
bug 9401: remove direct reads of CGISESSID cookie by JavaScript

Having embedded JavaScript read the session cookie directly
is unnecessary and prevents the CGISESSID cookie being marked
httpOnly as a security measure.  The only Koha JS attempting
this was the AJAX tags code.

To test:

- In general, verify that there are no regressions with
  adding tags in the OPAC or reviewing them in the staff interface.
- In specific, for the OPAC
  - log into the OPAC
  - retrieve a bib record
  - add a tag
  - refresh the bib details page to verify that the
    tag was added
  - make sure the TagsInputOnList syspref is on
  - perform a search
  - add a tag to more than one record from the search results page
  - repeat the preceding using the CCSR theme
- And in the staff interface
  - Go to the review tags tool
  - Reject a tag
  - Refresh to verify that the tag was rejected

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
commit 6c1da551eae66936837c368cae88845a7ab9a686 1 parent 0db3ccc
@gmcharlt gmcharlt authored jcamins committed
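--- a/koha-tmpl/intranet-tmpl/prog/en/modules/tags/review.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tags/review.tt
@@ -73,16 +73,6 @@ td input,td input[type="submit"] { font-size: 85%; padding: 1px; }
 $('#test_button').removeAttr("disabled");
 $('#test_button').attr("value","test");
 };
- function readCookie(name) { // from http://www.quirksmode.org/js/cookies.html
- var nameEQ = name + "=";
- var ca = document.cookie.split(';');
- for(var i=0;i < ca.length;i++) {
- var c = ca[i];
- while (c.charAt(0)==' '){ c = c.substring(1,c.length); }
- if (c.indexOf(nameEQ) == 0){ return c.substring(nameEQ.length,c.length); }
- }
- return null;
- }
 $(document).ready(function() {
 $('.ajax_buttons' ).css({visibility:"visible"});
 $("p.check").html("<strong>"+_("Select:")+" <\/strong><a id=\"CheckAll\" href=\"/cgi-bin/koha/tags/review.pl\">"+_("All")+"<\/a> <a id=\"CheckPending\" href=\"/cgi-bin/koha/tags/review.pl\">"+_("Pending")+"<\/a> <a id=\"CheckNone\" href=\"/cgi-bin/koha/tags/review.pl\">"+_("None")+"<\/a>");
@@ -103,7 +93,7 @@ td input,td input[type="submit"] { font-size: 85%; padding: 1px; }
 // window.alert(_("Click detected on ") + event.target + ": " + $(event.target).html);
 if ($(event.target).is('.ok')) {
 $.ajax({
- "data": {ok: $(event.target).attr("title"), CGISESSID: readCookie('CGISESSID')},
+ "data": {ok: $(event.target).attr("title")},
 "success": count_approve // success_approve
 });
 $(event.target).next(".rej").removeAttr("disabled").attr("value","Reject").css("color","#000");
@@ -112,7 +102,7 @@ td input,td input[type="submit"] { font-size: 85%; padding: 1px; }
 }
 if ($(event.target).is('.rej')) {
 $.ajax({
- "data": {rej: $(event.target).attr("title"), CGISESSID: readCookie('CGISESSID')},
+ "data": {rej: $(event.target).attr("title")},
 "success": count_reject // success_reject
 });
 $(event.target).prev(".ok").removeAttr("disabled").attr("value","Approve").css("color","#000");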
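Review bot: The approve and reject requests built at `"data": {ok: $(event.target).attr("title")}` and its `rej` twin are state-changing AJAX calls whose only authentication is now the CGISESSID cookie the browser attaches on its own, so nothing in the request ties it to a page the staff user actually loaded; a per-session anti-CSRF token carried in `data` and verified in tags/review.pl would close that gap, and the same holds for the `$.post` calls in both tags.js files of this commit. Removing the JavaScript cookie read is what allows the cookie to become HttpOnly, but this diff does not itself set that flag where the cookie is issued — presumably a follow-up, which the commit message could say explicitly. The click handler these hunks sit in starts and ends outside the hunks.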
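--- a/koha-tmpl/opac-tmpl/ccsr/en/js/tags.js
+++ b/koha-tmpl/opac-tmpl/ccsr/en/js/tags.js
@@ -4,8 +4,6 @@ if (typeof KOHA == "undefined" || !KOHA) {
 /**
 * A namespace for Tags related functions.
-* readCookie is expected to already be declared. That's why the assignment below is unscoped.
-* readCookie should be from basket.js or undefined.
 $.ajaxSetup({
 url: "/cgi-bin/koha/opac-tags.pl",
@@ -13,24 +11,12 @@ $.ajaxSetup({
 dataType: "script"
 });
 */
-if (typeof(readCookie) == "undefined") {
- readCookie = function (name) { // from http://www.quirksmode.org/js/cookies.html
- var nameEQ = name + "=";
- var ca = document.cookie.split(';');
- for (var i=0;i < ca.length;i++) {
- var c = ca[i];
- while (c.charAt(0)==' '){ c = c.substring(1,c.length); }
- if (c.indexOf(nameEQ) == 0){ return c.substring(nameEQ.length,c.length); }
- }
- return null;
- }
-}
 KOHA.Tags = {
 add_tag_button: function(bibnum, tag){
 var mynewtag = "newtag" + bibnum;
 var mytagid = "#" + mynewtag;
- var mydata = {CGISESSID: readCookie('CGISESSID')}; // Someday this should be OPACSESSID
- mydata[mynewtag] = tag; // need [bracket] for variable property id
+ var mydata = {};
+ mydata[mynewtag] = tag;
 var response; // AJAX from server will assign value to response.
 $.post(
 "/cgi-bin/koha/opac-tags.pl",
@@ -83,7 +69,7 @@ KOHA.Tags = {
 // Used to tag multiple items at once. The main difference
 // is that status is displayed on a per item basis.
 add_multitags_button : function(bibarray, tag){
- var mydata = {CGISESSID: readCookie('CGISESSID')}; // Someday this should be OPACSESSID
+ var mydata = {};
 for (var i = 0; i < bibarray.length; i++) {
 var mynewtag = "newtag" + bibarray[i];
 mydata[mynewtag] = tag;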
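Review bot: With the two readCookie lines gone, the `/** … */` block at the top of the file now wraps the one-line namespace description together with a commented-out `$.ajaxSetup({ … })` call, so the dead code reads as if it were part of the documentation. Consider closing the doc comment right after `* A namespace for Tags related functions.` and either deleting the disabled `$.ajaxSetup` or keeping it in its own `/* */` block with a one-line note on why it is switched off. The same layout is in koha-tmpl/opac-tmpl/prog/en/js/tags.js in this commit. The `add_tag_button` and `add_multitags_button` bodies continue outside the hunks.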
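--- a/koha-tmpl/opac-tmpl/prog/en/js/tags.js
+++ b/koha-tmpl/opac-tmpl/prog/en/js/tags.js
@@ -4,8 +4,6 @@ if (typeof KOHA == "undefined" || !KOHA) {
 /**
 * A namespace for Tags related functions.
-* readCookie is expected to already be declared. That's why the assignment below is unscoped.
-* readCookie should be from basket.js or undefined.
 $.ajaxSetup({
 url: "/cgi-bin/koha/opac-tags.pl",
@@ -13,24 +11,12 @@ $.ajaxSetup({
 dataType: "script"
 });
 */
-if (typeof(readCookie) == "undefined") {
- readCookie = function (name) { // from http://www.quirksmode.org/js/cookies.html
- var nameEQ = name + "=";
- var ca = document.cookie.split(';');
- for (var i=0;i < ca.length;i++) {
- var c = ca[i];
- while (c.charAt(0)==' '){ c = c.substring(1,c.length); }
- if (c.indexOf(nameEQ) == 0){ return c.substring(nameEQ.length,c.length); }
- }
- return null;
- }
-}
 KOHA.Tags = {
 add_tag_button: function(bibnum, tag){
 var mynewtag = "newtag" + bibnum;
 var mytagid = "#" + mynewtag;
- var mydata = {CGISESSID: readCookie('CGISESSID')}; // Someday this should be OPACSESSID
- mydata[mynewtag] = tag; // need [bracket] for variable property id
+ var mydata = {};
+ mydata[mynewtag] = tag;
 var response; // AJAX from server will assign value to response.
 $.post(
 "/cgi-bin/koha/opac-tags.pl",
@@ -83,7 +69,7 @@ KOHA.Tags = {
 // Used to tag multiple items at once. The main difference
 // is that status is displayed on a per item basis.
 add_multitags_button : function(bibarray, tag){
- var mydata = {CGISESSID: readCookie('CGISESSID')}; // Someday this should be OPACSESSID
+ var mydata = {};
 for (var i = 0; i < bibarray.length; i++) {
 var mynewtag = "newtag" + bibarray[i];
 mydata[mynewtag] = tag;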
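--- a/opac/opac-tags.pl
+++ b/opac/opac-tags.pl
@@ -58,7 +58,7 @@ sub ajax_auth_cgi { # returns CGI object
 my $needed_flags = shift;
 my %cookies = fetch CGI::Cookie;
 my $input = CGI->new;
- my $sessid = $cookies{'CGISESSID'}->value || $input->param('CGISESSID');
+ my $sessid = $cookies{'CGISESSID'}->value;
 my ($auth_status, $auth_sessid) = check_cookie_auth($sessid, $needed_flags);
 $debug and
 print STDERR "($auth_status, $auth_sessid) = check_cookie_auth($sessid," . Dumper($needed_flags) . ")\n";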
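Review bot: `my $sessid = $cookies{'CGISESSID'}->value;` still calls `->value` on whatever `$cookies{'CGISESSID'}` holds, so a request that arrives without the cookie (expired session, cookies blocked, a stale page) dies with "Can't call method "value" on an undefined value" before `check_cookie_auth` ever sees it, and with the `param` fallback gone this is now the only path; guard it with `my $cookie = $cookies{'CGISESSID'};` and `my $sessid = $cookie ? $cookie->value : undef;`, assuming `check_cookie_auth` reports an undef session id as a failed authentication, which is worth confirming. `fetch CGI::Cookie` is indirect-object syntax; `CGI::Cookie->fetch` is the unambiguous form. The `$debug` print on the following line writes the live session id to STDERR, so enabling debug leaks session tokens into whatever collects the error log. The identical lines appear in tags/review.pl in this commit, and `ajax_auth_cgi` continues outside the hunk in both files.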
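--- a/tags/review.pl
+++ b/tags/review.pl
@@ -41,7 +41,7 @@ ($)
 my $needed_flags = shift;
 my %cookies = fetch CGI::Cookie;
 my $input = CGI->new;
- my $sessid = $cookies{'CGISESSID'}->value || $input->param('CGISESSID');
+ my $sessid = $cookies{'CGISESSID'}->value;
 my ($auth_status, $auth_sessid) = check_cookie_auth($sessid, $needed_flags);
 $debug and
 print STDERR "($auth_status, $auth_sessid) = check_cookie_auth($sessid," . Dumper($needed_flags) . ")\n";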