Bug 20701: Add csrf protection to mancredit.pl

author Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Thu, 3 May 2018 12:09:19 +0000 (09:09 -0300)

committer Fridolin Somers <fridolin.somers@biblibre.com>

Wed, 23 May 2018 19:09:53 +0000 (21:09 +0200)
author Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Thu, 3 May 2018 12:09:19 +0000 (09:09 -0300)
committer Fridolin Somers <fridolin.somers@biblibre.com>
Wed, 23 May 2018 19:09:53 +0000 (21:09 +0200)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/mancredit.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/mancredit.tt

index 65a61a5..0f7ffc7 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/mancredit.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/mancredit.tt
@@ -36,6 +36,7 @@ $(document).ready(function(){
 
 <form action="/cgi-bin/koha/members/mancredit.pl" method="post" id="mancredit">
 <input type="hidden" name="borrowernumber" id="borrowernumber" value="[% borrowernumber %]" />
+    <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
 
 <fieldset class="rows">
 <legend>Manual credit</legend><ol>
diff --git a/members/mancredit.pl b/members/mancredit.pl

index a26000d..94c308e 100755 (executable)
--- a/members/mancredit.pl
+++ b/members/mancredit.pl
@@ -36,6 +36,7 @@ use C4::Members::Attributes qw(GetBorrowerAttributes);
 use Koha::Patron::Images;
 
 use Koha::Patron::Categories;
+use Koha::Token;
 
 my $input=new CGI;
 my $flagsrequired = { borrowers => 1, updatecharges => 1 };
@@ -48,6 +49,15 @@ my $add=$input->param('add');
 
 if ($add){
     if ( checkauth( $input, 0, $flagsrequired, 'intranet' ) ) {
+
+        die "Wrong CSRF token"
+            unless Koha::Token->new->check_csrf( {
+                session_id => $input->cookie('CGISESSID'),
+                token  => scalar $input->param('csrf_token'),
+            });
+
+        # Note: If the logged in user is not allowed to see this patron an invoice can be forced
+        # Here we are trusting librarians not to hack the system
         my $barcode = $input->param('barcode');
         my $itemnum;
         if ($barcode) {
@@ -99,6 +109,9 @@ if ($add){
         borrowernumber => $borrowernumber,
         categoryname   => $data->{'description'},
         is_child       => ($data->{'category_type'} eq 'C'),
+        csrf_token => Koha::Token->new->generate_csrf(
+            { session_id => scalar $input->cookie('CGISESSID') }
+        ),
         );
     output_html_with_http_headers $input, $cookie, $template->output;
 }
author	Jonathan Druart <jonathan.druart@bugs.koha-community.org>
	Thu, 3 May 2018 12:09:19 +0000 (09:09 -0300)
committer	Fridolin Somers <fridolin.somers@biblibre.com>
	Wed, 23 May 2018 19:09:53 +0000 (21:09 +0200)
koha-tmpl/intranet-tmpl/prog/en/modules/members/mancredit.tt		patch \| blob \| history
members/mancredit.pl		patch \| blob \| history