Bug 24879: Add check_cookie_auth when missing

This can certainly be improved to adjust the permissions, but at least
they are no longer open to the world.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 496c8c4e2d9199a38c796fdd6f63d89d8c6b215d)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Jonathan Druart 2024-03-14 16:19:06 +01:00 committed by Fridolin Somers
parent 3e26c96efc
commit 3b95f48807
15 changed files with 130 additions and 1 deletions


@ -37,6 +37,13 @@ use C4::Output qw( output_with_http_headers );
use C4::Items qw( SearchItems );
my $input = CGI->new;
my ($auth_status) =
check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
if ( $auth_status ne "ok" ) {
print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
exit 0;
}
my @field = $input->multi_param('field[]');
my @value = $input->multi_param('value[]');
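Review bot: The guard added here has no comment recording that `catalogue` is a stopgap flag, although the commit message says the permissions still need adjusting; I would put `# Bug 24879 stopgap: any staff session holding 'catalogue' passes; narrow to this script's own permission` above the `check_cookie_auth` call. The same six lines recur in every other section of this commit, differing only in the CGI variable (`$input`, `$cgi`, `$query`), so a shared helper would keep the flag and the 403 response in one place when they are tightened. This hunk, the `$| = 1;` section and the `$cgi`/`$query` sections show no `use C4::Auth qw( check_cookie_auth );` line in their context, so confirm the import exists above the visible lines; otherwise the call dies at run time instead of returning 403.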


@ -33,6 +33,13 @@ use Koha::CoverImages;
$| = 1;
my $input = CGI->new;
my ($auth_status) =
check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
if ( $auth_status ne "ok" ) {
print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
exit 0;
}
my $imagenumber;
=head1 NAME


@ -19,10 +19,18 @@
use Modern::Perl;
use CGI qw ( -utf8 );
use C4::Auth qw( check_cookie_auth );
use Koha::FrameworkPlugin;
my $input = CGI->new;
my ($auth_status) =
check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
if ( $auth_status ne "ok" ) {
print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
exit 0;
}
my $plugin= Koha::FrameworkPlugin->new( {
name => scalar $input->param("plugin_name"),
});


@ -29,6 +29,16 @@ use Koha::DateUtils qw( dt_from_string );
use Algorithm::CheckDigits qw( CheckDigits );
use CGI qw ( -utf8 );
use C4::Auth qw( check_cookie_auth );
my $input = CGI->new;
my ($auth_status) =
check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
if ( $auth_status ne "ok" ) {
print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
exit 0;
}
my $builder = sub {
my ( $params ) = @_;
my $function_name = $params->{id};
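Review bot: The check sits at file top level, ahead of `my $builder = sub`, so it runs every time the file is evaluated and not only when it is requested directly. If these builder files are also loaded by another script (the section with `Koha::FrameworkPlugin->new` suggests a launcher, though that is not visible here), a staff user who can edit records but lacks `catalogue` would hit `exit 0` in the middle of the host page, and a second `CGI->new` would run after the request has already been parsed once. A comment such as `# Runs at load time: blocks direct requests; a loading script must already hold 'catalogue'` would make that contract explicit. The same applies to the other sections that end in `my $builder = sub {`, and the builder body continues outside the hunk.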


@ -27,6 +27,16 @@ use C4::Barcodes::ValueBuilder;
use C4::Biblio qw( GetMarcFromKohaField );
use Koha::DateUtils qw( dt_from_string );
use CGI qw ( -utf8 );
use C4::Auth qw( check_cookie_auth );
my $input = CGI->new;
my ($auth_status) =
check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
if ( $auth_status ne "ok" ) {
print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
exit 0;
}
my $builder = sub {
my ( $params ) = @_;
my $function_name = $params->{id};


@ -21,6 +21,16 @@
# along with Koha; if not, see <http://www.gnu.org/licenses>.
use Modern::Perl;
use CGI qw ( -utf8 );
use C4::Auth qw( check_cookie_auth );
my $input = CGI->new;
my ($auth_status) =
check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
if ( $auth_status ne "ok" ) {
print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
exit 0;
}
my $builder = sub {
my ( $params ) = @_;
my $function_name = $params->{id};


@ -21,6 +21,16 @@
use Modern::Perl;
use CGI qw ( -utf8 );
use C4::Auth qw( check_cookie_auth );
my $input = CGI->new;
my ($auth_status) =
check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
if ( $auth_status ne "ok" ) {
print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
exit 0;
}
my $builder = sub {
my ( $params ) = @_;
my $function_name = $params->{id};


@ -20,7 +20,17 @@
# along with Koha; if not, see <http://www.gnu.org/licenses>.
use Modern::Perl;
use C4::Context;
use CGI qw ( -utf8 );
use C4::Auth qw( check_cookie_auth );
my $input = CGI->new;
my ($auth_status) =
check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
if ( $auth_status ne "ok" ) {
print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
exit 0;
}
my $builder = sub {
my ( $params ) = @_;


@ -27,6 +27,16 @@ biblioitems.publishercode
use Modern::Perl;
use C4::Context;
use CGI qw ( -utf8 );
use C4::Auth qw( check_cookie_auth );
my $input = CGI->new;
my ($auth_status) =
check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
if ( $auth_status ne "ok" ) {
print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
exit 0;
}
my $builder = sub {
my ( $params ) = @_;
my $function_name = $params->{id};


@ -24,6 +24,15 @@ use Modern::Perl;
use C4::Context;
use Koha::Libraries;
use CGI qw ( -utf8 );
use C4::Auth qw( check_cookie_auth );
my $input = CGI->new;
my ($auth_status) =
check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
if ( $auth_status ne "ok" ) {
print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
exit 0;
}
my $builder = sub {
my ( $params ) = @_;


@ -21,6 +21,15 @@
use Modern::Perl;
use C4::Context;
use CGI qw ( -utf8 );
use C4::Auth qw( check_cookie_auth );
my $input = CGI->new;
my ($auth_status) =
check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
if ( $auth_status ne "ok" ) {
print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
exit 0;
}
my $builder = sub {
my ( $params ) = @_;


@ -30,6 +30,16 @@ use Modern::Perl;
# the possibility to delete the uploaded file. If the field is empty, you
# can upload a new file.
use CGI qw ( -utf8 );
use C4::Auth qw( check_cookie_auth );
my $input = CGI->new;
my ($auth_status) =
check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
if ( $auth_status ne "ok" ) {
print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
exit 0;
}
my $builder = sub {
my ( $params ) = @_;
return <<"SCRIPT";


@ -26,6 +26,12 @@ use Text::CSV_XS;
use C4::Labels;
my $cgi = CGI->new;
my ($auth_status) =
check_cookie_auth( $cgi->cookie('CGISESSID'), { catalogue => 1 } );
if ( $auth_status ne "ok" ) {
print $cgi->header( -type => 'text/plain', -status => '403 Forbidden' );
exit 0;
}
my $batch_id;
my @label_ids;
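Review bot: `{ catalogue => 1 }` is a broad flag for a script that, judging by `Text::CSV_XS`, `C4::Labels`, `$batch_id` and `@label_ids`, exports label batches; any session with catalogue access can now pull that data. If the project defines a label- or tools-specific permission, use it in the flags hash in place of `catalogue`, and until then mark the line with `# TODO: narrow from 'catalogue' to the label permission`. The same holds for the following `XML::Simple` section and for the `$query` section that reads `supplierid` and `serialid`, where a serials-specific flag looks like the better fit. The rest of the script is outside the hunk, so whether a later check already narrows access cannot be seen from here.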


@ -26,6 +26,12 @@ use XML::Simple;
use C4::Labels;
my $cgi = CGI->new;
my ($auth_status) =
check_cookie_auth( $cgi->cookie('CGISESSID'), { catalogue => 1 } );
if ( $auth_status ne "ok" ) {
print $cgi->header( -type => 'text/plain', -status => '403 Forbidden' );
exit 0;
}
my $batch_id;
my @label_ids;


@ -27,6 +27,13 @@ use Koha::CsvProfiles;
use Text::CSV_XS;
my $query = CGI->new;
my ($auth_status) =
check_cookie_auth( $query->cookie('CGISESSID'), { catalogue => 1 } );
if ( $auth_status ne "ok" ) {
print $query->header( -type => 'text/plain', -status => '403 Forbidden' );
exit 0;
}
my $supplierid = $query->param('supplierid');
my @serialids = $query->multi_param('serialid');
my $op = $query->param('op') || q{};