Koha/opac/opac-messaging.pl
David Cook 649bfe1ee2
Bug 24673: Add CSRF token support to opac-messaging.pl
This patch adds CSRF token support to opac-messaging.pl,
which allows users to manually update their messaging preferences,
but prevents bad actors from tricking people into updating their
preferences from cross-site requests.

Test plan:
0. Set SMSSendDriver global system preference to "Test" if unset
1. Log into the OPAC
2. Navigate to a URL in your browser like the following:
http://localhost:8080/cgi-bin/koha/opac-messaging.pl?modify=yes
&1=email&digest=1&2-DAYS=5&2=email&digest=2&4=email&SMSnumber=0444444444
3. Observe that the preference and SMS number update

4. Apply the patch

5. Navigate to a URL in your browser like the following:
http://localhost:8080/cgi-bin/koha/opac-messaging.pl?modify=yes
&1=email&digest=1&2-DAYS=5&2=email&digest=2&4=email&SMSnumber=0444444444
6. Observe that you get an error message of "Wrong CSRF token" instead
of the previous behaviour
7. Navigate to a URL in your browser like the following:
http://localhost:8080/cgi-bin/koha/opac-messaging.pl
8. Update "Advance notice" to 3 and update "SMS number" to 61111111111
9. Observe that the "Advance notice" and "SMS number" fields update
correctly

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-03-26 11:34:28 +00:00

94 lines
3.2 KiB
Perl
Executable file

#!/usr/bin/perl
# Copyright 2008 LibLime
#
# This file is part of Koha.
#
# Koha is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# Koha is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Koha; if not, see <http://www.gnu.org/licenses>.
use Modern::Perl;
use CGI qw ( -utf8 );
use C4::Auth; # checkauth, getborrowernumber.
use C4::Context;
use C4::Koha;
use C4::Circulation;
use C4::Output;
use C4::Members;
use C4::Members::Messaging;
use C4::Form::MessagingPreferences;
use Koha::Patrons;
use Koha::SMS::Providers;
use Koha::Token;
my $query = CGI->new();
unless ( C4::Context->preference('EnhancedMessagingPreferencesOPAC') and
C4::Context->preference('EnhancedMessagingPreferences') ) {
print $query->redirect("/cgi-bin/koha/errors/404.pl");
exit;
}
my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
{
template_name => 'opac-messaging.tt',
query => $query,
type => 'opac',
authnotrequired => 0,
debug => 1,
}
);
my $patron = Koha::Patrons->find( $borrowernumber ); # FIXME and if borrowernumber is invalid?
my $messaging_options = C4::Members::Messaging::GetMessagingOptions();
if ( defined $query->param('modify') && $query->param('modify') eq 'yes' ) {
die "Wrong CSRF token" unless Koha::Token->new->check_csrf({
session_id => scalar $query->cookie('CGISESSID'),
token => scalar $query->param('csrf_token'),
});
my $sms = $query->param('SMSnumber');
my $sms_provider_id = $query->param('sms_provider_id');
$patron->set({
smsalertnumber => $sms,
sms_provider_id => $sms_provider_id,
})->store;
C4::Form::MessagingPreferences::handle_form_action($query, { borrowernumber => $patron->borrowernumber }, $template);
}
C4::Form::MessagingPreferences::set_form_values({ borrowernumber => $patron->borrowernumber }, $template);
$template->param(
messagingview => 1,
SMSnumber => $patron->smsalertnumber, # FIXME This is already sent 2 lines above
SMSSendDriver => C4::Context->preference("SMSSendDriver"),
TalkingTechItivaPhone => C4::Context->preference("TalkingTechItivaPhoneNotification") );
if ( C4::Context->preference("SMSSendDriver") eq 'Email' ) {
my @providers = Koha::SMS::Providers->search();
$template->param( sms_providers => \@providers, sms_provider_id => $patron->sms_provider_id );
}
my $new_session_id = $cookie->value;
$template->param(
csrf_token => Koha::Token->new->generate_csrf({
session_id => $new_session_id,
}),
);
output_html_with_http_headers $query, $cookie, $template->output, undef, { force_no_caching => 1 };