From da9006b20dc7439259043822902e05d392df7351 Mon Sep 17 00:00:00 2001
From: David Cook
Date: Thu, 24 Dec 2020 01:24:08 +0000
Subject: [PATCH] Bug 21325: Prevent authentication when sending userid and password in querystring
This patch permits authentication via userid/password only when the HTTP method is POST when using C4::Auth::checkauth(). The goal is to stop people from supplying userid and password in querystrings in order to log into web pages. Test plan: 0. Do not apply patch yet 1. Open a new browser (ie we don't want any existing CGISESSID cookies available - opening a new tab/window isn't enough. It must be a new instance or you can clear your cookies) 2. Go to http://localhost:8080/cgi-bin/koha/opac-reserve.pl?biblionumber=29&userid=koha&password=koha 3. Note the user has been logged in and is being asked to confirm hold. 4. Apply the patch 5. Go to http://localhost:8080/cgi-bin/koha/opac-reserve.pl?biblionumber=29&userid=koha&password=koha 6. Note the user is not logged in and the user is presented with a login screen
Signed-off-by: Owen Leonard
Signed-off-by: Marcel de Rooy
Signed-off-by: Jonathan Druart
---
 C4/Auth.pm | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/C4/Auth.pm b/C4/Auth.pm
index 8368dd82ff..1d79561533 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -1093,10 +1093,13 @@ sub checkauth {
 } else {
 my $retuserid;
- ( $return, $cardnumber, $retuserid, $cas_ticket ) =
- checkpw( $dbh, $q_userid, $password, $query, $type );
- $userid = $retuserid if ($retuserid);
- $info{'invalid_username_or_password'} = 1 unless ($return);
+ my $request_method = $query->request_method();
+ if ($request_method eq 'POST'){
+ ( $return, $cardnumber, $retuserid, $cas_ticket ) =
+ checkpw( $dbh, $q_userid, $password, $query, $type );
+ $userid = $retuserid if ($retuserid);
+ $info{'invalid_username_or_password'} = 1 unless ($return);
+ }
 }
 }
-- 
2.39.5
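Review bot: The new `if` around `checkpw` drops credentials that arrive with a non-POST method without leaving any trace: in that branch `$return` is left unset by this code and `$info{'invalid_username_or_password'}` is never set, so the caller falls through to the login form exactly as if no credentials had been supplied, and nothing in the hunk records why. A comment on the `if` would keep the intent readable, e.g. `# Accept userid/password only from a POST body: credentials in a GET query string end up in browser history, Referer headers and web server logs.` Consider also emitting a warning (without the password) when a userid/password pair is present on a non-POST request, so that rejected attempts are distinguishable in the logs from ordinary visits to the login page. Style-wise, `my $request_method = $query->request_method(); if ($request_method eq 'POST'){` can be folded into `if ( $query->request_method() eq 'POST' ) {`, which also matches the spacing of the surrounding code. checkauth continues on both sides of this hunk, so where `$q_userid` and `$password` are read from the request, and whether they are used elsewhere in the sub, is not visible here.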