Bug 36532: Protect opac-dismiss-message.pl from malicious usages
Really bad design: NEVER retrieve the logged-in user from a CGI parameter! See comment 1 for more info. Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz> (cherry picked from commit c92d38a6c603278e0d253c6e29731380c017ebb7) Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
parent
2eab2949fc
commit
2278d229e8
2 changed files with 22 additions and 1 deletions
@ -7,6 +7,12 @@
|
||||||
<strong>[% message.message | html | html_line_break %]</strong><br>
|
<strong>[% message.message | html | html_line_break %]</strong><br>
|
||||||
<em>Written on [% message.message_date | $KohaDates %] by [% Branches.GetName(message.branchcode) | html %]</em>
|
<em>Written on [% message.message_date | $KohaDates %] by [% Branches.GetName(message.branchcode) | html %]</em>
|
||||||
</li>
|
</li>
|
||||||
|
<form id="dismiss-message-form" action="/cgi-bin/koha/opac-dismiss-message.pl" method="post">
|
||||||
|
[% INCLUDE 'csrf-token.inc' %]
|
||||||
|
<input type="hidden" name="message_id" value="[% message.message_id | html %]">
|
||||||
|
<input type="hidden" name="op" value="cud-update" />
|
||||||
|
<button type="submit" class="dismiss-message-button btn btn-primary"><i class="fa fa-trash" aria-hidden="true"></i> Dismiss</button>
|
||||||
|
</form>
|
||||||
[% END %]
|
[% END %]
|
||||||
|
|
||||||
[% IF ( opacnote ) %]<li>[% opacnote | html | html_line_break %]</li>[% END %]
|
[% IF ( opacnote ) %]<li>[% opacnote | html | html_line_break %]</li>[% END %]
|
||||||
|
|
|
@ -39,7 +39,22 @@ my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
|
||||||
my $patron = Koha::Patrons->find( $borrowernumber );
|
my $logged_in_user = Koha::Patrons->find($borrowernumber);
|
||||||
|
my $message_id = $query->param('message_id');
|
||||||
|
my $message = $logged_in_user->messages->find($message_id);
|
||||||
|
|
||||||
|
unless ($message) {
|
||||||
|
print $query->redirect("/cgi-bin/koha/errors/404.pl");
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
unless ( $op =~ /^cud-/ && $message ) {
|
||||||
|
# exit early
|
||||||
|
print $query->redirect("/cgi-bin/koha/opac-user.pl");
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
$message->update({ patron_read_date => dt_from_string });
|
||||||
|
|
||||||
$template->param(
|
$template->param(
|
||||||
routinglistsview => 1,
|
routinglistsview => 1,
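Review bot: The op guard `unless ( $op =~ /^cud-/ && $message )` is only a prefix match, so any op value starting with `cud-` marks the message read, while the form added in this commit submits exactly `cud-update`; pin it and drop the `&& $message` clause, which the 404 branch above already guarantees is true: `unless ( defined $op && $op eq 'cud-update' ) {`. `$op` is assigned above the hunk, and whether `$logged_in_user` can be undef here depends on the `get_template_and_user` arguments that start before the hunk, so I cannot confirm from these lines that an anonymous request is rejected before `$logged_in_user->messages` is called. The per-patron scoping of the lookup is the real fix and deserves a why-comment on the `messages->find` line, e.g. `# Look the message up through the logged-in patron so a forged message_id cannot reach another patron's record`.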
|