From cb12e41de150090704229d2170262b9dd8fe15bf Mon Sep 17 00:00:00 2001 From: MJ Ray Date: Wed, 3 Mar 2021 17:54:42 +0000 Subject: [PATCH] Bug 27849: Koha::Token may access undefined C4::Context->userenv The _add_default_csrf_params internal function accesses C4::Context->userenv without checking that it has been defined. I think not all of the potential callers of it declare that they require a defined userenv, so we should test and provide defaults for required values if it is not defined, to avoid some "Can't use an undefined value as a HASH reference" HTTP 500 Internal Server Errors. To test: Do anything that requires a form with CSRF token, such as editing your details. Behaviour should be unchanged. To test the failure case, you would need some customised code that indirectly generates a CSRF token before setting the userenv up and I am not sure there is any in released Koha yet. Signed-off-by: Paul Derscheid Looks good to me. Working as expected. Signed-off-by: Marcel de Rooy Signed-off-by: Tomas Cohen Arazi (cherry picked from commit 8c45fe1aaa54fd9d6ff84617df0bb94b4cfbbb12) Signed-off-by: Lucas Gass (cherry picked from commit a48cf3c941dbd406f3791a8e29c58853e2b80ba1) Signed-off-by: Arthur Suzuki --- Koha/Token.pm | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Koha/Token.pm b/Koha/Token.pm index f4334a7223..866bfc3ae4 100644 --- a/Koha/Token.pm +++ b/Koha/Token.pm @@ -214,7 +214,11 @@ sub _add_default_csrf_params { my ( $params ) = @_; $params->{session_id} //= ''; if( !$params->{id} ) { - $params->{id} = Encode::encode( 'UTF-8', C4::Context->userenv->{id} . $params->{session_id} ); + if( defined( C4::Context->userenv ) ) { + $params->{id} = Encode::encode( 'UTF-8', C4::Context->userenv->{id} . $params->{session_id} ); + } else { + $params->{id} = Encode::encode( 'UTF-8', $params->{session_id} ); + } } else { $params->{id} .= $params->{session_id}; } -- 2.39.5
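Review bot: In the new `else` branch of `_add_default_csrf_params`, when `C4::Context->userenv` is undefined and `$params->{session_id}` has just been defaulted to `''` two lines earlier, `$params->{id}` becomes the empty string, so the token is derived from no caller-specific value at all; the change does turn the "Can't use an undefined value as a HASH reference" 500 into a silent success, but that silence hides exactly the misordered-call situation the commit message describes (a token generated before userenv is set up). Consider emitting a warning in that branch, e.g. `warn "CSRF token requested before userenv was set"` before `$params->{id} = Encode::encode( 'UTF-8', $params->{session_id} );`, so the condition is visible in the logs, and add a unit test that calls the function with userenv undefined, since the commit message states the failure case cannot be reached manually in released Koha and the hunk otherwise ships untested.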