From f287fdfd81a2b0c1868c7d089b99ffee4d2e62b3 Mon Sep 17 00:00:00 2001
From: Fridolin Somers <fridolin.somers@biblibre.com>
Date: Tue, 3 Nov 2020 09:19:34 +0100
Subject: [PATCH] Bug 26904: OPAC password recovery allows regexp in email

When using OPAC password recovery form, opac/opac-password-recovery.pl :
if one provides correct login and an email, there is a check that this email is one of patron's.

This check uses RegExp with case insensitive :
  if ( $email && !( any { /^$email$/i } @emails ) )

This is a security issue since one can simply enter '.*'.
Severity is normal because the login must be a correct.

I propose to use simple string compare with lowercase to be case insensitive.

Test plan :
1) Don't apply patch
2) Enable system preference 'OpacResetPassword'
3) Go to 'OPAC > Log in to your account > Forgot your password?'
4) Enter an existing userid or cardnumber and '.*' in 'Email'
5) The password recovery is created ! (check table 'borrower_password_recovery')
6) Apply patch
7) Enter an existing userid or cardnumber and '.*' in 'Email'
8) You get the message 'No account was found with the provided information.'
9) Enter an existing userid or cardnumber and in 'Email' the corresponding email but with different case
10) The password recovery is created (check table 'borrower_password_recovery')

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 904e926ba0f407b24aa3d94be5afe37b5e3ec075)

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 57a9bf3ef2e4f25227a10f16cec7fb34e162199e)

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
---
 opac/opac-password-recovery.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/opac/opac-password-recovery.pl b/opac/opac-password-recovery.pl
index a695165b56..0a54fc24f2 100755
--- a/opac/opac-password-recovery.pl
+++ b/opac/opac-password-recovery.pl
@@ -85,7 +85,7 @@ if ( $query->param('sendEmail') || $query->param('resendEmail') ) {
             $firstNonEmptyEmail = $emails[0] if @emails;
 
             # Is the given email one of the borrower's ?
-            if ( $email && !( any { /^$email$/i } @emails ) ) {
+            if ( $email && !( any { lc($_) eq lc($email) } @emails ) ) {
                 $hasError    = 1;
                 $errNoBorrowerFound = 1;
             }
-- 
2.20.1