From cc79f24bcaa9b660e95745a8613d4a2feabddb1f Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Fri, 8 Mar 2024 16:06:11 +0100
Subject: [PATCH] Bug 36149: Unset userenv from middleware
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

The userenv (the logged-in user's info) is stored in $C4::Context->context->{activeuser}, which persists in the plack worker's memory.

In theory this is really bad, as we are not cleaning it before or after the HTTP request, but only when set_userenv is called (which is what we commonly do in C4::Auth::get_template_and_user). If C4::Context->userenv is called before set_userenv we should get undef, not the userenv from the previous request!

In practice this should not be a problem, but well... who really knows?

This patch proposes a middleware that removes the userenv at the beginning of each request (maybe it should be after, right? - FIXME).

To test:
1 - Edit /etc/koha/sites/kohadev/koha-conf.xml to set 1
2 - Edit about.pl and add a line after: CGI->new: warn Data::Dumper::Dumper( C4::Context->userenv() );
3 - tail -f /var/log/koha/kohadev/*.log
4 - View about.pl in the staff interface, you should get a "Something's wrong" warning
5 - Reload, you get the current user info
6 - Open an incognito tab, sign in as a different user and click some stuff
7 - Reload about.pl in the other window
8 - You get the OPAC user info
9 - Apply patch
10 - Edit /etc/koha/sites/kohadev/plack.psgi and add the middleware after "RealIP": enable "+Koha::Middleware::UserEnv";
11 - Restart all
12 - Reload about.pl - you get a "Something's wrong" warning
13 - Click things in the OPAC in the incognito window
14 - Reload about.pl - only "Something's wrong" - you no longer see any user info

Signed-off-by: Nick Clemens
Signed-off-by: Kyle M Hall
(cherry picked from commit 576e7e09fdca703f76c0d10ae55eebf12ee1fdf4)
Signed-off-by: Fridolin Somers
(cherry picked from commit 3dd1cdd74ff004d1d218366a377fc91d8ae4e21d)
Signed-off-by: Frédéric Demians
---
 C4/Context.pm | 3 +--
 Koha/Middleware/UserEnv.pm | 18 ++++++++++++++++++
 debian/templates/plack.psgi | 1 +
 3 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 Koha/Middleware/UserEnv.pm

diff --git a/C4/Context.pm b/C4/Context.pm
index 6406f340ec..ecdb323d65 100644
--- a/C4/Context.pm
+++ b/C4/Context.pm
@@ -837,8 +837,7 @@ Destroys the hash for activeuser user environment variables.
 sub _unset_userenv {
- my ($sessionID)= @_;
- undef $context->{activeuser} if $sessionID && $context->{activeuser} && $context->{activeuser} eq $sessionID;
+ delete $context->{activeuser};
 }
diff --git a/Koha/Middleware/UserEnv.pm b/Koha/Middleware/UserEnv.pm
new file mode 100644
index 0000000000..03d515fdcf
--- /dev/null
+++ b/Koha/Middleware/UserEnv.pm
@@ -0,0 +1,18 @@
+package Koha::Middleware::UserEnv;
+use Modern::Perl;
+
+use parent qw(Plack::Middleware);
+
+use C4::Context;
+
+sub call {
+ my ( $self, $env ) =@_;
+
+ my $req = Plack::Request->new($env);
+
+ C4::Context->_unset_userenv;
+
+ return $self->app->($env);
+}
+
+1;
diff --git a/debian/templates/plack.psgi b/debian/templates/plack.psgi
index 89cd6ef48f..d4a0cfb725 100644
--- a/debian/templates/plack.psgi
+++ b/debian/templates/plack.psgi
@@ -73,6 +73,7 @@ builder {
 enable "Plack::Middleware::Static";
 # + is required so Plack doesn't try to prefix Plack::Middleware::
+ enable "+Koha::Middleware::UserEnv";
 enable "+Koha::Middleware::SetEnv";
 enable "+Koha::Middleware::RealIP";
--
2.39.5
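Review bot: `_unset_userenv` now silently ignores its argument, so a caller that still passes a session id (the previous signature) gets an unconditional reset instead of the old session-matching guard. If such callers remain they should be updated to the argument-less form, and the POD for this sub, which begins above the hunk, should no longer describe a session parameter if it currently does; a one-line comment such as `# Unconditional on purpose: the per-request middleware relies on this clearing whatever is set.` would make the new contract explicit. The sub is also `_`-prefixed yet is invoked from another package in this same commit, so consider promoting it to a public, documented method rather than calling a private one across packages.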
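Review bot: `my $req = Plack::Request->new($env);` is never used, and the module does not `use Plack::Request`, so the call only works if some other component has already loaded that class; dropping the line removes both the dead object and the hidden dependency. `call` also clears the environment only at the start of the request, so the previous user's details stay in the worker after the response is sent, which is the FIXME the commit message raises; wrapping the application's result with `Plack::Util::response_cb` and clearing again in the callback would shorten that window, at the cost of adding `use Plack::Util;` to the module. Calling the `_`-prefixed `_unset_userenv` from here couples the middleware to a private interface of C4::Context; a public accessor, or a comment stating the coupling is intended, would help the next maintainer. The `=@_` on the unpacking line should read `= @_` like the rest of the code base.
```perl
sub call {
    my ( $self, $env ) = @_;

    # Clear any userenv left over from a previous request on this worker.
    C4::Context->_unset_userenv;

    my $res = $self->app->($env);

    # Clear again once the response is built so the user's details do not
    # linger in the worker between requests (requires `use Plack::Util;`).
    return Plack::Util::response_cb( $res, sub { C4::Context->_unset_userenv; } );
}
```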