Bug 36532: Protect opac-dismiss-message.pl from malicious usages

Really bad design, NEVER retrieve the logged in user from the CGI
param!

See comment 1 for more info

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit c92d38a6c603278e0d253c6e29731380c017ebb7)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Jonathan Druart 2024-04-05 08:58:06 +02:00 committed by Frédéric Demians
parent 2eab2949fc
commit 2278d229e8
2 changed files with 22 additions and 1 deletion

@ -7,6 +7,12 @@
<strong>[% message.message | html | html_line_break %]</strong><br>
&nbsp;&nbsp;&nbsp;<em>Written on [% message.message_date | $KohaDates %] by [% Branches.GetName(message.branchcode) | html %]</em>
</li>
<form id="dismiss-message-form" action="/cgi-bin/koha/opac-dismiss-message.pl" method="post">
[% INCLUDE 'csrf-token.inc' %]
<input type="hidden" name="message_id" value="[% message.message_id | html %]">
<input type="hidden" name="op" value="cud-update" />
<button type="submit" class="dismiss-message-button btn btn-primary"><i class="fa fa-trash" aria-hidden="true"></i> Dismiss</button>
</form>
[% END %]
[% IF ( opacnote ) %]<li>[% opacnote | html | html_line_break %]</li>[% END %]
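Review bot: the two hidden inputs in this hunk use different self-closing styles, `<input type="hidden" name="message_id" value="[% message.message_id | html %]">` without a trailing slash and `<input type="hidden" name="op" value="cud-update" />` with one; pick one form for consistency with the rest of the template. The shape of the form is otherwise right for the fix described in the commit message: it posts only `message_id` and the `cud-update` op together with the token from `csrf-token.inc`, so the patron identity has to come from the server-side session rather than from any request parameter, and `message_id` goes through the `html` filter before being written into the attribute.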

@ -39,7 +39,22 @@ my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
}
);
my $patron = Koha::Patrons->find( $borrowernumber );
my $logged_in_user = Koha::Patrons->find($borrowernumber);
my $message_id = $query->param('message_id');
my $message = $logged_in_user->messages->find($message_id);
unless ($message) {
print $query->redirect("/cgi-bin/koha/errors/404.pl");
exit;
}
unless ( $op =~ /^cud-/ && $message ) {
# exit early
print $query->redirect("/cgi-bin/koha/opac-user.pl");
exit;
}
$message->update({ patron_read_date => dt_from_string });
$template->param(
routinglistsview => 1,
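Review bot: `$message` in `unless ( $op =~ /^cud-/ && $message )` is dead, because the preceding `unless ($message) { ... exit; }` block has already redirected to `errors/404.pl` for any id not found among `$logged_in_user->messages`; drop the `&& $message` or fold the two checks into one. The hunk also shows both `my $patron = Koha::Patrons->find( $borrowernumber );` and `my $logged_in_user = Koha::Patrons->find($borrowernumber);`, which look up the same row twice: if `$patron` is no longer referenced below, one of them should go, otherwise it is just an alias of `$logged_in_user`. The scoping itself is the right fix for the bug: resolving the message through `$logged_in_user->messages->find($message_id)` instead of by bare id means a request carrying another patron's `message_id` gets a 404 rather than setting `patron_read_date` on that patron's message, and the update only runs once the `cud-` op check has passed. Two smaller points: the op check could come before the database lookup so a plain GET is redirected to `opac-user.pl` without a query, and `/^cud-/` accepts any `cud-` prefixed op rather than `cud-update` specifically, which is fine if that is the project-wide convention for state-changing requests but worth stating in a comment.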