Koha/koha-tmpl/intranet-tmpl/prog/en/modules/tools
Jonathan Druart 11bf7e7bef Bug 17146: Fix CSRF in picture-upload.pl
If an attacker can get an authenticated Koha user to visit their page with the URL below, they can change or delete patrons' images:
/tools/picture-upload.pl?op=Delete&borrowernumber=42

Test plan:
1/ Hit /tools/picture-upload.pl?op=Delete&borrowernumber=42
And confirm that you get a "Wrong CSRF token" error
2/ Go on the patron detail page with a patron's image
3/ Click on the Delete link (note the csrf_token param)
4/ The image will be deleted and you are redirected to the patron detail page.

Regression tests:
Upload an image from the patron detail page and from the "upload patron images" tool.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:33:58 +00:00
automatic_item_modification_by_age.tt Bug 16437 - Automatic item modifications by age needs prettying 2016-05-31 11:57:12 +00:00
batch_delete_records.tt Bug 16949: Simplify the checkbox checked condition 2016-09-13 17:24:38 +00:00
batch_record_modification.tt Bug 17147 [Revised] Streamline messages following batch record modification 2016-09-13 17:25:28 +00:00
batchMod-del.tt Bug 16538: Improve the style of progress bars 2016-07-15 18:06:08 +00:00
batchMod-edit.tt Bug 13501: Move "Required" and checkbox after input/select 2016-09-02 16:25:04 +00:00
batchMod.tt Bug 10887: Batch item deletion -- doesn't need Use default values section 2015-04-08 11:09:08 -03:00
cleanborrowers.tt Bug 16276: Make the batch patron deletion tool deal with last_seen 2016-09-13 17:27:42 +00:00
csv-profiles.tt Bug 15451: Better error handling 2016-07-22 17:18:37 +00:00
export.tt Bug 15758: Koha::Libraries - Remove GetBranches 2016-09-08 14:36:03 +00:00
holidays.tt Bug 15758: Koha::Libraries - Remove GetBranches 2016-09-08 14:36:03 +00:00
import_borrowers.tt Bug 15758: Koha::Libraries - Remove GetBranchesLoop 2016-09-08 14:36:02 +00:00
inventory.tt Bug 15758: Koha::Libraries - Remove GetBranches 2016-09-08 14:36:03 +00:00
koha-news.tt Bug 17183: Check if any checkboxes have been checked for 'Delete Selected' button in Koha News 2016-09-09 14:02:58 +00:00
letter.tt Bug 15758: Koha::Libraries - Remove GetBranchesLoop 2016-09-08 14:36:02 +00:00
manage-marc-import.tt Bug 16937 [Revised] Remove "onclick" from the manage staged MARC records template 2016-09-09 13:17:09 +00:00
marc_modification_templates.tt Bug 16148 [Follow-up] - Use Font Awesome for arrows instead of images 2016-06-17 16:11:44 +00:00
modborrowers.tt Bug 16938: Remove the use of "onclick" from batch patrons modification template 2016-09-09 13:54:48 +00:00
overduerules.tt Bug 15758: Koha::Libraries - Remove GetBranchesLoop 2016-09-08 14:36:02 +00:00
picture-upload.tt Bug 17146: Fix CSRF in picture-upload.pl 2016-09-15 13:33:58 +00:00
quotes-upload.tt Bug 16513 - Improvements and fixes for quote upload process 2016-06-24 13:47:34 +00:00
quotes.tt Bug 16513 - Improvements and fixes for quote upload process 2016-06-24 13:47:34 +00:00
scheduler.tt
showdiffmarc.tt Bug 11876 [Follow-up] Add a diff view to staged MARC Records 2014-10-31 14:25:11 -03:00
stage-marc-import.tt Bug 10407: Add marcxml import (follow-up) 2016-09-02 16:00:13 +00:00
tools-home.tt Bug 16454: Use 'inventory' instead of 'inventory/stocktaking' 2016-05-16 17:42:39 +00:00
upload-images.tt Bug 16538: Improve the style of progress bars 2016-07-15 18:06:08 +00:00
upload.tt Bug 16727: Clarify upload category note 2016-08-04 21:29:51 +00:00
viewlog.tt Bug 15758: Koha::Libraries - Remove GetBranchName 2016-09-08 14:36:01 +00:00