Koha/authorities
Marcel de Rooy 5a7dc0749f Bug 18019: Add CSRF protection to authorities-home.pl (op==delete)
Without this patch, it is possible to delete authority records with URL
manipulation.
Like: /cgi-bin/koha/authorities/authorities-home.pl?op=delete&authid=[XXX]

Test plan:
[1] Go to Authorities. Search for some authorities (without links).
[2] Delete an authority. Should work.
[3] Apply patch.
[4] Construct a URL like above to delete another authority. Should fail.
    Under Plack this results in an internal server error, the log tells
    you: Wrong CSRF token.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Amended the test plan.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-03-31 13:08:24 +00:00
auth_finder.pl Bug 16154: CGI->multi_param - Force scalar context 2016-04-26 23:16:43 +00:00
authorities-home.pl Bug 18019: Add CSRF protection to authorities-home.pl (op==delete) 2017-03-31 13:08:24 +00:00
authorities-list.pl Bug 12478: make things using SimpleSearch use the new version 2016-04-26 20:20:07 +00:00
authorities.pl Bug 16154: CGI->multi_param - Declare a list 2016-04-26 23:16:42 +00:00
blinddetail-biblio-search.pl Bug 17118: (follow-up 15381) Fix regression when clearing a linked authority 2016-09-02 14:01:34 +00:00
detail-biblio-search.pl Bug 15381: Remove GetAuthType and GetAuthTypeCode 2015-12-31 18:59:02 +00:00
detail.pl Bug 15381: Remove GetAuthType and GetAuthTypeCode 2015-12-31 18:59:02 +00:00
export.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
merge.pl Bug 16018: Merge.pl code cleanup 2017-02-17 13:32:40 +00:00
merge_ajax.pl Bug 14589: Adjust authorities_merge_ajax and replace some indirect syntax 2015-11-02 12:49:13 -03:00
ysearch.pl Bug 16154: CGI->multi_param - Declare a list 2016-04-26 23:16:42 +00:00