]> git.koha-community.org Git - koha.git/commit
Bug 18956: Prevent leaking during password recovery
authorMark Tompsett <mtompset@hotmail.com>
Fri, 25 Aug 2017 19:09:38 +0000 (15:09 -0400)
committerKatrin Fischer <katrin.fischer.83@web.de>
Sun, 22 Oct 2017 21:41:55 +0000 (21:41 +0000)
commit0e2472abaf7d17e86b27b3e9211ff32ab4e526f6
treec8f3ee64dbdb6a1eec31940c9380172ae743b364
parent8435688b2c3d35ed0ee5375841f8d17ab1c3d89c
Bug 18956: Prevent leaking during password recovery

TEST PLAN
---------

It is assumed you have set the OpacResetPassword to 'allowed',
and likely in combination with OpacPasswordChange to 'Allowed'.

You will have two patrons: one with and another without
any email address entered. You will want to test this test plan
with both patrons.

$ git checkout -b bug_18956 origin/master

Prepend the following as understood between step sections:
opac -> forgot password and then enter...

correct login/cardnumber, it will email
delete from borrower_password_recovery;

correct email, it will email
delete from borrower_password_recovery;

correct login/cardnumber && correct email, it will email
delete from borrower_password_recovery;

wrong login/cardnumber && correct email, error page as expected
delete from borrower_password_recovery;

correct login/cardnumber && wrong email, error page as expected
delete from borrower_password_recovery;

wrong login/cardnumber && wrong email, error page as expected
delete from borrower_password_recovery;

submit empty -- INTERNAL SERVER ERROR?!
delete from borrower_password_recovery;

-- None of the above step sections displayed email.

correct login/cardnumber, it will email

correct login/cardnumber again, but it leaks email address!
delete from borrower_password_recovery;

correct email, it will email

correct email again, but it leaks login/cardnumber!
delete from borrower_password_recovery;

$ git bz apply 18956
-- choose interactive, and choose this counter patch.

repeat the same test set again
-- no leaks will occur, error message pages returned should
   be reasonable, code should read reasonably.

run koha qa test tools.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-password-recovery.tt
opac/opac-password-recovery.pl