From 9d811184fef4c7db64f616bd631991aef503a8a9 Mon Sep 17 00:00:00 2001 From: Kyle M Hall Date: Thu, 13 Dec 2018 14:56:22 -0500 Subject: [PATCH] Bug 21997: SIP patron information requests can lock patron out of account Many SIP services send an empty password field (AD). Even if allow_empty_passwords is enabled for the given SIP account, this empty password is run though Koha's password checker which increments the number of login attempts for a patron. Thus repeated patron information requests can lock a patron out! Empty password fields in SIP should not call for a password check if allow_empty_passwords is enabled. Test Plan: 1) Enable a patron password attempt with a limit of 3 2) Send 4 patron information requests with an empty AD field 3) Note the patron's account is now locked 4) Apply this patch 5) Repeat step 2 with a different patron 6) Note the patron's account does not get locked! Signed-off-by: Charles Farmer Signed-off-by: Martin Renvoize Signed-off-by: Nick Clemens (cherry picked from commit fac2c172143b31255767684e4b22c0ba1ae0aaaf) Signed-off-by: Martin Renvoize --- C4/SIP/Sip/MsgType.pm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/C4/SIP/Sip/MsgType.pm b/C4/SIP/Sip/MsgType.pm index 9ec126ed12..43b02d29ab 100644 --- a/C4/SIP/Sip/MsgType.pm +++ b/C4/SIP/Sip/MsgType.pm @@ -965,9 +965,10 @@ sub handle_patron_info { if ( defined($patron_pwd) ) { # If patron password was provided, report whether it was right or not. - $password_rc = $patron->check_password($patron_pwd); if ( $patron_pwd eq q{} && $server->{account}->{allow_empty_passwords} ) { $password_rc = 1; + } else { + $password_rc = $patron->check_password($patron_pwd); } $resp .= add_field( FID_VALID_PATRON_PWD, sipbool( $password_rc ) ); } -- 2.39.5