Bug 30524: Core CSRF checking code
Split out from bug 22990 as requested. Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> (cherry picked from commit aba9e61cfbab1e915f1be4a527b5708b9ec59c35) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com> (cherry picked from commit 6d6d36f6df79d3df22ea299934073d903f86e64a) Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
This commit is contained in:
parent
0b4b871f6d
commit
c8ce2e559b
3 changed files with 30 additions and 6 deletions
|
@ -51,6 +51,7 @@ use Net::CIDR;
|
||||||
use C4::Log qw( logaction );
|
use C4::Log qw( logaction );
|
||||||
use Koha::CookieManager;
|
use Koha::CookieManager;
|
||||||
use Koha::Auth::Permissions;
|
use Koha::Auth::Permissions;
|
||||||
|
use Koha::Token;
|
||||||
|
|
||||||
# use utf8;
|
# use utf8;
|
||||||
|
|
||||||
|
@ -307,6 +308,7 @@ sub get_template_and_user {
|
||||||
$template->param( loggedinusernumber => $borrowernumber ); # FIXME Should be replaced with logged_in_user.borrowernumber
|
$template->param( loggedinusernumber => $borrowernumber ); # FIXME Should be replaced with logged_in_user.borrowernumber
|
||||||
$template->param( logged_in_user => $patron );
|
$template->param( logged_in_user => $patron );
|
||||||
$template->param( sessionID => $sessionID );
|
$template->param( sessionID => $sessionID );
|
||||||
|
$template->param( csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $sessionID }));
|
||||||
|
|
||||||
if ( $in->{'type'} eq 'opac' ) {
|
if ( $in->{'type'} eq 'opac' ) {
|
||||||
require Koha::Virtualshelves;
|
require Koha::Virtualshelves;
|
||||||
|
|
33
C4/Output.pm
33
C4/Output.pm
|
@ -34,6 +34,7 @@ use URI::Escape;
|
||||||
use C4::Auth qw( get_template_and_user );
|
use C4::Auth qw( get_template_and_user );
|
||||||
use C4::Context;
|
use C4::Context;
|
||||||
use C4::Templates;
|
use C4::Templates;
|
||||||
|
use Koha::Token;
|
||||||
|
|
||||||
our (@ISA, @EXPORT_OK);
|
our (@ISA, @EXPORT_OK);
|
||||||
|
|
||||||
|
@ -314,9 +315,17 @@ sub is_ajax {
|
||||||
To executed at the beginning of scripts to stop the script at this point if
|
To executed at the beginning of scripts to stop the script at this point if
|
||||||
some errors are found.
|
some errors are found.
|
||||||
|
|
||||||
Tests for module 'members':
|
A series of tests can be run for a given module, or a specific check.
|
||||||
* patron is not defined (we are looking for a patron that does no longer exist/never existed)
|
Params "module" and "check" are mutually exclusive.
|
||||||
* The logged in user cannot see patron's infos (feature 'cannot_see_patron_infos')
|
|
||||||
|
Tests for modules:
|
||||||
|
* members:
|
||||||
|
- Patron is not defined (we are looking for a patron that does no longer exist/never existed)
|
||||||
|
- The logged in user cannot see patron's infos (feature 'cannot_see_patron_infos')
|
||||||
|
|
||||||
|
Tests for specific check:
|
||||||
|
* csrf_token
|
||||||
|
will test if the csrf_token CGI param is valid
|
||||||
|
|
||||||
Others will be added here depending on the needs (for instance biblio does not exist will be useful).
|
Others will be added here depending on the needs (for instance biblio does not exist will be useful).
|
||||||
|
|
||||||
|
@ -332,16 +341,28 @@ sub output_and_exit_if_error {
|
||||||
if ( not $current_patron ) {
|
if ( not $current_patron ) {
|
||||||
$error = 'unknown_patron';
|
$error = 'unknown_patron';
|
||||||
}
|
}
|
||||||
elsif( not $logged_in_user->can_see_patron_infos( $current_patron ) ) {
|
elsif ( not $logged_in_user->can_see_patron_infos($current_patron) )
|
||||||
|
{
|
||||||
$error = 'cannot_see_patron_infos';
|
$error = 'cannot_see_patron_infos';
|
||||||
}
|
}
|
||||||
} elsif ( $params->{module} eq 'cataloguing' ) {
|
}
|
||||||
|
elsif ( $params->{module} eq 'cataloguing' ) {
|
||||||
# We are testing the record to avoid additem to fetch the Koha::Biblio
|
# We are testing the record to avoid additem to fetch the Koha::Biblio
|
||||||
# But in the long term we will want to get a biblio in parameter
|
# But in the long term we will want to get a biblio in parameter
|
||||||
$error = 'unknown_biblio' unless $params->{record};
|
$error = 'unknown_biblio' unless $params->{record};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
elsif ( $params and exists $params->{check} ) {
|
||||||
|
if ( $params->{check} eq 'csrf_token' ) {
|
||||||
|
$error = 'wrong_csrf_token'
|
||||||
|
unless Koha::Token->new->check_csrf(
|
||||||
|
{
|
||||||
|
session_id => scalar $query->cookie('CGISESSID'),
|
||||||
|
token => scalar $query->param('csrf_token'),
|
||||||
|
}
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
output_and_exit( $query, $cookie, $template, $error ) if $error;
|
output_and_exit( $query, $cookie, $template, $error ) if $error;
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
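Review bot: The new `elsif ( $params and exists $params->{check} )` branch only acts when `$params->{check} eq 'csrf_token'`; any other value (including a misspelt check name at a call site) leaves `$error` unset and the script keeps running, so this guard fails open rather than closed. I would add `else { die "output_and_exit_if_error: unknown check '$params->{check}'" }` after the inner `if` so a bad check name is loud, in line with the POD's "module or a specific check" contract. Note also that `scalar $query->param('csrf_token')` reads the token from the query string as well as the request body, so callers should submit it via POST to keep it out of URLs, Referer headers and access logs; the callers are not in this hunk, so I cannot tell whether any use GET. What `check_csrf` does when `$query->cookie('CGISESSID')` is absent (an undef session_id) is not visible here either and is worth confirming. `output_and_exit_if_error` begins outside the hunk.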
1
koha-tmpl/intranet-tmpl/prog/en/includes/csrf-token.inc
Normal file
1
koha-tmpl/intranet-tmpl/prog/en/includes/csrf-token.inc
Normal file
|
@ -0,0 +1 @@
|
||||||
|
<input type="hidden" name="csrf_token" value="[% csrf_token | html %]" />
|
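Review bot: The hidden input's `name="csrf_token"` is coupled to the `$query->param('csrf_token')` lookup in C4/Output.pm and to the `csrf_token` template param set in get_template_and_user, but nothing in the include records that; a template rendered without that param emits an empty value and will fail the check. I would open the include with a comment such as `[%# Per-session CSRF token for POST forms; needs csrf_token in the template params (set by get_template_and_user) and the name must match the csrf_token param checked by output_and_exit_if_error %]`. Passing the value through the `html` filter is the right choice for an attribute value.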