Koha/koha-tmpl/intranet-tmpl/prog/en/modules/members
Jonathan Druart 11bf7e7bef Bug 17146: Fix CSRF in picture-upload.pl
If an attacker can get an authenticated Koha user to visit their page with the URL below, they can change or delete patrons' images:
/tools/picture-upload.pl?op=Delete&borrowernumber=42

Test plan:
1/ Hit /tools/picture-upload.pl?op=Delete&borrowernumber=42 and confirm that you get a "Wrong CSRF token" error
2/ Go on the patron detail page with a patron's image
3/ Click on the Delete link (note the csrf_token param)
4/ The image will be deleted and you are redirected to the patron detail page.

Regression tests:
Upload an image from the patron detail page and from the "upload patron
images" tool.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-15 13:33:58 +00:00
tables Bug 17076 - Format fines in patron search results table 2016-08-10 14:05:48 +00:00
boraccount.tt Bug 16888: Add Font Awesome Icons to Members 2016-07-15 18:02:48 +00:00
deletemem.tt Bug 17097: here the var is 'member', not 'borrowernumber' 2016-08-18 15:55:24 +00:00
discharge.tt Bug 15758: Koha::Libraries - Remove GetBranchName 2016-09-08 14:36:01 +00:00
discharges.tt Bug 15758: Koha::Libraries - Remove GetBranchName 2016-09-08 14:36:01 +00:00
files.tt
mancredit.tt
maninvoice.tt
member-flags.tt Bug 15758: Koha::Libraries - Remove GetBranchName 2016-09-08 14:36:01 +00:00
member-password.tt Bug 15758: Koha::Libraries - Remove GetBranchName 2016-09-08 14:36:01 +00:00
member.tt Bug 15758: Koha::Libraries - Remove GetBranchesLoop 2016-09-08 14:36:02 +00:00
memberentrygen.tt Bug 15758: Koha::Libraries - Remove GetBranchesLoop 2016-09-08 14:36:02 +00:00
members-update.tt Bug 16990: Display branch names instead of code in patron mod requests 2016-09-02 14:44:03 +00:00
moremember-brief.tt Bug 16730 - Use member-display-address-style*-includes in moremember-brief.tt 2016-07-08 14:41:31 +00:00
moremember-print.tt Bug 17100: Restore previous logic 2016-08-18 16:14:28 +00:00
moremember-receipt.tt Bug 16218: printfeercpt.tt (and others) does not include jQuery 2016-04-29 14:14:54 +00:00
moremember.tt Bug 17146: Fix CSRF in picture-upload.pl 2016-09-15 13:33:58 +00:00
nl-search.tt
notices.tt Bug 15758: Koha::Libraries - Remove GetBranchName 2016-09-08 14:36:01 +00:00
pay.tt Bug 15758: Koha::Libraries - Remove GetBranchName 2016-09-08 14:36:01 +00:00
paycollect.tt Bug 15758: Koha::Libraries - Remove GetBranchName 2016-09-08 14:36:01 +00:00
printfeercpt.tt Bug 16218: printfeercpt.tt (and others) does not include jQuery 2016-04-29 14:14:54 +00:00
printinvoice.tt Bug 16241 - Move staff client CSS out of language directory 2016-04-29 13:54:37 +00:00
purchase-suggestions.tt Bug 15758: Koha::Libraries - Remove GetBranchName 2016-09-08 14:36:01 +00:00
readingrec.tt Bug 16478: Fix checkout history tabs - intranet 2016-05-23 17:22:04 +00:00
routing-lists.tt Bug 15758: Koha::Libraries - Remove GetBranchName 2016-09-08 14:36:01 +00:00
statistics.tt Bug 15758: Koha::Libraries - Remove GetBranchName 2016-09-08 14:36:01 +00:00
update-child.tt Bug 15407: Koha::Patron::Categories - replace GetborCatFromCatType 2016-09-08 13:29:22 +00:00