Koha/koha-tmpl/intranet-tmpl/prog at 11bf7e7bef856d5d90126c19f897d060cb4c9d9d - Koha-community/Koha - Koha: The world's first free and open source library system

History

Jonathan Druart 11bf7e7bef Bug 17146: Fix CSRF in picture-upload.pl If an attacker can get an authenticated Koha user to visit their page with the url below, they can change or delete patrons' images /tools/picture-upload.pl?op=Delete&borrowernumber=42 Test plan: 1/ Hit /tools/picture-upload.pl?op=Delete&borrowernumber=42 And confirm that you get a "Wrong CSRF token" error 2/ Go on the patron detail page with a patron's image 3/ Click on the Delete link (note the csrf_token param) 4/ The image will be deleted and you are redirected to the patron detail page. Regression tests: Upload an image from the patron detail page and from the "upload patron images" tool. Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>		2016-09-15 13:33:58 +00:00
..
css	Bug 17147 [Revised] Streamline messages following batch record modification	2016-09-13 17:25:28 +00:00
en	Bug 17146: Fix CSRF in picture-upload.pl	2016-09-15 13:33:58 +00:00
img	Bug 16080 [Revised] Remove unused images from the staff client	2016-04-29 13:56:55 +00:00
js	Bug 14752 - (QA followup) Remove annoying modal, use dialog box instead	2016-09-13 17:21:05 +00:00
pdf
sound