Koha/tools
Jonathan Druart 6f5e2f8a86 Bug 17116: Fix CSRF in import_borrowers.pl
If an attacker can get an authenticated Koha user to visit their page
with the url below, they can change patrons' information

The exploit can be simulated by triggering
  /tools/import_borrowers.pl?uploadborrowers=42

In that case it won't do anything wrong, but if you POST a valid file,
it could.

Test plan:
Trigger the url above
=> Without this patch, you will get the result page
=> With this patch, you will get the "Wrong CSRF token" error.

Regression test:
Import a valid file from the import patron form, everything should go
fine.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-02 13:47:02 +00:00
csv-profiles
quotes Bug 15684: Fix encoding issues with quote upload 2016-02-04 00:14:43 +00:00
ajax-inventory.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
automatic_item_modification_by_age.pl Bug 16889: Remove C4::Items::biblioitems_columns and use Koha::Biblioitems->columns instead 2016-07-15 18:12:13 +00:00
background-job-progress.pl Bug 14589: Adjust authorities_merge_ajax and replace some indirect syntax 2015-11-02 12:49:13 -03:00
batch_delete_records.pl bug 14504: (QA followup) fixing DelItemCheck arguments 2016-08-26 12:07:26 +00:00
batch_record_modification.pl Bug 16154: CGI->multi_param - Declare a list 2016-04-26 23:16:42 +00:00
batch_records_ajax.pl Bug 11944: use CGI( -utf8 ) everywhere 2015-01-13 13:07:21 -03:00
batchMod.pl bug 14504: (QA followup) fixing DelItemCheck arguments 2016-08-26 12:07:26 +00:00
cleanborrowers.pl Bug 15023: (followup) Remove warnings 2016-08-24 11:37:02 +00:00
copy-holidays.pl Bug 9978: Replace license header with the correct license (GPLv3+) 2015-04-20 09:59:38 -03:00
csv-profiles.pl Bug 15451: Better error handling 2016-07-22 17:18:37 +00:00
exceptionHolidays.pl Bug 16154: Fix some other occurrences 2016-04-26 23:16:44 +00:00
export.pl Bug 15451: Do not considered a Resultset as a Result 2016-07-22 17:18:36 +00:00
holidays.pl Bug 16154: Fix some other occurrences 2016-04-26 23:16:44 +00:00
import_borrowers.pl Bug 17116: Fix CSRF in import_borrowers.pl 2016-09-02 13:47:02 +00:00
inventory.pl Bug 16154: Fix some other occurrences 2016-04-26 23:16:44 +00:00
koha-news.pl Bug 16550: Clean the tests 2016-05-23 17:37:48 +00:00
letter.pl Bug 14757: Remove obsolete occurrence of is_tt 2016-07-08 13:47:43 +00:00
manage-marc-import.pl Bug 9259: Ability to delete a staged file once it has been cleaned 2016-07-08 13:43:53 +00:00
marc_modification_templates.pl Bug 16148 - Revised layout and behavior of marc modification template management 2016-06-17 16:11:43 +00:00
modborrowers.pl Bug 16681 - Allow update of opacnote via batch patron modification tool 2016-07-15 18:07:16 +00:00
newHolidays.pl Bug 14954: Remove C4::Dates from holiday related files in folder tools 2015-11-17 23:44:31 -03:00
overduerules.pl Bug 16154: CGI->multi_param - Declare a list 2016-04-26 23:16:42 +00:00
picture-upload.pl Bug 15635: Koha::Patron::Images - Remove GetPatronImage 2016-03-04 12:54:15 +00:00
quotes-upload.pl Bug 9978: Replace license header with the correct license (GPLv3+) 2015-04-20 09:59:38 -03:00
quotes.pl Bug 9978: Replace license header with the correct license (GPLv3+) 2015-04-20 09:59:38 -03:00
scheduler.pl Bug 16154: Fix some other occurrences 2016-04-26 23:16:44 +00:00
showdiffmarc.pl Bug 15005: Replace $ENV{SCRIPT_NAME} with the hardcoded script paths 2015-10-19 09:36:43 -03:00
stage-marc-import.pl Bug 15005: Replace $ENV{SCRIPT_NAME} with the hardcoded script paths 2015-10-19 09:36:43 -03:00
tools-home.pl Bug 9978: (followup) Replace license header with the correct license (GPLv3+) 2015-04-20 09:59:43 -03:00
upload-cover-image.pl Bug 14321: Integrate Upload.pm into Koha 2015-09-25 12:02:52 -03:00
upload-file.pl Bug 14686: [QA Follow-up] Move allows_add_by to Upload.pm 2016-04-27 16:14:18 +00:00
upload.pl Bug 14686: Add Upload to Tools menu 2016-04-27 16:14:17 +00:00
viewlog.pl Bug 16829: Add 'interface' to the log viewer 2016-08-17 18:01:49 +00:00