[Koha] SIP2 AF field sent even if patron password is invalid

Galen Charlton gmc at esilibrary.com
Sat Aug 2 03:28:31 NZST 2014


Hi,

On Thu, Jul 31, 2014 at 9:21 AM, Colin Campbell
<colin.campbell at ptfs-europe.com> wrote:
> Many of the early sip devices considered the fact a user had wanded a
> barcode, security enough. I recall machines which sent blank passwords
> meaning 'I don't care about passwords and if they're valid'. The
> implication of the standard is that the client end will do the right
> thing if I flag up the password was invalid.

It wouldn't surprise me if this were the case back then, but
yesterday's trusting serial line protocol is today's remote exposure
of sensitive patron information breach.

> NB that responses like patron status return both whether the patron is
> valid and whether the password is valid which suggests that the two are
> independent and it may want info back irrespective of password validity.
> It's also not impossible that a client application may want patron data
> and issue an info request without that patron being present (whether
> such an app should be tolerated is another thing). So I think we should
> certainly tailor message responses sensibly but policy is the
> responsibility of the client device. (maybe we should look a bit closer
> at them)

I agree that it will be necessary to tailor responses per client, but
I do think that the default should be to limit what gets disclosed if
an invalid patron password is presented, as information disclosure
policies are necessarily the responsibility of the SIP2 server.

Regards,

Galen
-- 
Galen Charlton
Manager of Implementation
Equinox Software, Inc. / The Open Source Experts
email:  gmc at esilibrary.com
direct: +1 770-709-5581
cell:   +1 404-984-4366
skype:  gmcharlt
web:    http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org &
http://evergreen-ils.org
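The default-deny policy argued for in this thread, as an added example that is not Koha's SIP server code: a Python sketch of a SIP2 Patron Information Response (message 64) that always reports the BL/CQ validity flags but withholds the disclosing fields (AE, BD, BE, BF, AF, AG) unless the presented password verified. Field tags, layout and the AZ checksum follow the 3M SIP2 spec; the patron record and timestamp are constructed sample data.

```python
import datetime

# Tags that reveal patron information (3M SIP2): AE personal name, BD/BE/BF home
# address / e-mail / phone, AF screen message, AG print line. BL (valid patron)
# and CQ (valid patron password) are always reported so the client can react.
DISCLOSING_TAGS = ("AE", "BD", "BE", "BF", "AF", "AG")

PATRON = {  # constructed sample record, not real data
    "institution": "MAIN", "barcode": "23529000035676",
    "AE": "Doe, Jane", "BE": "jane.doe at example.org",
    "AF": "Account in good standing",
}
WHEN = datetime.datetime(2014, 8, 1, 15, 28, 31)  # fixed so output is repeatable


def sip2_checksum(partial: str) -> str:
    """AZ checksum: two's complement of the low 16 bits of the ASCII sum of the
    message text up to and including the 'AZ' tag, as four hex digits."""
    return "%04X" % ((-sum(ord(ch) for ch in partial)) & 0xFFFF)


def build_patron_info_response(patron: dict, password_ok: bool,
                               when: datetime.datetime, seq: int = 0) -> str:
    """Build a 64 response; disclosing fields only when the password verified."""
    fixed = ("64" + " " * 14                          # patron status: no blocks
             + "001"                                  # language: English
             + when.strftime("%Y%m%d    %H%M%S")      # transaction date (18 chars)
             + "0000" * 6)                            # six 4-digit item counts
    fields = [("AO", patron["institution"]), ("AA", patron["barcode"]),
              ("BL", "Y"), ("CQ", "Y" if password_ok else "N")]
    if password_ok:
        fields += [(tag, patron[tag]) for tag in DISCLOSING_TAGS if tag in patron]
    body = fixed + "".join(f"{tag}{val}|" for tag, val in fields) + f"AY{seq % 10}AZ"
    return body + sip2_checksum(body) + "\r"


def parse_fields(message: str) -> dict:
    """Return the variable-length fields of a 64 response as {tag: value}."""
    fields = {}
    for part in message.rstrip("\r")[61:].split("|"):  # 61 = fixed header length
        if part.startswith("AY"):                      # trailer: AY<seq>AZ<checksum>
            fields["AY"], fields["AZ"] = part[2:3], part[5:]
        elif part:
            fields[part[:2]] = part[2:]
    return fields


def checksum_valid(message: str) -> bool:
    head, _, given = message.rstrip("\r").rpartition("AZ")
    return sip2_checksum(head + "AZ") == given


def disclosed_fields(password_ok: bool) -> dict:
    """Build the sample response, verify its checksum, return the parsed fields."""
    message = build_patron_info_response(PATRON, password_ok, WHEN)
    assert checksum_valid(message)
    return parse_fields(message)
```

With `password_ok=False` the parsed response carries only AO, AA, BL=Y and CQ=N; with `password_ok=True` the name, e-mail and screen message are added.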