Bug 36532: Protect opac-dismiss-message.pl from malicious usages
Really bad design, NEVER retrieve the logged in user from the CGI param! See comment 1 for more info. Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This commit is contained in:
parent
489f6f86fd
commit
0776369776
2 changed files with 8 additions and 5 deletions
|
@ -10,7 +10,6 @@
|
|||
<form id="dismiss-message-form" action="/cgi-bin/koha/opac-dismiss-message.pl" method="post">
|
||||
[% INCLUDE 'csrf-token.inc' %]
|
||||
<input type="hidden" name="message_id" value="[% message.message_id | html %]">
|
||||
<input type="hidden" name="patron_id" value="[% message.borrowernumber | html %]">
|
||||
<input type="hidden" name="op" value="cud-update" />
|
||||
<button type="submit" class="dismiss-message-button btn btn-primary"><i class="fa fa-trash" aria-hidden="true"></i> Dismiss</button>
|
||||
</form>
|
||||
|
|
|
@ -36,10 +36,14 @@ my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
|
|||
}
|
||||
);
|
||||
|
||||
my $patron_id = $query->param('patron_id');
|
||||
my $patron = Koha::Patrons->find( $patron_id );
|
||||
my $message_id = $query->param('message_id');
|
||||
my $message = $patron->messages->find( $message_id );
|
||||
my $logged_in_user = Koha::Patrons->find($borrowernumber);
|
||||
my $message_id = $query->param('message_id');
|
||||
my $message = $logged_in_user->messages->find($message_id);
|
||||
|
||||
unless ($message) {
|
||||
print $query->redirect("/cgi-bin/koha/errors/404.pl");
|
||||
exit;
|
||||
}
|
||||
|
||||
unless ( $op =~ /^cud-/ && $message ) {
|
||||
# exit early
|
||||
|
|
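Review bot: `$logged_in_user` is dereferenced on the `my $message = $logged_in_user->messages->find($message_id);` line without a defined check; if `get_template_and_user` can hand back an undefined `$borrowernumber` here (its argument list starts above the hunk, so whether authentication is required is not visible), `Koha::Patrons->find` returns undef and `->messages` dies with a server error instead of reaching the 404 redirect that follows. A one-line guard keeps both cases on the redirect path: `my $message = $logged_in_user ? $logged_in_user->messages->find($message_id) : undef;`. With the early 404 in place, the `&& $message` in the later `unless ( $op =~ /^cud-/ && $message )` is always true and can be dropped; that block continues past the end of the hunk. A short why-comment on the lookup would help the next maintainer keep the scoping intact, e.g. `# Resolve the message through the authenticated patron so a message_id owned by another patron cannot be found here.`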