Hi,

I'm a bit late on the topic but I had a look at the different bugs and patches during hackfest (mainly because it didn't work for me, I will open a new bug report for that).

There is something in it that seems to cause bugs and I don't see a reason for it: it's the "cud-" thing.

As I understand it, now every request that creates/updates/deletes something should be a POST (or PUT/DELETE/PATCH) request and have an 'op' parameter whose value starts with 'cud-', and all other requests should be GET (or OPTIONS/TRACE/HEAD) requests and, if they have an 'op' parameter, it should not start with "cud-". Why do we need the "cud-" prefix if we can use the HTTP method for detecting which requests need to be protected?

What seems strange is that the current implementation will allow a POST request without an 'op' parameter, but will block a POST request with an 'op' parameter that does not start with 'cud-'. It looks like we could get rid of this prefix check without losing anything. What did I miss?

On 04/03/2024 at 08:37, Marcel de Rooy via Koha-devel wrote:
Great work!

From: Koha-devel <koha-devel-boun...@lists.koha-community.org> On Behalf Of Nick Clemens via Koha-devel
Sent: Friday, March 1, 2024 2:26 PM
To: Koha Devel <koha-devel@lists.koha-community.org>; Koha <k...@lists.katipo.co.nz>
Subject: [Koha-devel] Koha CSRF protection

Hello all!

We have pushed the CSRF work from 34478 and related bugs today. We know there are more follow-ups needed, and have filed a series of bugs under an omnibus:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36192

We have a framapad where issues can be reported/found:

https://annuel.framapad.org/p/koha_34478_remaining

And we have bugs for each of the sections of the document. We need all developers to submit patches when they encounter issues, and for other users testing master to report found issues on the pad. Testers can report issues on the pad as well.

There is a new coding guideline - all POSTs to forms in Koha will need to include a csrf token:

https://wiki.koha-community.org/wiki/Coding_Guidelines#Security

This has been a big piece of work, many thanks to all involved, and there is still work to be done, but this is an important fix that we must do.

You can reach out to me on IRC (kidclamp) or via email and I will do my best to help anyone contribute.

Thanks,

Nick


--

Nick Clemens

ByWater Solutions

bywatersolutions.com

Phone: (888) 900-8944

Pronouns: (he/him/his)
Timezone: Eastern



_______________________________________________
Koha-devel mailing list
Koha-devel@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : https://www.koha-community.org/
git : https://git.koha-community.org/
bugs : https://bugs.koha-community.org/
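To make the rule discussed in the first message concrete, here is an added model of it in Python (not Koha's code, and not the behaviour of bug 34478 itself, which the message only describes from the reader's understanding): it classifies a request by HTTP method plus the 'cud-' prefix on 'op', requires a CSRF token only for the state-changing class, and puts the method-only alternative from the message beside it. The `Request` type and the session-token scheme are constructed stand-ins.

```python
import hmac
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
STATE_CHANGING_METHODS = {"POST", "PUT", "DELETE", "PATCH"}
CUD_PREFIX = "cud-"  # prefix the thread says marks create/update/delete ops


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed, not Koha's object)."""
    method: str
    params: dict = field(default_factory=dict)


def classify(req):
    """Apply the rule as the message describes it.

    Returns 'safe' (no token needed), 'protected' (CSRF token required) or
    'reject' (method and op prefix disagree). A POST with no op at all is
    'protected', while a POST whose op lacks the prefix is rejected: that is
    the inconsistency the message points out.
    """
    op = req.params.get("op")
    if req.method in SAFE_METHODS:
        return "reject" if op is not None and op.startswith(CUD_PREFIX) else "safe"
    if req.method in STATE_CHANGING_METHODS:
        return "reject" if op is not None and not op.startswith(CUD_PREFIX) else "protected"
    return "reject"  # unknown methods are not served


def needs_token_by_method(req):
    """The alternative the message proposes: decide on the HTTP method alone."""
    return req.method in STATE_CHANGING_METHODS


def check_csrf(req, session_token):
    """Serve decision: safe requests pass; protected ones need a matching token.

    The token scheme is a constructed placeholder (a per-session string
    compared in constant time), not Koha's token format.
    """
    kind = classify(req)
    if kind == "reject":
        return False
    if kind == "safe":
        return True
    supplied = req.params.get("csrf_token", "")
    return hmac.compare_digest(supplied, session_token)
```

Running the two classifiers over the same requests shows that wherever the prefix rule does not reject outright, the method alone already gives the same answer about whether a token is needed.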