Bug 24673: Add CSRF token support to opac-messaging.pl v18.11.15
authorDavid Cook <dcook@prosentient.com.au>
Mon, 17 Feb 2020 06:50:49 +0000 (06:50 +0000)
committerHayley Mapley <hayleymapley@catalyst.net.nz>
Tue, 24 Mar 2020 01:33:11 +0000 (14:33 +1300)
This patch adds CSRF token support to opac-messaging.pl. Users can still
manually update their messaging preferences, but bad actors can no longer
trick them into updating those preferences through cross-site requests.

Test plan:
0. Set SMSSendDriver global system preference to "Test" if unset
1. Log into the OPAC
2. Navigate to a URL in your browser like the following:
http://localhost:8080/cgi-bin/koha/opac-messaging.pl?modify=yes
&1=email&digest=1&2-DAYS=5&2=email&digest=2&4=email&SMSnumber=0444444444
3. Observe that the preference and SMS number update

4. Apply the patch

5. Navigate to a URL in your browser like the following:
http://localhost:8080/cgi-bin/koha/opac-messaging.pl?modify=yes
&1=email&digest=1&2-DAYS=5&2=email&digest=2&4=email&SMSnumber=0444444444
6. Observe that you get an error message of "Wrong CSRF token" instead
of the previous behaviour
7. Navigate to a URL in your browser like the following:
http://localhost:8080/cgi-bin/koha/opac-messaging.pl
8. Update "Advance notice" to 3 and update "SMS number" to 61111111111
9. Observe that the "Advance notice" and "SMS number" fields update
correctly

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Joy Nelson <joy@bywatersolutions.com>
(cherry picked from commit 35cdeadbdfbf75731688f71778756aab73ffb824)

Signed-off-by: Hayley Mapley <hayleymapley@catalyst.net.nz>

Signed-off-by: Hayley Mapley <hayleymapley@catalyst.net.nz>

koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-messaging.tt
opac/opac-messaging.pl

index 82f2255..8c2e909 100644 (file)
@@ -29,6 +29,7 @@
                         <div class="alert alert-success"><h4>Settings updated</h4></div>
                     [% END %]
                     <form action="/cgi-bin/koha/opac-messaging.pl" method="get" name="opacmessaging">
+                        <input type="hidden" name="csrf_token" value="[% csrf_token | html %]" />
                         <input type="hidden" name="modify" value="yes" />
 
                             <table class="table table-bordered table-condensed table-striped">
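Review bot: The new hidden `csrf_token` input is submitted by a form whose method is `get` (the `<form ... method="get"` line directly above it), so the token travels in the URL query string and ends up in browser history, server access logs and the Referer header sent to any third-party resource loaded by the resulting page. A token leaked that way stays valid for as long as the session it was minted for, which weakens the protection this commit adds. Switching the form to `method="post"` keeps the token in the request body; CGI's `param()` reads POST bodies the same way, so I would expect the script side to need no change, though that should be confirmed against the `$query->param('modify')` check. The test plan's manual URL steps would then need adjusting, since step 8 becomes a form submission rather than a GET URL.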
index 8a6996a..98add2d 100755 (executable)
@@ -31,6 +31,7 @@ use C4::Members::Messaging;
 use C4::Form::MessagingPreferences;
 use Koha::Patrons;
 use Koha::SMS::Providers;
+use Koha::Token;
 
 my $query = CGI->new();
 
@@ -55,6 +56,11 @@ my $patron = Koha::Patrons->find( $borrowernumber ); # FIXME and if borrowernumb
 my $messaging_options = C4::Members::Messaging::GetMessagingOptions();
 
 if ( defined $query->param('modify') && $query->param('modify') eq 'yes' ) {
+    die "Wrong CSRF token" unless Koha::Token->new->check_csrf({
+        session_id => scalar $query->cookie('CGISESSID'),
+        token  => scalar $query->param('csrf_token'),
+    });
+
     my $sms = $query->param('SMSnumber');
     my $sms_provider_id = $query->param('sms_provider_id');
     if ( defined $sms && ( $patron->smsalertnumber // '' ) ne $sms
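Review bot: The bare `die "Wrong CSRF token"` turns a forged or stale request into an uncaught exception, which in a CGI script surfaces as a generic server error rather than a deliberate rejection; if the other OPAC scripts that call `Koha::Token->check_csrf` follow the same pattern this is at least consistent, but a short comment would make the intent explicit for the next reader, e.g. `# Reject the update unless the token was minted for this CGISESSID; a cross-site request cannot read the cookie-bound token`. The `token  =>` key carries a stray second space where `session_id =>` uses a single one. The enclosing `if ( defined $query->param('modify') ... )` block continues past the end of the hunk.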
@@ -81,4 +87,11 @@ if ( C4::Context->preference("SMSSendDriver") eq 'Email' ) {
     $template->param( sms_providers => \@providers, sms_provider_id => $patron->sms_provider_id );
 }
 
+my $new_session_id = $cookie->value;
+$template->param(
+    csrf_token => Koha::Token->new->generate_csrf({
+            session_id => $new_session_id,
+        }),
+);
+
 output_html_with_http_headers $query, $cookie, $template->output, undef, { force_no_caching => 1 };
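Review bot: `$new_session_id` is just `$cookie->value`, the same cookie that is sent back to the browser on the last line, and nothing in the hunk says why that is preferred over the `CGISESSID` read by the check above; a one-line comment would carry that reasoning, e.g. `# Bind the token to the session cookie sent with this response, so it matches the CGISESSID the browser presents on the next request`. The intermediate variable could then go, and the nested hash uses a 12/8-space indentation that does not match the 4-space step used elsewhere in the script: `$template->param( csrf_token => Koha::Token->new->generate_csrf({ session_id => $cookie->value }) );`. Where `$cookie` is assigned is outside the hunk, so whether it is always a single cookie object here is inferred rather than seen.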