Koha/members
Jonathan Druart 06d1259e56 Bug 16992: FIX CSRF in member-password.pl
If an attacker can get an authenticated Koha user to visit their page with the
URL below, they can change patrons' passwords:
/members/member-password.pl?member=42&newpassword=hacked&newpassword2=hacked

Test plan:

Trigger
/members/member-password.pl?member=42&newpassword=hacked&newpassword2=hacked

=> Without this patch, the password will be updated
=> With this patch applied you will get a crash "Wrong CSRF token" (no
need to stylish)

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-10 13:34:02 +00:00
boraccount.pl Bug 15635: Koha::Patron::Images - Remove GetPatronImage 2016-03-04 12:54:15 +00:00
default_messageprefs.pl Bug 9978: Replace license header with the correct license (GPLv3+) 2015-04-20 09:59:38 -03:00
deletemem.pl Bug 15635: Koha::Patron::Images - Remove GetPatronImage 2016-03-04 12:54:15 +00:00
discharge.pl Bug 15823: Can still access patron discharge slip without having the syspref on 2016-05-06 04:20:48 +00:00
discharges.pl Bug 15548: Move new patron related code to Patron* 2016-03-03 14:38:26 -07:00
files.pl Bug 16154: CGI->multi_param - Force scalar context 2016-04-26 23:16:43 +00:00
guarantor_search.pl Bug 15109: Make name the default sort order for all patron searches 2015-11-17 09:49:21 -03:00
mancredit.pl Bug 15635: Koha::Patron::Images - Remove GetPatronImage 2016-03-04 12:54:15 +00:00
maninvoice.pl Bug 15635: Koha::Patron::Images - Remove GetPatronImage 2016-03-04 12:54:15 +00:00
member-flags.pl Bug 16154: CGI->multi_param - Declare a list 2016-04-26 23:16:42 +00:00
member-password.pl Bug 16992: FIX CSRF in member-password.pl 2016-08-10 13:34:02 +00:00
member.pl Bug 16154: CGI->multi_param - Force scalar context 2016-04-26 23:16:43 +00:00
memberentry.pl Bug 16993: Fix CSRF in memberentry.pl 2016-08-10 13:25:25 +00:00
members-home.pl Bug 15548: Move new patron related code to Patron* 2016-03-03 14:38:26 -07:00
members-update-do.pl Bug 15548: Move new patron related code to Patron* 2016-03-03 14:38:26 -07:00
members-update.pl Bug 15548: Move new patron related code to Patron* 2016-03-03 14:38:26 -07:00
mod_debarment.pl Bug 16154: CGI->multi_param - Force scalar context 2016-04-26 23:16:43 +00:00
moremember.pl Bug 16849: Move IsDebarred to Koha::Patron->is_debarred 2016-07-15 18:08:14 +00:00
nl-search.pl Bug 16154: CGI->multi_param - Force scalar context 2016-04-26 23:16:43 +00:00
notices.pl Bug 15635: Koha::Patron::Images - Remove GetPatronImage 2016-03-04 12:54:15 +00:00
patronimage.pl Bug 15635: Koha::Patron::Images - Remove GetPatronImage 2016-03-04 12:54:15 +00:00
pay.pl Bug 14605 - Corrects the individual fine's description 2016-06-10 17:34:08 +00:00
paycollect.pl Bug 14605 - Corrects the individual fine's description 2016-06-10 17:34:08 +00:00
print_overdues.pl Bug 12933: (QA followup) Rename GetOverdues to GetOverduesForPatron 2015-11-04 12:41:29 -03:00
printfeercpt.pl Bug 15635: Koha::Patron::Images - Remove GetPatronImage 2016-03-04 12:54:15 +00:00
printinvoice.pl Bug 15635: Koha::Patron::Images - Remove GetPatronImage 2016-03-04 12:54:15 +00:00
printslip.pl Bug 9978: Replace license header with the correct license (GPLv3+) 2015-04-20 09:59:38 -03:00
purchase-suggestions.pl Bug 15635: Koha::Patron::Images - Remove GetPatronImage 2016-03-04 12:54:15 +00:00
readingrec.pl Bug 3669: Moving 'Add a new message' into a pop up box and adding to patron toolbar 2016-06-24 13:20:13 +00:00
routing-lists.pl Bug 3669: Moving 'Add a new message' into a pop up box and adding to patron toolbar 2016-06-24 13:20:13 +00:00
setstatus.pl Bug 14910: Redirect to the circulation module after a renew 2015-10-02 14:22:16 -03:00
statistics.pl Bug 15635: Koha::Patron::Images - Remove GetPatronImage 2016-03-04 12:54:15 +00:00
summary-print.pl Bug 15542: Always display the patron's info the same way. 2016-01-23 19:15:08 +00:00
update-child.pl Bug 9978: Replace license header with the correct license (GPLv3+) 2015-04-20 09:59:38 -03:00