Bug 30524: Core CSRF checking code

Split out from bug 22990 as requested.

Signed-off-by: David Cook <dcook@prosentient.com.au>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit aba9e61cfbab1e915f1be4a527b5708b9ec59c35)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 6d6d36f6df79d3df22ea299934073d903f86e64a)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>

C4/Auth.pm

@@ -51,6 +51,7 @@ use Net::CIDR;
 use C4::Log qw( logaction );
 use Koha::CookieManager;
 use Koha::Auth::Permissions;
+use Koha::Token;
 
 # use utf8;
 
@@ -307,6 +308,7 @@ sub get_template_and_user {
         $template->param( loggedinusernumber => $borrowernumber ); # FIXME Should be replaced with logged_in_user.borrowernumber
         $template->param( logged_in_user     => $patron );
         $template->param( sessionID          => $sessionID );
+        $template->param( csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $sessionID }));
 
         if ( $in->{'type'} eq 'opac' ) {
             require Koha::Virtualshelves;

C4/Output.pm

@@ -34,6 +34,7 @@ use URI::Escape;
 use C4::Auth qw( get_template_and_user );
 use C4::Context;
 use C4::Templates;
+use Koha::Token;
 
 our (@ISA, @EXPORT_OK);
 
@@ -314,9 +315,17 @@ sub is_ajax {
 To executed at the beginning of scripts to stop the script at this point if
 some errors are found.
 
-Tests for module 'members':
-* patron is not defined (we are looking for a patron that does no longer exist/never existed)
-* The logged in user cannot see patron's infos (feature 'cannot_see_patron_infos')
+A series of tests can be run for a given module, or a specific check.
+Params "module" and "check" are mutually exclusive.
+
+Tests for modules:
+* members:
+    - Patron is not defined (we are looking for a patron that does no longer exist/never existed)
+    - The logged in user cannot see patron's infos (feature 'cannot_see_patron_infos')
+
+Tests for specific check:
+* csrf_token
+    will test if the csrf_token CGI param is valid
 
 Others will be added here depending on the needs (for instance biblio does not exist will be useful).
 
@@ -332,16 +341,28 @@ sub output_and_exit_if_error {
             if ( not $current_patron ) {
                 $error = 'unknown_patron';
             }
-            elsif( not $logged_in_user->can_see_patron_infos( $current_patron ) ) {
+            elsif ( not $logged_in_user->can_see_patron_infos($current_patron) )
+            {
                 $error = 'cannot_see_patron_infos';
             }
-        } elsif ( $params->{module} eq 'cataloguing' ) {
+        }
+        elsif ( $params->{module} eq 'cataloguing' ) {
             # We are testing the record to avoid additem to fetch the Koha::Biblio
             # But in the long term we will want to get a biblio in parameter
             $error = 'unknown_biblio' unless $params->{record};
         }
     }
-
+    elsif ( $params and exists $params->{check} ) {
+        if ( $params->{check} eq 'csrf_token' ) {
+            $error = 'wrong_csrf_token'
+              unless Koha::Token->new->check_csrf(
+                {
+                    session_id => scalar $query->cookie('CGISESSID'),
+                    token      => scalar $query->param('csrf_token'),
+                }
+              );
+        }
+    }
     output_and_exit( $query, $cookie, $template, $error ) if $error;
     return;
 }

koha-tmpl/intranet-tmpl/prog/en/includes/csrf-token.inc

@@ -0,0 +1 @@
+<input type="hidden" name="csrf_token" value="[% csrf_token | html %]" />