Jonathan Druart
6f5e2f8a86
If an attacker can get an authenticated Koha user to visit their page with the url below, they can change patrons' information.

The exploit can be simulated triggering /tools/import_borrowers.pl?uploadborrowers=42

In that case it won't do anything wrong, but if you POST a valid file, it could.

Test plan:
Trigger the url above
=> Without this patch, you will see the result page
=> With this patch, you will get the "Wrong CSRF token" error.

Regression test:
Import a valid file from the import patron form, everything should go fine.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
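The check this commit adds is the standard CSRF defence: a state-changing endpoint accepts a request only if it carries a token bound to the caller's session, which a page on another origin cannot read. The block below is an added illustration of that pattern, not Koha's code (the real fix lives in import_borrowers.pl and Koha's own token helpers, which are not reproduced here). It is written in Python rather than Perl because it is independent of Koha's API; `issue_csrf_token`, `verify_csrf_token`, `handle_import_borrowers`, the session ids and the server secret are all constructed for the example. The token is an HMAC over the session id, so the server stores nothing per request, and the comparison is constant-time.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side secret for the example; a real deployment keeps this
# out of source control and rotates it with the session signing key.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session CSRF token. Rendering this into the form ties the
    form submission to the session that fetched the page."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """A missing or wrong token is simply invalid; compare_digest avoids a
    timing side channel on the comparison."""
    if not token:
        return False
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, token)


def handle_import_borrowers(request: dict) -> str:
    """Hypothetical stand-in for a state-changing handler such as
    /tools/import_borrowers.pl. The token is checked regardless of HTTP
    method, so the crafted GET from the commit message is rejected too.

    request: {"method": str, "session_id": str, "params": {...}}
    """
    token = request["params"].get("csrf_token")
    if not verify_csrf_token(request["session_id"], token):
        return "Wrong CSRF token"
    return "Import processed"


def demo() -> dict:
    """Run the scenarios from the commit's test plan against the handler."""
    session = "sess-abc123"  # constructed session identifier
    token = issue_csrf_token(session)
    # 1. The crafted link: an authenticated user's browser sends the attacker's
    #    parameter, but the page that issued the link could not read the token.
    forged_get = {"method": "GET", "session_id": session,
                  "params": {"uploadborrowers": "42"}}
    # 2. A cross-site POST of a valid file likewise arrives without the token.
    forged_post = {"method": "POST", "session_id": session,
                   "params": {"uploadborrowers": "42"}}
    # 3. The legitimate import form includes the token rendered for this session.
    legit = {"method": "POST", "session_id": session,
             "params": {"uploadborrowers": "42", "csrf_token": token}}
    # 4. A token minted for a different session must not be accepted either.
    other = {"method": "POST", "session_id": session,
             "params": {"csrf_token": issue_csrf_token("sess-other")}}
    return {
        "forged_get": handle_import_borrowers(forged_get),
        "forged_post": handle_import_borrowers(forged_post),
        "legit": handle_import_borrowers(legit),
        "other_session": handle_import_borrowers(other),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The regression case in the test plan corresponds to `legit`: the form the user actually loaded carries the session's token, so the import proceeds; every other request path gets the "Wrong CSRF token" result the patch introduces.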