Bug 20701: Add csrf protection to maninvoice.pl

TO test:
1 - Be signed in to Koha
2 - Add a manual invoice to an account, works fine
3 - Now do it via url: http://localhost:8081/cgi-bin/koha/members/maninvoice.pl?borrowernumber=5&type=test&amount=5&add=Save
4 - Apply patches
5 - Test that everything continues to work as expected (but more securely)
6 - Try adding a new invoice via URL
7 - Should get 'internal server error' and wrong csrf token in logs

Works OK.

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
(cherry picked from commit 730d1fd57d982735522b3c7c1bc4d421255c2107)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/maninvoice.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/maninvoice.tt
index 8fc1f68..77778ee 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/maninvoice.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/maninvoice.tt
@@ -48,6 +48,7 @@ $(document).ready(function(){
 [% END %]
 [% ELSE %]
 <form action="/cgi-bin/koha/members/maninvoice.pl" method="post" id="maninvoice"><input type="hidden" name="borrowernumber" id="borrowernumber" value="[% borrowernumber %]" />
+    <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
        <fieldset class="rows">
        <legend>Manual invoice</legend>
        <ol>

diff --git a/members/maninvoice.pl b/members/maninvoice.pl
index 3f49598..7f79e55 100755 (executable)
--- a/members/maninvoice.pl
+++ b/members/maninvoice.pl
@@ -33,6 +33,7 @@ use C4::Accounts;
 use C4::Items;
 use C4::Members::Attributes qw(GetBorrowerAttributes);
 use Koha::Patron::Images;
+use Koha::Token;
 
 use Koha::Patron::Categories;
 
@@ -46,6 +47,11 @@ my $borrowernumber=$input->param('borrowernumber');
 my $data=GetMember('borrowernumber'=>$borrowernumber);
 my $add=$input->param('add');
 if ($add){
+    die "Wrong CSRF token"
+        unless Koha::Token->new->check_csrf( {
+            session_id => $input->cookie('CGISESSID'),
+            token => scalar $input->param('csrf_token'),
+        });
     if ( checkauth( $input, 0, $flagsrequired, 'intranet' ) ) {
         #  print $input->header;
         my $barcode=$input->param('barcode');
@@ -71,6 +77,7 @@ if ($add){
             if ( $error =~ /FOREIGN KEY/ && $error =~ /itemnumber/ ) {
                 $template->param( 'ITEMNUMBER' => 1 );
             }
+            $template->param( csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $input->cookie('CGISESSID') }) );
             $template->param( 'ERROR' => $error );
             output_html_with_http_headers $input, $cookie, $template->output;
         } else {
@@ -120,6 +127,7 @@ if ($add){
 
     $template->param(%$data);
     $template->param(
+        csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $input->cookie('CGISESSID') }),
         finesview      => 1,
         borrowernumber => $borrowernumber,
         categoryname   => $data->{'description'},