Main Koha release repository https://koha-community.org
David Cook 649bfe1ee2
Bug 24673: Add CSRF token support to opac-messaging.pl
This patch adds CSRF token support to opac-messaging.pl,
which allows users to manually update their messaging preferences,
but prevents bad actors from tricking people into updating their
preferences from cross-site requests.

Test plan:
0. Set SMSSendDriver global system preference to "Test" if unset
1. Log into the OPAC
2. Navigate to a URL in your browser like the following:
http://localhost:8080/cgi-bin/koha/opac-messaging.pl?modify=yes
&1=email&digest=1&2-DAYS=5&2=email&digest=2&4=email&SMSnumber=0444444444
3. Observe that the preference and SMS number update

4. Apply the patch

5. Navigate to a URL in your browser like the following:
http://localhost:8080/cgi-bin/koha/opac-messaging.pl?modify=yes
&1=email&digest=1&2-DAYS=5&2=email&digest=2&4=email&SMSnumber=0444444444
6. Observe that you get an error message of "Wrong CSRF token" instead
of the previous behaviour
7. Navigate to a URL in your browser like the following:
http://localhost:8080/cgi-bin/koha/opac-messaging.pl
8. Update "Advance notice" to 3 and update "SMS number" to 61111111111
9. Observe that the "Advance notice" and "SMS number" fields update
correctly

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-03-26 11:34:28 +00:00
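The check the test plan exercises (a bare `modify=yes` link is refused with "Wrong CSRF token", the rendered form still submits) follows the usual session-bound token pattern. The script below is an added, self-contained Perl illustration of that pattern; it is not code from the Koha patch and does not use Koha's own `Koha::Token` module. The secret, the eight-hour lifetime, the `csrf_token` parameter name and the request shapes are all assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example: HMAC-based CSRF token bound to the login session, in the
# spirit of the opac-messaging.pl change. Illustration only; it does not use
# Koha::Token or any other Koha module.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Server-side secret. In a real deployment this comes from configuration,
# never from source (constructed value for the example).
my $SECRET  = 'example-only-server-secret';
my $MAX_AGE = 8 * 3600;    # token lifetime in seconds (assumed policy)

# Mint a token tied to the caller's session id and an issue timestamp.
# The timestamp travels in the clear; the MAC covers it, so it cannot be
# altered without the secret.
sub generate_csrf {
    my ( $session_id, $now ) = @_;
    $now //= time;
    my $mac = hmac_sha256_hex( "$session_id:$now", $SECRET );
    return "$now:$mac";
}

# Constant-time comparison so a wrong MAC takes the same time as a near miss.
sub eq_ct {
    my ( $x, $y ) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord( substr( $x, $_, 1 ) ) ^ ord( substr( $y, $_, 1 ) )
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Verify a submitted token against the current session. Returns 1 or 0.
sub check_csrf {
    my ( $session_id, $token, $now ) = @_;
    $now //= time;
    return 0 unless defined $token && $token =~ /\A(\d+):([0-9a-f]{64})\z/;
    my ( $issued, $mac ) = ( $1, $2 );
    return 0 if $now - $issued > $MAX_AGE || $issued > $now;
    my $expected = hmac_sha256_hex( "$session_id:$issued", $SECRET );
    return eq_ct( $mac, $expected );
}

# Handler modelled on the script's "modify=yes" branch: every state-changing
# request must carry a valid token, whether it arrives by GET or by POST.
sub handle_request {
    my ( $session_id, $params ) = @_;
    return 'displayed preferences form'
        unless ( $params->{modify} // '' ) eq 'yes';
    return 'Wrong CSRF token'
        unless check_csrf( $session_id, $params->{csrf_token} );
    return "updated preferences (SMSnumber=$params->{SMSnumber})";
}

# Walk through the commit's test plan with constructed requests.
my $session = 'sess-1234';
my $token   = generate_csrf($session);    # what the form page would embed

# Step 5: the bare link from the test plan carries no token -> refused.
print handle_request( $session,
    { modify => 'yes', SMSnumber => '0444444444' } ), "\n";

# Step 8: the form submission carries the embedded token -> accepted.
print handle_request( $session,
    { modify => 'yes', SMSnumber => '61111111111', csrf_token => $token } ), "\n";

# A token minted for another session is useless across sessions.
print handle_request( 'sess-9999',
    { modify => 'yes', SMSnumber => '0444444444', csrf_token => $token } ), "\n";
```

Two points worth checking in any script that adopts this: the token must be required on the `modify` branch regardless of HTTP method, since the attack in the test plan is a plain GET link, and the comparison must be constant-time, because the MAC is the only thing standing between a cross-site request and a preference change.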
acqui Bug 24158: Convert actual cost in an other currency when receiving 2020-03-25 13:52:05 +00:00
admin Bug 23590: (QA follow-up) Fix some problems created by recent changes and updatedatabase statement 2020-03-25 09:35:24 +00:00
api/v1 Bug 24476: Rename autorenewal to autorenew_checkouts 2020-03-24 11:23:54 +00:00
authorities Bug 24545: Fix license statements 2020-02-24 13:31:26 +00:00
basket
C4 Bug 24828: Add ability to specify cash register in SIP config 2020-03-25 13:51:02 +00:00
catalogue Bug 23463: Replace ModItem with Koha::Item->store 2020-03-23 09:26:30 +00:00
cataloguing Bug 22098: (QA follow-up) Improving documentation 2020-03-24 10:55:59 +00:00
circ Bug 24837: Rename selectbranchprinter.pl to set-library.pl 2020-03-24 11:07:22 +00:00
clubs
course_reserves
debian Bug 24052: Add koha_xslt_security to koha-conf.xml 2020-03-24 10:42:23 +00:00
docs
errors Bug 24545: Fix license statements 2020-02-24 13:31:26 +00:00
etc Bug 24828: Add ability to specify cash register in SIP config 2020-03-25 13:51:02 +00:00
ill Bug 23112: Add circulation to ILL requests 2020-03-10 10:58:58 +00:00
installer Bug 23590: Add notice template for translated installer files 2020-03-25 11:49:27 +00:00
Koha Bug 24455: Add JS functions to format date and datetime strings 2020-03-25 13:54:17 +00:00
koha-tmpl Bug 24673: Add CSRF token support to opac-messaging.pl 2020-03-26 11:34:28 +00:00
labels Bug 24735: Remove QueryParser-related code 2020-03-02 11:13:03 +00:00
members Bug 24476: Allow patrons to opt out of auto-renewal 2020-03-24 11:23:47 +00:00
misc Bug 24476: Rename autorenewal to autorenew_checkouts 2020-03-24 11:23:54 +00:00
offline_circ Bug 23463: Replace ModItem with Koha::Item->store 2020-03-23 09:26:30 +00:00
opac Bug 24673: Add CSRF token support to opac-messaging.pl 2020-03-26 11:34:28 +00:00
patron_lists
patroncards Bug 24545: Fix license statements 2020-02-24 13:31:26 +00:00
plugins Bug 23975: (follow-up) Don't rely on save_to being present 2020-03-03 09:19:04 +00:00
pos Bug 24492: (RM follow-up) Redirect to correct page after cashup 2020-03-05 14:16:58 +00:00
reports Bug 20443: Use search_with_library_limits for attribute types 2020-03-23 13:49:22 +00:00
reserve Bug 24185: Make holds page fast when 'on shelf holds' set to 'If all unavailable' 2020-03-25 09:40:58 +00:00
reviews
rotating_collections
serials Bug 23463: Replace ModItem with Koha::Item->store 2020-03-23 09:26:30 +00:00
services
skel
suggestion Bug 23590: Create a separate template notice NOTIFY_MANAGER 2020-03-25 09:35:46 +00:00
svc Bug 23463: Replace ModItem with Koha::Item->store 2020-03-23 09:26:30 +00:00
t Bug 24801: Display all the libraries - Selenium fix 2020-03-26 10:07:46 +00:00
tags Bug 11529: Add templates for biblio title display. Unify display. 2019-08-05 15:03:19 +01:00
tmp/modified_authorities
tools Bug 20443: Use search_with_library_limits for attribute types 2020-03-23 13:49:22 +00:00
virtualshelves
xt Bug 24583: adjust xt/sample_notices.t 2020-03-09 15:19:01 +00:00
.editorconfig Bug 24774: Set JSON indentation of 2 spaces in .editorconfig 2020-03-19 09:24:52 +00:00
.eslintrc.json
.gitignore
.htaccess
.mailmap
.scss-lint.yml
about.pl Bug 24735: Remove QueryParser-related code 2020-03-02 11:13:03 +00:00
changelanguage.pl
cpanfile Bug 24573: Add missing dependencies to cpanfile 2020-03-06 09:58:54 +00:00
fix-perl-path.PL
gulpfile.js
help.pl
INSTALL
Koha.pm Bug 23590: DBRev 19.12.00.055 2020-03-25 09:38:51 +00:00
koha_perl_deps.pl Bug 24545: Fix license statements 2020-02-24 13:31:26 +00:00
kohaversion.pl
LICENSE
mainpage.pl
Makefile.PL
MANIFEST.SKIP
package.json
README
README.md
README.robots
rewrite-config.PL
yarn.lock

Koha is a free software integrated library system (ILS).

Koha is distributed under the GNU GPL version 3 or later.

Note: This is a synced mirror of the official Koha repo.

Note: Koha does not accept pull requests from git hosting sites.

Note: This project has its own bug tracker, to report a bug or submit a patch visit http://bugs.koha-community.org.

For guidelines on submitting patches for Koha please visit https://wiki.koha-community.org/wiki/SubmitingAPatch

The developers handbook can be found at https://wiki.koha-community.org/wiki/Developer_handbook

http://koha-community.org/
