The _add_default_csrf_params internal function accesses
C4::Context->userenv without checking that it has been defined. I think
not all of the potential callers of it declare that they require a
defined userenv, so we should test and provide defaults for required
values if it is not defined, to avoid some "Can't use an undefined value
as a HASH reference" HTTP 500 Internal Server Errors.
To test:
Do anything that requires a form with CSRF token, such as editing your
details. Behaviour should be unchanged. To test the failure case, you
would need some customised code that indirectly generates a CSRF token
before setting the userenv up and I am not sure there is any in released
Koha yet.
Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de>
Looks good to me. Working as expected.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
my ( $params ) = @_;
$params->{session_id} //= '';
if( !$params->{id} ) {
- $params->{id} = Encode::encode( 'UTF-8', C4::Context->userenv->{id} . $params->{session_id} );
+ if( defined( C4::Context->userenv ) ) {
+ $params->{id} = Encode::encode( 'UTF-8', C4::Context->userenv->{id} . $params->{session_id} );
+ } else {
+ $params->{id} = Encode::encode( 'UTF-8', $params->{session_id} );
+ }
} else {
$params->{id} .= $params->{session_id};
}
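Review bot: In the new else branch, the id falls back to $params->{session_id} alone, and because session_id is defaulted to '' on the second line of the function, a caller with neither a userenv nor a session_id ends up with an empty id, so the resulting token is not bound to any user or session. Consider emitting a warning or refusing to build the params when both are absent instead of silently encoding an empty string, and document the fallback in the function's POD. The check defined( C4::Context->userenv ) also does not cover a defined userenv whose {id} is undef; writing ( C4::Context->userenv->{id} // '' ) in the first branch would keep the concatenation free of uninitialized-value warnings. Since the commit message says the failure case cannot be reached from released code, a unit test that calls the function with userenv unset would be the way to cover the new branch.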