Bug 19117: Add CSRF protection to paycollect.pl
authorJonathan Druart <jonathan.druart@bugs.koha-community.org>
Wed, 4 Oct 2017 20:49:51 +0000 (17:49 -0300)
committerKatrin Fischer <katrin.fischer.83@web.de>
Sun, 22 Oct 2017 22:06:56 +0000 (22:06 +0000)
Security bug, trivial changes, no need to provide procedure for script
kiddies.

Test plan:
Pay fines using the different options from the "Pay fines" tab.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

koha-tmpl/intranet-tmpl/prog/en/modules/members/paycollect.tt
members/paycollect.pl

index 069ad69..0f9cf79 100644 (file)
@@ -101,6 +101,7 @@ function moneyFormat(textObj) {
 
 [% IF ( pay_individual ) %]
     <form name="payindivfine" id="payindivfine" onsubmit="return validatePayment(this);" method="post" action="/cgi-bin/koha/members/paycollect.pl">
+    <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
     <input type="hidden" name="borrowernumber" id="borrowernumber" value="[% borrower.borrowernumber %]" />
     <input type="hidden" name="pay_individual" id="pay_individual" value="[% pay_individual %]" />
     <input type="hidden" name="itemnumber" id="itemnumber" value="[% itemnumber %]" />
@@ -156,6 +157,7 @@ function moneyFormat(textObj) {
     </form>
 [% ELSIF ( writeoff_individual ) %]
     <form name="woindivfine" id="woindivfine" action="/cgi-bin/koha/members/pay.pl" method="post" >
+    <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
     <fieldset class="rows">
     <legend>Write off an individual fine</legend>
     <input type="hidden" name="borrowernumber" id="borrowernumber" value="[% borrower.borrowernumber %]" />
@@ -197,6 +199,7 @@ function moneyFormat(textObj) {
 [% ELSE %]
 
     <form name="payfine" id="payfine" onsubmit="return validatePayment(this);" method="post" action="/cgi-bin/koha/members/paycollect.pl">
+    <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
     <input type="hidden" name="borrowernumber" id="borrowernumber" value="[% borrower.borrowernumber %]" />
     <input type="hidden" name="selected_accts" id="selected_accts" value="[% selected_accts %]" />
     <input type="hidden" name="total" id="total" value="[% total %]" />
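Review bot: The `woindivfine` form in the second hunk posts to `/cgi-bin/koha/members/pay.pl`, not to paycollect.pl, and pay.pl is not among the files touched by this commit (the diffstat lists only paycollect.tt and paycollect.pl), so the hidden `csrf_token` added there is only effective if pay.pl already verifies it — worth confirming, otherwise the write-off path stays unprotected while appearing covered. The two `[% csrf_token %]` fields on the paycollect.pl forms line up with the `die` check added on that script's payment branch. As a minor consistency point, the template leaves the token unfiltered like the neighbouring `borrower.borrowernumber` value; if the project moves hidden values to `[% ... | html %]` this field should follow.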
index e0a6ad2..ab3247d 100755 (executable)
@@ -30,6 +30,7 @@ use C4::Accounts;
 use C4::Koha;
 use Koha::Patron::Images;
 use Koha::Account;
+use Koha::Token;
 
 use Koha::Patron::Categories;
 
@@ -110,6 +111,12 @@ if ( $total_paid and $total_paid ne '0.00' ) {
             total_due => $total_due
         );
     } else {
+        die "Wrong CSRF token"
+            unless Koha::Token->new->check_csrf( {
+                session_id => $input->cookie('CGISESSID'),
+                token  => scalar $input->param('csrf_token'),
+            });
+
         if ($individual) {
             if ( $total_paid == $total_due ) {
                 makepayment( $accountlines_id, $borrowernumber, $accountno, $total_paid, $user,
@@ -154,6 +161,8 @@ $template->param(
     total         => $total_due,
     RoutingSerials => C4::Context->preference('RoutingSerials'),
     ExtendedPatronAttributes => C4::Context->preference('ExtendedPatronAttributes'),
+
+    csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $input->cookie('CGISESSID') }),
 );
 
 output_html_with_http_headers $input, $cookie, $template->output;
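Review bot: The `check_csrf` call in the first hunk reads the session cookie in list context inside the hash constructor — `session_id => $input->cookie('CGISESSID'),` — whereas the `generate_csrf` call in the second hunk forces `scalar`; CGI.pm's `cookie()` returns an empty list when the cookie is absent, which shifts the hash so `session_id` receives the string 'token' and the real token becomes a key. That still fails closed (the check cannot match), but for the wrong reason and with a misleading hash; use `session_id => scalar $input->cookie('CGISESSID'),` to match the generating side. The `if`/`else` around the check (the payment branch under `if ( $total_paid and $total_paid ne '0.00' )`) starts before the hunk and ends after it, so the error-over branch above the `else` is the only post path that skips the check, and it only sets template params. A one-line comment such as `# Reject the payment unless the posted csrf_token matches this session` above the `die` would help the next reader, since the bare `die "Wrong CSRF token"` surfaces only as a generic server error.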