David Cook
649bfe1ee2
This patch adds CSRF token support to opac-messaging.pl, which allows users to manually update their messaging preferences, but prevents bad actors from tricking people into updating their preferences from cross-site requests.

Test plan:
0. Set SMSSendDriver global system preference to "Test" if unset
1. Log into the OPAC
2. Navigate to a URL in your browser like the following:
http://localhost:8080/cgi-bin/koha/opac-messaging.pl?modify=yes&1=email&digest=1&2-DAYS=5&2=email&digest=2&4=email&SMSnumber=0444444444
3. Observe that the preference and SMS number update
4. Apply the patch
5. Navigate to a URL in your browser like the following:
http://localhost:8080/cgi-bin/koha/opac-messaging.pl?modify=yes&1=email&digest=1&2-DAYS=5&2=email&digest=2&4=email&SMSnumber=0444444444
6. Observe that you get an error message of "Wrong CSRF token" instead of the previous behaviour
7. Navigate to a URL in your browser like the following:
http://localhost:8080/cgi-bin/koha/opac-messaging.pl
8. Update "Advance notice" to 3 and update "SMS number" to 61111111111
9. Observe that the "Advance notice" and "SMS number" fields update correctly

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
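The check the commit message describes, shown as an added example that is not the commit's diff and not Koha's own code (Koha ships its own helper, Koha::Token, whose exact calls are not reproduced here). It is a self-contained Perl script using only core modules: a CSRF token is an HMAC bound to the user's session id, the `modify=yes` branch is the only one that changes state, so it is the only one that demands a valid token, and the cross-site URL from the test plan is replayed against it. The secret, the handler and function names, and the session ids are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example of a session-bound CSRF check, not Koha's implementation.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumed server-side secret; a real deployment reads it from configuration.
my $SECRET = 'example-secret-do-not-ship';

# Parse an application/x-www-form-urlencoded query string into a hash.
# Repeated keys (digest=1&digest=2 in the test-plan URL) keep the last value.
sub parse_query {
    my ($qs) = @_;
    my %p;
    for my $pair (split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        $v = '' unless defined $v;
        for ($k, $v) { s/\+/ /g; s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg; }
        $p{$k} = $v;
    }
    return \%p;
}

# Token bound to the session: a token leaked from one session is useless in another.
sub generate_csrf {
    my ($session_id) = @_;
    return hmac_sha256_hex($session_id, $SECRET);
}

# Constant-time comparison so the check does not leak the token byte by byte.
sub check_csrf {
    my ($session_id, $token) = @_;
    return 0 unless defined $token;
    my $expected = generate_csrf($session_id);
    return 0 unless length $token == length $expected;
    my $diff = 0;
    $diff |= ord(substr($expected, $_, 1)) ^ ord(substr($token, $_, 1))
        for 0 .. length($expected) - 1;
    return $diff == 0 ? 1 : 0;
}

# Hypothetical handler mirroring the control flow of opac-messaging.pl:
# a plain GET renders the form (and mints a token for it); only the
# "modify=yes" branch mutates preferences, so only it requires the token.
sub handle_messaging_request {
    my ($session_id, $query_string, $prefs) = @_;
    my $p      = parse_query($query_string);
    my $modify = $p->{modify} // '';
    return "form shown with csrf_token=" . generate_csrf($session_id)
        unless $modify eq 'yes';
    return "Wrong CSRF token"
        unless check_csrf($session_id, $p->{csrf_token});
    $prefs->{SMSnumber} = $p->{SMSnumber} if exists $p->{SMSnumber};
    $prefs->{'2-DAYS'}  = $p->{'2-DAYS'}  if exists $p->{'2-DAYS'};
    return "updated";
}

my %prefs   = (SMSnumber => '', '2-DAYS' => 0);
my $session = 'CGISESSID-victim';    # assumed session cookie value

# The cross-site URL from steps 2 and 5 of the test plan carries no token,
# so the state-changing branch refuses it.
my $attack = 'modify=yes&1=email&digest=1&2-DAYS=5&2=email&digest=2'
           . '&4=email&SMSnumber=0444444444';
print handle_messaging_request($session, $attack, \%prefs), "\n";

# The legitimate form submission from steps 7-9 carries the token the form
# was rendered with and is accepted.
my $token = generate_csrf($session);
my $legit = "modify=yes&csrf_token=$token&2-DAYS=3&SMSnumber=61111111111";
print handle_messaging_request($session, $legit, \%prefs), "\n";
print "SMSnumber=$prefs{SMSnumber} advance=$prefs{'2-DAYS'}\n";

# A token minted for a different session does not transfer to this one.
my $foreign = generate_csrf('CGISESSID-attacker');
print handle_messaging_request($session, "modify=yes&csrf_token=$foreign&SMSnumber=1", \%prefs), "\n";
```

Run it with `perl csrf_example.pl`. The property worth checking against the real script is the same one the test plan exercises: a bare URL that sets `modify=yes` must fail, and a form rendered for the logged-in session must still succeed; binding the token to the session id is what stops an attacker from harvesting a token in their own session and embedding it in a cross-site request.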