From e6a1d65c9a0fe36c7c604613f9791e2b25149c08 Mon Sep 17 00:00:00 2001
From: David Cook
Date: Tue, 27 Aug 2024 01:48:58 +0000
Subject: [PATCH] Bug 37741: Do not send cookie back from error pages

This change stops the cookie from being sent back from error pages, so that backcalls that cause errors don't overwrite the existing cookie used by the foreground request page.

Test plan:
0. Apply the patch and koha-plack --reload kohadev
1. Set syspref IntranetFavicon to http://localhost:8081/cgi-bin/koha/bad.jpg
2. Open browser developer tools
3. Go to http://localhost:8081/cgi-bin/koha/mainpage.pl
4. Open the Network tab, disable the cache, and shift refresh
5. Notice that bad.jpg fails to load with a 404
6. Try to login to Koha
7. Confirm login works
*. Extra points if you note that the cookie returned by the first mainpage.pl request is used for the bad.jpg lookup and the second mainpage.pl request.

Signed-off-by: David Nind
Signed-off-by: Chris Cormack
Signed-off-by: Katrin Fischer
---
 errors/400.pl      | 3 +++
 errors/401.pl      | 2 ++
 errors/402.pl      | 2 ++
 errors/403.pl      | 2 ++
 errors/404.pl      | 3 +++
 errors/500.pl      | 2 ++
 opac/errors/400.pl | 2 ++
 opac/errors/401.pl | 2 ++
 opac/errors/402.pl | 2 ++
 opac/errors/403.pl | 2 ++
 opac/errors/404.pl | 2 ++
 opac/errors/500.pl | 2 ++
 12 files changed, 26 insertions(+)

diff --git a/errors/400.pl b/errors/400.pl
index 0bddd49fc8..8ae328dcce 100755
--- a/errors/400.pl
+++ b/errors/400.pl
@@ -41,4 +41,7 @@ my $status = '400 Bad Request';
 if ( C4::Context->is_internal_PSGI_request() ) {
     $status = '200 OK';
 }
+
+#NOTE: We're not setting/updating the cookie here
+$cookie = '';
 output_with_http_headers $query, $cookie, $template->output, 'html', $status;
diff --git a/errors/401.pl b/errors/401.pl
index f5761fcb35..4b8f748cf5 100755
--- a/errors/401.pl
+++ b/errors/401.pl
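Review bot: The added `$cookie = '';` in errors/400.pl relies on `output_with_http_headers` (not visible here) treating an empty string as "no cookie" and emitting no `Set-Cookie` header at all; if it instead forwards the value unchanged, the client could receive an empty `Set-Cookie:` and the fix would not hold, so that behaviour is worth pinning rather than assuming. The comment states what the line does but not why, which is the part a future maintainer needs before "fixing" it; I would replace it with `# Error pages are frequently hit by sub-requests (favicon, images) made with the foreground page's session; never (re)issue a session cookie here or it clobbers the browser's real one (Bug 37741).` The `$cookie` being overwritten was presumably populated earlier in this script, outside the hunk.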
@@ -40,4 +40,6 @@ my $status = '401 Unauthorized';
 if ( C4::Context->is_internal_PSGI_request() ) {
     $status = '200 OK';
 }
+#NOTE: We're not setting/updating the cookie here
+$cookie = '';
 output_with_http_headers $query, $cookie, $template->output, 'html', $status;
diff --git a/errors/402.pl b/errors/402.pl
index 835aed3ea3..b9d3444368 100755
--- a/errors/402.pl
+++ b/errors/402.pl
@@ -41,4 +41,6 @@ my $status = '402 Payment Required';
 if ( C4::Context->is_internal_PSGI_request() ) {
     $status = '200 OK';
 }
+#NOTE: We're not setting/updating the cookie here
+$cookie = '';
 output_with_http_headers $query, $cookie, $template->output, 'html', $status;
diff --git a/errors/403.pl b/errors/403.pl
index b83c014de8..c75c2a5293 100755
--- a/errors/403.pl
+++ b/errors/403.pl
@@ -43,4 +43,6 @@ my $status = '403 Forbidden';
 if ( C4::Context->is_internal_PSGI_request() ) {
     $status = '200 OK';
 }
+#NOTE: We're not setting/updating the cookie here
+$cookie = '';
 output_with_http_headers $query, $cookie, $template->output, 'html', $status;
diff --git a/errors/404.pl b/errors/404.pl
index 049db4aa40..a375d8d8cb 100755
--- a/errors/404.pl
+++ b/errors/404.pl
@@ -41,4 +41,7 @@ my $status = '404 Not Found';
 if ( C4::Context->is_internal_PSGI_request() ) {
     $status = '200 OK';
 }
+
+#NOTE: We're not setting/updating the cookie here
+$cookie = '';
 output_with_http_headers $query, $cookie, $template->output, 'html', $status;
diff --git a/errors/500.pl b/errors/500.pl
index 26dab6f93b..5f216dd61b 100755
--- a/errors/500.pl
+++ b/errors/500.pl
@@ -41,4 +41,6 @@ my $status = '500 Internal Server Error';
 if ( C4::Context->is_internal_PSGI_request() ) {
     $status = '200 OK';
 }
+#NOTE: We're not setting/updating the cookie here
+$cookie = '';
 output_with_http_headers $query, $cookie, $template->output, 'html', $status;
diff --git a/opac/errors/400.pl b/opac/errors/400.pl
index 7d3a63ca2d..e34e18c092 100755
--- a/opac/errors/400.pl
+++ b/opac/errors/400.pl
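Review bot: errors/404.pl (and errors/400.pl) insert an extra blank line before the comment (`+41,7`) while the other ten scripts do not (`+40,6`/`+41,6`); the twelve hunks are otherwise identical, so pick one layout. Copying the same two lines into twelve scripts also suggests the rule belongs in one place — a shared helper the error scripts call, or the "no cookie from error pages" convention documented where `$cookie` is produced — rather than a comment each maintainer must keep in sync by hand. The diffstat lists only the twelve `.pl` files and no test; since 404.pl is exactly what the test plan's `bad.jpg` back-call hits, a small test requesting an error page and asserting the response carries no `Set-Cookie` header would pin the behaviour that is currently only checked manually in the browser.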
@@ -41,4 +41,6 @@ my $status = '400 Bad Request';
 if ( C4::Context->is_internal_PSGI_request() ) {
     $status = '200 OK';
 }
+#NOTE: We're not setting/updating the cookie here
+$cookie = '';
 output_with_http_headers $query, $cookie, $template->output, 'html', $status;
diff --git a/opac/errors/401.pl b/opac/errors/401.pl
index abd65d72a6..432691859b 100755
--- a/opac/errors/401.pl
+++ b/opac/errors/401.pl
@@ -41,4 +41,6 @@ my $status = '401 Unauthorized';
 if ( C4::Context->is_internal_PSGI_request() ) {
     $status = '200 OK';
 }
+#NOTE: We're not setting/updating the cookie here
+$cookie = '';
 output_with_http_headers $query, $cookie, $template->output, 'html', $status;
diff --git a/opac/errors/402.pl b/opac/errors/402.pl
index 3ba2d62b50..edc710860b 100755
--- a/opac/errors/402.pl
+++ b/opac/errors/402.pl
@@ -41,4 +41,6 @@ my $status = '402 Payment Required';
 if ( C4::Context->is_internal_PSGI_request() ) {
     $status = '200 OK';
 }
+#NOTE: We're not setting/updating the cookie here
+$cookie = '';
 output_with_http_headers $query, $cookie, $template->output, 'html', $status;
diff --git a/opac/errors/403.pl b/opac/errors/403.pl
index 4d7dc16d7f..3a3fb24118 100755
--- a/opac/errors/403.pl
+++ b/opac/errors/403.pl
@@ -43,4 +43,6 @@ my $status = '403 Forbidden';
 if ( C4::Context->is_internal_PSGI_request() ) {
     $status = '200 OK';
 }
+#NOTE: We're not setting/updating the cookie here
+$cookie = '';
 output_with_http_headers $query, $cookie, $template->output, 'html', $status;
diff --git a/opac/errors/404.pl b/opac/errors/404.pl
index e07e056853..4d4b687385 100755
--- a/opac/errors/404.pl
+++ b/opac/errors/404.pl
@@ -41,4 +41,6 @@ my $status = '404 Not Found';
 if ( C4::Context->is_internal_PSGI_request() ) {
     $status = '200 OK';
 }
+#NOTE: We're not setting/updating the cookie here
+$cookie = '';
 output_with_http_headers $query, $cookie, $template->output, 'html', $status;
diff --git a/opac/errors/500.pl b/opac/errors/500.pl
index c25f848211..b0985be6bf 100755
--- a/opac/errors/500.pl
+++ b/opac/errors/500.pl
@@ -41,4 +41,6 @@ my $status = '500 Internal Server Error';
 if ( C4::Context->is_internal_PSGI_request() ) {
     $status = '200 OK';
 }
+#NOTE: We're not setting/updating the cookie here
+$cookie = '';
 output_with_http_headers $query, $cookie, $template->output, 'html', $status;
-- 
2.39.5
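Review bot: Suppressing the cookie in opac/errors/500.pl means any session the auth layer created or refreshed earlier in this script (outside the hunk) when it produced `$cookie` is now never delivered to the client; if that layer persists a session per request, every failed anonymous OPAC back-call would leave an orphaned session behind, which is worth confirming on the OPAC path since that traffic is unauthenticated and attacker-driven. The patch is otherwise the right default: a 500 page runs after something has already gone wrong, and the request-scoped `$status` downgrade to `200 OK` for internal PSGI requests shows these scripts are expected to be reached by sub-requests, so leaving the browser's existing session cookie untouched is the safe choice. I would say that in the comment instead of restating the assignment: `# Leave the client's existing session cookie alone: this is an error page, often reached by a sub-request that must not replace the foreground page's session.`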