Bug 18019: Add CSRF protection to authorities-home.pl (op==delete)

Without this patch, it is possible to delete authority records with URL manipulation. Like: /cgi-bin/koha/authorities/authorities-home.pl?op=delete&authid=[XXX] Test plan: [1] Go to Authorities. Search for some authorities (without links). [2] Delete an authority. Should work. [3] Apply patch. [4] Construct an URL like above to delete another authority. Should fail. Under Plack this results in an internal server error, the log tells you: Wrong CSRF token. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Amended the test plan. Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-02-07 09:09:33 +01:00 · 2017-02-07 09:09:33 +01:00 · 5a7dc0749f
commit 5a7dc0749f
parent f454013ec9
2 changed files with 15 additions and 1 deletions
--- a/authorities/authorities-home.pl
+++ b/authorities/authorities-home.pl
@ -36,6 +36,7 @@ use C4::Search::History;
 use Koha::Authority::Types;
 use Koha::SearchEngine::Search;
 use Koha::SearchEngine::QueryBuilder;
+use Koha::Token;

 my $query = new CGI;
 my $dbh   = C4::Context->dbh;
@ -58,6 +59,12 @@ if ( $op eq "delete" ) {
            debug           => 1,
        }
    );
+
+    die "Wrong CSRF token" unless Koha::Token->new->check_csrf({
+        session_id => scalar $query->cookie('CGISESSID'),
+        token  => scalar $query->param('csrf_token'),
+    });
+
    &DelAuthority( $authid, 1 );

    if ( $query->param('operator') ) {
@ -111,6 +118,12 @@ if ( $op eq "do_search" ) {
        }
    );

+    $template->param(
+        csrf_token => Koha::Token->new->generate_csrf({
+            session_id => scalar $query->cookie('CGISESSID'),
+        }),
+    );
+
    # search history
    if (C4::Context->preference('EnableSearchHistory')) {
        if ( $startfrom == 1) {
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/searchresultlist.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/searchresultlist.tt
@ -19,7 +19,8 @@ function confirm_deletion(id) {
          + "&orderby=[% orderby %]"
          + "&value=[% value |url %]"
          + "&startfrom=[% startfrom %]"
-          + "&resultsperpage=[% resultsperpage %]";
+          + "&resultsperpage=[% resultsperpage %]"
+          + "&csrf_token=[% csrf_token %]";
    }
 }