Bug 36532: Protect opac-dismiss-message.pl from malicious usages

Really bad design, NEVER retrieve the logged in user from the CGI param! See comment 1 for more info Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2024-04-05 08:58:06 +02:00 · 2024-04-05 08:58:06 +02:00 · 0776369776
commit 0776369776
parent 489f6f86fd
2 changed files with 8 additions and 5 deletions
--- a/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-note.inc
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-note.inc
@ -10,7 +10,6 @@
                <form id="dismiss-message-form" action="/cgi-bin/koha/opac-dismiss-message.pl" method="post">
                    [% INCLUDE 'csrf-token.inc' %]
                    <input type="hidden" name="message_id" value="[% message.message_id | html %]">
-                    <input type="hidden" name="patron_id" value="[% message.borrowernumber | html %]">
                    <input type="hidden" name="op" value="cud-update" />
                    <button type="submit" class="dismiss-message-button btn btn-primary"><i class="fa fa-trash" aria-hidden="true"></i> Dismiss</button>
                </form>
--- a/opac/opac-dismiss-message.pl
+++ b/opac/opac-dismiss-message.pl
@ -36,10 +36,14 @@ my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
    }
 );

-my $patron_id = $query->param('patron_id');
-my $patron = Koha::Patrons->find( $patron_id );
-my $message_id = $query->param('message_id');
-my $message = $patron->messages->find( $message_id );
+my $logged_in_user = Koha::Patrons->find($borrowernumber);
+my $message_id     = $query->param('message_id');
+my $message        = $logged_in_user->messages->find($message_id);
+
+unless ($message) {
+    print $query->redirect("/cgi-bin/koha/errors/404.pl");
+    exit;
+}

 unless ( $op =~ /^cud-/ && $message ) {
    # exit early