Mar 2021 17:54:42 +0000 (17:54 +0000)
committer	Arthur Suzuki <arthur.suzuki@biblibre.com>
	Wed, 12 Oct 2022 13:08:57 +0000 (15:08 +0200)
commit	cb12e41de150090704229d2170262b9dd8fe15bf
tree	f9c9e06498003a883d17797bf48d61bd089e5f9c	tree \| snapshot
parent	b2c9d74ec7f32db82dc14d42a66238d5c23d8641	commit \| diff

Bug 27849: Koha::Token may access undefined C4::Context->userenv

The _add_default_csrf_params internal function accesses
C4::Context->userenv without checking that it has been defined. I think
not all of the potential callers of it declare that they require a
defined userenv, so we should test and provide defaults for required
values if it is not defined, to avoid some "Can't use an undefined value
as a HASH reference" HTTP 500 Internal Server Errors.

To test:

Do anything that requires a form with CSRF token, such as editing your
details. Behaviour should be unchanged. To test the failure case, you
would need some customised code that indirectly generates a CSRF token
before setting the userenv up and I am not sure there is any in released
Koha yet.

Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de>
Looks good to me. Working as expected.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 8c45fe1aaa54fd9d6ff84617df0bb94b4cfbbb12)

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit a48cf3c941dbd406f3791a8e29c58853e2b80ba1)
Signed-off-by: Arthur Suzuki <arthur.suzuki@biblibre.com>