git.koha-community.org Git - koha.git/commit
author    Julian Maurice <julian.maurice@biblibre.com>
          Fri, 12 Apr 2024 13:08:17 +0000 (15:08 +0200)
committer Lucas Gass <lucas@bywatersolutions.com>
          Mon, 30 Sep 2024 15:28:47 +0000 (15:28 +0000)
commit    84054b932cfbc9afc736311efe01ae083341cfe5
tree      8d4f113a0b385e7843432e738109b2db91493a4e
parent    ae84680c4d89eee031ba1bcb02c44db10f93bb9c
Bug 36598: Enable CSRF protection for Mojolicious apps

Test plan:
1. Run bin/opac daemon -l http://*:3001/
2. Go to http://localhost:3001/cgi-bin/koha/opac-user.pl
3. With browser devtools, locate csrf_token hidden input within the
   login form and remove it or modify it
4. Try to submit the form with correct credentials; it should fail
   ("Wrong CSRF token")
5. Reload the page and try to log in normally without modifying the DOM;
   it should succeed
6. Run bin/intranet daemon -l http://*:3002/
7. Go to http://localhost:3002/cgi-bin/koha/mainpage.pl
8. With browser devtools, locate csrf_token hidden input within the
   login form and remove it or modify it
9. Try to submit the form with correct credentials; it should fail
   ("Wrong CSRF token")
10. Reload the page and try to log in normally without modifying the DOM;
    it should succeed
11. Run prove t/db_dependent/mojo/csrf.t

Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
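The check the test plan exercises, as an added example that is not Koha's code: a Mojolicious::Lite app that stores a CSRF token in the signed session, emits it as the hidden csrf_token input, refuses a POST whose token is missing or altered, and a Test::Mojo walk-through of steps 2 to 5. The /login routes, the session secret, the credentials and the 403 body are assumptions for illustration.

```perl
#!/usr/bin/env perl
# Added example, not Koha's code: session-bound CSRF token check in Mojolicious.
use Mojolicious::Lite -signatures;
use Mojo::Util qw(secure_compare);
use Test::More;
use Test::Mojo;

app->secrets(['constructed-example-secret']);    # constructed; rotate in real use

# Gate every route below: only state-changing methods need a valid token.
under sub ($c) {
    return 1 if $c->req->method eq 'GET' || $c->req->method eq 'HEAD';
    my $sent     = $c->param('csrf_token')   // '';
    my $expected = $c->session('csrf_token') // '';
    # Constant-time compare; a session without a token never matches.
    return 1 if length $expected && secure_compare($sent, $expected);
    $c->render(text => 'Wrong CSRF token', status => 403);
    return undef;    # false return stops dispatch before the action runs
};

# The csrf_token helper creates the token and stores it in the session cookie.
get '/login'  => sub ($c) { $c->render(template => 'login') };
post '/login' => sub ($c) { $c->render(text => 'Logged in') };

my $t    = Test::Mojo->new;    # keeps cookies, so the session survives requests
my %cred = (userid => 'user', password => 'pass');    # constructed credentials

# Step 2: load the form and read the hidden token it carries.
$t->get_ok('/login')->status_is(200);
my $token = $t->tx->res->dom->at('input[name=csrf_token]')->attr('value');
ok length $token, 'hidden csrf_token input is present';

# Steps 3 and 4: token removed, then token modified; both are rejected.
$t->post_ok('/login' => form => {%cred})
  ->status_is(403)->content_is('Wrong CSRF token');
$t->post_ok('/login' => form => {%cred, csrf_token => "x$token"})
  ->status_is(403)->content_is('Wrong CSRF token');

# Step 5: untouched form with the session's own token succeeds.
$t->post_ok('/login' => form => {%cred, csrf_token => $token})
  ->status_is(200)->content_is('Logged in');

done_testing;

__DATA__
@@ login.html.ep
<form method="post" action="/login">
  <input type="hidden" name="csrf_token" value="<%= csrf_token %>">
  <input name="userid"> <input type="password" name="password"> <button>Log in</button>
</form>
```

Run it with `prove -v csrf_example.t`; the GET/HEAD exemption means the protection only holds if no state-changing action is reachable through those methods.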
Koha/App/Intranet.pm
Koha/App/Opac.pm
Koha/App/Plugin/CSRF.pm [new file with mode: 0644]
t/db_dependent/mojo/csrf.t [new file with mode: 0755]