]> git.koha-community.org Git - koha.git/commit
Bug 18956: Prevent leaking during password recovery
authorMark Tompsett <mtompset@hotmail.com>
Fri, 25 Aug 2017 19:09:38 +0000 (15:09 -0400)
committerJonathan Druart <jonathan.druart@bugs.koha-community.org>
Fri, 27 Oct 2017 13:59:05 +0000 (10:59 -0300)
commite08a0afa264f55294bda4a5d949012ad60639616
tree880a0504900d6be2112750ebb89286d5e21fe4e6
parent570eb4026642f71e462c7746a9c91721aa9334c1
Bug 18956: Prevent leaking during password recovery

TEST PLAN
---------

It is assumed you have set the OpacResetPassword to 'allowed',
and likely in combination with OpacPasswordChange to 'Allowed'.

You will have two patrons: one with and another without
any email address entered. You will want to test this test plan
with both patrons.

$ git checkout -b bug_18956 origin/master

Prepend the following as understood between step sections:
opac -> forgot password and then enter...

correct login/cardnumber, it will email
delete from borrower_password_recovery;

correct email, it will email
delete from borrower_password_recovery;

correct login/cardnumber && correct email, it will email
delete from borrower_password_recovery;

wrong login/cardnumber && correct email, error page as expected
delete from borrower_password_recovery;

correct login/cardnumber && wrong email, error page as expected
delete from borrower_password_recovery;

wrong login/cardnumber && wrong email, error page as expected
delete from borrower_password_recovery;

submit empty -- INTERNAL SERVER ERROR?!
delete from borrower_password_recovery;

-- None of the above step sections displayed email.

correct login/cardnumber, it will email

correct login/cardnumber again, but it leaks email address!
delete from borrower_password_recovery;

correct email, it will email

correct email again, but it leaks login/cardnumber!
delete from borrower_password_recovery;

$ git bz apply 18956
-- choose interactive, and choose this counter patch.

repeat the same test set again
-- no leaks will occur, error message pages returned should
   be reasonable, code should read reasonably.

run koha qa test tools.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-password-recovery.tt
opac/opac-password-recovery.pl