From: Jonathan Druart Date: Wed, 4 Oct 2017 20:49:51 +0000 (-0300) Subject: Bug 19117: Add CSRF protection to paycollect.pl X-Git-Tag: v16.11.13~3 X-Git-Url: http://git.equinoxoli.org/?p=koha.git;a=commitdiff_plain;h=654f2bc2e588305bb10b2dc0b7756dbe53238d64 Bug 19117: Add CSRF protection to paycollect.pl Security bug, trivial changes, no need to provide procedure for script kiddies. Test plan: Pay fines using the different options from the "Pay fines" tab. Signed-off-by: Katrin Fischer Signed-off-by: Marcel de Rooy Signed-off-by: Katrin Fischer --- diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/paycollect.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/paycollect.tt index 069ad69..0f9cf79 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/paycollect.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/paycollect.tt @@ -101,6 +101,7 @@ function moneyFormat(textObj) { [% IF ( pay_individual ) %]
+ @@ -156,6 +157,7 @@ function moneyFormat(textObj) {
[% ELSIF ( writeoff_individual ) %]
+
Write off an individual fine @@ -197,6 +199,7 @@ function moneyFormat(textObj) { [% ELSE %] + diff --git a/members/paycollect.pl b/members/paycollect.pl index e0a6ad2..ab3247d 100755 --- a/members/paycollect.pl +++ b/members/paycollect.pl @@ -30,6 +30,7 @@ use C4::Accounts; use C4::Koha; use Koha::Patron::Images; use Koha::Account; +use Koha::Token; use Koha::Patron::Categories; @@ -110,6 +111,12 @@ if ( $total_paid and $total_paid ne '0.00' ) { total_due => $total_due ); } else { + die "Wrong CSRF token" + unless Koha::Token->new->check_csrf( { + session_id => $input->cookie('CGISESSID'), + token => scalar $input->param('csrf_token'), + }); + if ($individual) { if ( $total_paid == $total_due ) { makepayment( $accountlines_id, $borrowernumber, $accountno, $total_paid, $user, @@ -154,6 +161,8 @@ $template->param( total => $total_due, RoutingSerials => C4::Context->preference('RoutingSerials'), ExtendedPatronAttributes => C4::Context->preference('ExtendedPatronAttributes'), + + csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $input->cookie('CGISESSID') }), ); output_html_with_http_headers $input, $cookie, $template->output;
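Review bot: The new check_csrf() call passes `session_id => $input->cookie('CGISESSID'),` without `scalar`, while the `token` argument on the next line and the generate_csrf() call added later in this commit both force scalar context (`scalar $input->param('csrf_token')`, `scalar $input->cookie('CGISESSID')`); CGI's cookie() returns every value for that name in list context, so inside the hash constructor a request carrying more than one CGISESSID cookie would shift the key/value pairs and the check would run on mangled arguments (most likely failing closed, but for the wrong reason and with an odd-elements warning). Make the two sites consistent: `session_id => scalar $input->cookie('CGISESSID'),`. Separately, the bare `die "Wrong CSRF token"` ends without a newline, so Perl appends the script path and line number, and an uncaught die in a CGI script typically reaches the patron as a generic 500 rather than a deliberate 403 or error template; if the script has an error-page helper available, rendering that and exiting would be the more controlled response, though I cannot confirm one from this hunk. The enclosing `if ( $total_paid ... ) { ... } else {` block begins before the hunk and its payment branches continue past it, so I cannot tell from here whether the write-off form that also gained a hidden token in paycollect.tt is handled by a path that passes through this check.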