Ohhh I forgot that .pl scripts almost never check for the HTTP method...
That's the thing I was missing. Thanks!
On 2024-04-13 10:24, Tomas Cohen Arazi wrote:
The thing is we don't have a spec for each endpoint as we do for the API.
So people could be tricked to send a GET with a similar form, to an
endpoint (the .pl script) and bypass the generic CSRF check we do.
Also, this way programmers and the QA team have a simpler way to detect
state-changing w
My point is: since all POST (and other unsafe methods) requests are
protected and require a CSRF token, why does Koha have a requirement on
the 'op' parameter for those requests? It seems redundant and can cause
unnecessary failure (I can't POST with 'op=search' even with a valid
CSRF token, I
We want to know which requests to protect (i.e. requiring a CSRF token):
those having an op starting with cud-
Otherwise you could GET something that should be POSTed.
I've tried to describe this change as best as I could on the wiki, please
adjust if it's not clear enough.
https://wiki.koha-communit
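The rule described in this thread (state-changing requests are the ones whose op starts with cud-; they must come in on an unsafe method with a valid CSRF token, a GET carrying a cud- op is refused, and a POST with a non-cud op fails even with a valid token), as an added illustration that is not Koha's own code; the HMAC token scheme, the secret, the parameter names and the session ids are constructed assumptions:

```python
import hashlib
import hmac

# Constructed for this example; not Koha's token scheme or secret.
SERVER_SECRET = b"example-server-secret"
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def make_csrf_token(session_id):
    """Token bound to the session so it cannot be reused across sessions."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def valid_csrf_token(session_id, token):
    """Constant-time comparison against the token expected for this session."""
    if not token:
        return False
    return hmac.compare_digest(make_csrf_token(session_id), token)


def check_request(method, params, session_id):
    """Return (allowed, reason) for one request to a .pl-style endpoint.

    params is the merged query/form parameter dict; 'op' and 'csrf_token'
    are the assumed parameter names.
    """
    op = params.get("op", "")
    state_changing = op.startswith("cud-")
    if method.upper() in UNSAFE_METHODS:
        if not state_changing:
            return False, "unsafe method with non cud- op"
        if not valid_csrf_token(session_id, params.get("csrf_token")):
            return False, "missing or invalid CSRF token"
        return True, "ok"
    # Safe method (GET, HEAD, ...): a cud- op must never be honoured here,
    # otherwise a crafted link could trigger the state change without a token.
    if state_changing:
        return False, "cud- op must be sent with an unsafe method"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests against a constructed session id.
    token = make_csrf_token("session-1")
    for method, params in [
        ("GET", {"op": "search"}),
        ("GET", {"op": "cud-delete", "csrf_token": token}),
        ("POST", {"op": "cud-delete", "csrf_token": token}),
        ("POST", {"op": "cud-delete"}),
        ("POST", {"op": "search", "csrf_token": token}),
    ]:
        print(method, params.get("op"), check_request(method, params, "session-1"))
```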
Hi,
I'm a bit late on the topic but I had a look at the different bugs and
patches during hackfest (mainly because it didn't work for me, I will
open a new bug report for that).
There is something in it that seems to cause bugs and I don't see a
reason for it: it's the "cud-" thing.
As I u
Great work!
From: Koha-devel On Behalf Of
Nick Clemens via Koha-devel
Sent: Friday, March 1, 2024 2:26 PM
To: Koha Devel ; Koha
Subject: [Koha-devel] Koha CSRF protection
Hello all!
We have pushed the CSRF work from 34478 and related bugs today. We know there
are more follow-ups needed, and
Congrats team!
On Fri, 1 Mar 2024 at 10:26, Nick Clemens via Koha-devel (<
koha-devel@lists.koha-community.org>) wrote:
> Hello all!
>
> We have pushed the CSRF work from 34478 and related bugs today. We know
> there are more follow-ups needed, and have filed a series of bugs under an
> omn