projects / koha.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch (parent: 0a52185)
Bug 14566: Fix permissions in patronimage.pl
authorJonathan Druart <jonathan.druart@bugs.koha-community.org>
Wed, 19 Aug 2015 14:42:10 +0000 (15:42 +0100)
committerMason James <mtj@kohaaloha.com>
Fri, 28 Aug 2015 02:55:25 +0000 (14:55 +1200)
There is no permission needed to access the patronimage.pl script.
This means anybody cans access to the patron's images.

Test plan:
Add an image to borrowernumber 42 and call
/cgi-bin/koha/members/patronimage.pl?borrowernumber=42

If you are logged in with borrowers permissions, you will see the image,
otherwise you will get a blank page with a 403 header.

Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Liz Rea <wizzyrea@gmail.com>

Conflicts:
members/patronimage.pl

members/patronimage.pl patch | blob | history

diff --git a/members/patronimage.pl b/members/patronimage.pl
index 4f663d6..38ccb69 100755 (executable)
--- a/members/patronimage.pl
+++ b/members/patronimage.pl
@@ -20,17 +20,17 @@
 #
 #
 
-use strict;
-use warnings;
+use Modern::Perl;
 
 use CGI; #qw(:standard escapeHTML);
+use C4::Auth qw( check_api_auth );
 use C4::Context;
 use C4::Members;
 
 $|=1;
 
 my $DEBUG = 0;
-my $data = new CGI;
+my $query = new CGI;
 my $borrowernumber;
 
 =head1 NAME
@@ -47,8 +47,17 @@ This script, when called from within HTML and passed a valid patron borrowernumb
 
 =cut
 
-if ($data->param('borrowernumber')) {
-    $borrowernumber = $data->param('borrowernumber');
+my ($status, $cookie, $sessionID) = check_api_auth($query, { borrowers => 1} );
+
+unless ( $status eq 'ok' ) {
+    print $query->header(-type => 'text/plain', -status => '403 Forbidden');
+    exit 0;
+}
+
+
+
+if ($query->param('borrowernumber')) {
+    $borrowernumber = $query->param('borrowernumber');
 } else {
     $borrowernumber = shift;
 }
@@ -67,7 +76,7 @@ if ($dberror) {
 # things will result... you have been warned!
 
 if ($imagedata) {
-    print $data->header (-type => $imagedata->{'mimetype'}, -'Cache-Control' => 'no-store', -Content_Length => length ($imagedata->{'imagefile'})), $imagedata->{'imagefile'};
+    print $query->header (-type => $imagedata->{'mimetype'}, -'Cache-Control' => 'no-store', -Content_Length => length ($imagedata->{'imagefile'})), $imagedata->{'imagefile'};
     exit;
 } else {
     warn "No image exists for $borrowernumber";
Mirror of git://git.koha-community.org/koha.git