From 2278d229e899cd279f62addd8275365718ad8cbb Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Fri, 5 Apr 2024 08:58:06 +0200
Subject: [PATCH] Bug 36532: Protect opac-dismiss-message.pl from malicious usages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Really bad design, NEVER retrieve the logged in user from the CGI param! See comment 1 for more info

Signed-off-by: Owen Leonard
Signed-off-by: David Cook
Signed-off-by: Wainui Witika-Park
(cherry picked from commit c92d38a6c603278e0d253c6e29731380c017ebb7)
Signed-off-by: Frédéric Demians
---
 .../bootstrap/en/includes/opac-note.inc | 6 ++++++
 opac/opac-routing-lists.pl | 17 ++++++++++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-note.inc b/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-note.inc
index 22e6a068ce..6352ff912c 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-note.inc
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-note.inc
@@ -7,6 +7,12 @@ [% message.message | html | html_line_break %]
   Written on [% message.message_date | $KohaDates %] by [% Branches.GetName(message.branchcode) | html %] +
+ [% INCLUDE 'csrf-token.inc' %] + + + +
[% END %] [% IF ( opacnote ) %]
  • [% opacnote | html | html_line_break %]
  • [% END %]
diff --git a/opac/opac-routing-lists.pl b/opac/opac-routing-lists.pl
index 299bb29e78..48e6383dfd 100755
--- a/opac/opac-routing-lists.pl
+++ b/opac/opac-routing-lists.pl
@@ -39,7 +39,22 @@ my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
 }
 );
-my $patron = Koha::Patrons->find( $borrowernumber );
+my $logged_in_user = Koha::Patrons->find($borrowernumber);
+my $message_id = $query->param('message_id');
+my $message = $logged_in_user->messages->find($message_id);
+
+unless ($message) {
+ print $query->redirect("/cgi-bin/koha/errors/404.pl");
+ exit;
+}
+
+unless ( $op =~ /^cud-/ && $message ) {
+ # exit early
+ print $query->redirect("/cgi-bin/koha/opac-user.pl");
+ exit;
+}
+
+$message->update({ patron_read_date => dt_from_string });
 $template->param(
 routinglistsview => 1,
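Review bot: The `cud-` op guard in the second `unless` runs only after the message has already been looked up, and its `&& $message` clause is dead code because the first `unless` has already exited when no message was found; moving the op guard above `my $message = $logged_in_user->messages->find($message_id);` lets a request without a `cud-` op leave before touching the database, and the guard then reads simply `unless ( $op =~ /^cud-/ ) {`. `$op` is not declared anywhere in the hunk; if it is read from `$query->param('op')` earlier in the file it can be undef, and `( $op // q{} ) =~ /^cud-/` avoids an uninitialized-value warning on that path. The scoping of the lookup to `$logged_in_user->messages` rather than a patron taken from a request parameter is the right fix and should stay as written. Note that the file header names `opac/opac-routing-lists.pl` while the subject line names opac-dismiss-message.pl; if this rendering is faithful, confirm the hunk landed in the intended script. The `$template->param(` call continues past the end of the hunk.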