Bug 36532: Protect opac-dismiss-message.pl from malicious usages

Really bad design, NEVER retrieve the logged in user from the CGI param! See comment 1 for more info Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: David Cook <dcook@prosentient.com.au> (cherry picked from commit a40e1fd62c7320ad5f7b8514ba2bd129aad2d10f) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com> (cherry picked from commit 1df8ee1994) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
2 months ago · 919d5b88ab
2 changed files with 8 additions and 5 deletions
--- a/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-note.inc
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-note.inc
@ -9,7 +9,6 @@
                </li>
                <form id="dismiss-message-form" action="/cgi-bin/koha/opac-dismiss-message.pl" method="post">
                    <input type="hidden" name="message_id" value="[% message.message_id | html %]">
-                    <input type="hidden" name="patron_id" value="[% message.borrowernumber | html %]">
                    <button type="submit" class="dismiss-message-button btn btn-primary"><i class="fa fa-trash" aria-hidden="true"></i> Dismiss</button>
                </form>
            [% END %]
--- a/opac/opac-dismiss-message.pl
+++ b/opac/opac-dismiss-message.pl
@ -35,10 +35,14 @@ my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
    }
 );

-my $patron_id = $query->param('patron_id');
-my $patron = Koha::Patrons->find( $patron_id );
-my $message_id = $query->param('message_id');
-my $message = $patron->messages->find( $message_id );
+my $logged_in_user = Koha::Patrons->find($borrowernumber);
+my $message_id     = $query->param('message_id');
+my $message        = $logged_in_user->messages->find($message_id);
+
+unless ($message) {
+    print $query->redirect("/cgi-bin/koha/errors/404.pl");
+    exit;
+}

 unless ( $message ) {
    # exit early