Koha/koha-tmpl
Jonathan Druart 11bf7e7bef Bug 17146: Fix CSRF in picture-upload.pl
If an attacker can get an authenticated Koha user to visit their page with the URL below, they can change or delete patrons' images:
/tools/picture-upload.pl?op=Delete&borrowernumber=42

Test plan:
1/ Hit /tools/picture-upload.pl?op=Delete&borrowernumber=42 and confirm that you get a "Wrong CSRF token" error
2/ Go on the patron detail page with a patron's image
3/ Click on the Delete link (note the csrf_token param)
4/ The image will be deleted and you are redirected to the patron detail page.

Regression tests:
Upload an image from the patron detail page and from the "upload patron
images" tool.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:33:58 +00:00
intranet-tmpl Bug 17146: Fix CSRF in picture-upload.pl 2016-09-15 13:33:58 +00:00
opac-tmpl Bug 16732 - Add audio alerts (custom sound notifications) to web based self checkout 2016-09-13 17:22:33 +00:00
favicon.ico
index.html /koha-tmpl/ is now the documentroot for opac and intranet pages (remember koha-html is deprecated and should be removed very soon) 2003-03-18 14:17:56 +00:00
intranet.html fix for #290 2003-04-09 08:40:28 +00:00
opac.html