From 480a1b31899c0f067b6785566e3dbe1f6316ecb1 Mon Sep 17 00:00:00 2001
From: Magnus Enger
Date: Fri, 6 Sep 2019 09:54:04 +0200
Subject: [PATCH] Bug 22543: Prevent "back and refresh attack"

To reproduce and test:
- Log into the OPAC, you are taken to /cgi-bin/koha/opac-user.pl
- Log out, you are taken to /cgi-bin/koha/opac-main.pl?logout.x=1
- Click "Back", you are taken to /cgi-bin/koha/opac-user.pl
- Reload the page, you see an error like "Confirm new submission of form"
- Reload the page again and confirm the submission of the form
- You are now logged in to the OPAC again!
- Log out again
- Apply this patch
- Log in to the OPAC, you are taken to /cgi-bin/koha/opac-user.pl
- Log out, you are taken to /cgi-bin/koha/opac-main.pl?logout.x=1
- Click back, you are taken to /cgi-bin/koha/opac-user.pl
- No matter how many times you reload /cgi-bin/koha/opac-user.pl, you should not see anything other than the login form.
- Check that Self Check Out still works as it should, by making sure you have a user with self_check permissions, then setting WebBasedSelfCheck, AutoSelfCheckAllowed, AutoSelfCheckID and AutoSelfCheckPass appropriately. Then visit /cgi-bin/koha/sco/sco-main.pl and verify everything works as expected.
The messages and errors pages you see related to resubmitting the form might differ from the ones described here, depending on what browser you use. I tested in Chromium 76.0.x.
This fix was originally proposed by LMSCloud: https://github.com/LMSCloud/Koha-LMSCloud/commit/74a7fe0f0c5b2ce0d65bd26452c6dcaf0a7f65ad
Signed-off-by: Owen Leonard
Signed-off-by: Marcel de Rooy
Signed-off-by: Martin Renvoize
---
 C4/Auth.pm | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index 913aaa2ea2..70950261e6 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -1209,6 +1209,18 @@ sub checkauth {
 );
 }
+ # In case, that this request was a login attempt, we want to prevent that users can repost the opac login
+ # request. We therefore redirect the user to the requested page again without the login parameters.
+ # See Post/Redirect/Get (PRG) design pattern: https://en.wikipedia.org/wiki/Post/Redirect/Get
+ if ( $type eq "opac" && $query->param('koha_login_context') && $query->param('koha_login_context') ne 'sco' && $query->param('password') && $query->param('userid') ) {
+ my $uri = URI->new($query->url(-relative=>1, -query_string=>1));
+ $uri->query_param_delete('userid');
+ $uri->query_param_delete('password');
+ $uri->query_param_delete('koha_login_context');
+ print $query->redirect(-uri => $uri->as_string, -cookie => $cookie, -status=>'303 See other');
+ exit;
+ }
+
 track_login_daily( $userid );
 return ( $userid, $cookie, $sessionID, $flags );
-- 
2.39.5
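Review bot: The redirect branch ends in a bare `exit;`, whereas the other places where checkauth finishes a request early (such as after printing the login page) go, as far as I recall, through C4::Auth's `safe_exit` helper, which ends the request cleanly under Plack/PSGI instead of terminating the worker process; the line should read `safe_exit;` unless this code path can never run under Plack. The branch also calls `URI->new` and `query_param_delete` (provided by URI::QueryParam) without this patch adding any `use` line, so it relies on both modules already being loaded in C4/Auth.pm — worth confirming, since the failure would only surface at runtime on a successful OPAC login. Because `-query_string=>1` rebuilds the query from every submitted parameter, the explicit deletion of `userid`, `password` and `koha_login_context` is what keeps credentials out of the Location header and the browser history; a comment on the `my $uri` line stating that invariant would help future edits keep it. The long condition would read more easily as `my $login_context = $query->param('koha_login_context');` followed by `$login_context && $login_context ne 'sco'` in the `if`. The enclosing sub checkauth starts before this hunk.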