Koha/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-flags.tt
Jonathan Druart 0c3c162f76 Bug 17905: FIX CSRF in member-flags
If an attacker can get an authenticated Koha user to visit their page
with the url below, privilege escalation is possible

The exploit can be simulated triggering
    /cgi-bin/koha/members/member-flags.pl?member=42&newflags=1&flag=superlibrarian

Test plan:
Trigger the url above
=> Without this patch, 42 is now superlibrarian
=> With this patch, you will get the "Wrong CSRF token" error.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-30 11:24:12 +00:00

178 lines
7 KiB
Text

[% USE Branches %]
[% PROCESS 'permissions.inc' %]
[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Patrons &rsaquo; Set permissions for [% surname %], [% firstname %]</title>
<link rel="stylesheet" type="text/css" href="[% interface %]/[% theme %]/css/treeview/jquery.treeview.css"/>
[% INCLUDE 'doc-head-close.inc' %]
<script type="text/javascript" src="[% interface %]/lib/jquery/plugins/jquery.treeview.pack.js"></script>
<!-- set up tree -->
<script type="text/javascript">
$(document).ready(function() {
$("#permissionstree").treeview({animated: "fast", collapsed: true});
// Enforce Superlibrarian Privilege Mutual Exclusivity
if($('input[id="flag-0"]:checked').length){
if ($('input[name="flag"]:checked').length > 1){
alert(_("Inconsistency detected! The superlibrarian privilege is mutually exclusive of other privileges, as it includes them all. This patron's privileges will now be reset to include only superlibrarian."));
}
$('input[name="flag"]').each(function() {
if($(this).attr('id') != "flag-0"){
$(this).prop('disabled', true);
$(this).prop('checked', false);
}
});
}
$('input#flag-0').click(function() {
if($('input[id="flag-0"]:checked').length){
$('input[name="flag"]').each(function() {
if($(this).attr('id') != "flag-0"){
$(this).prop('disabled', true);
$(this).prop('checked', false);
}
});
}
else {
$('input[name="flag"]').each(function() {
$(this).prop('disabled', false);
});
}
});
$(".flag").on("change",function(){
if( $(this).hasClass("parent") ){
toggleChildren(this);
} else {
toggleParent(this);
}
});
});
// manage checking/unchecking parent permissions
var originalChildStates = {}; /* keep track of subpermission checkbox values
so that user can recover from accidentally
toggling a parent/module permission */
function selectChildren(parentInput) {
var childListId = parentInput.id + '-children';
var list = document.getElementById(childListId);
var children = [];
if (list) {
var inputs = list.getElementsByTagName('input');
for (var i = 0; i < inputs.length; i++) {
if (inputs[i].type == 'checkbox') {
children.push(inputs[i]);
}
}
}
return children;
}
function toggleChildren(parentInput) {
var children = selectChildren(parentInput);
if (children.length == 0) {
return;
}
var checked = parentInput.checked;
if (checked && parentInput.parentNode.className == 'expandable') {
/* expand the tree */
$(".hitarea", parentInput.parentNode).click();
}
for (var i = 0; i < children.length; i++) {
if (checked) {
originalChildStates[children[i].id] = children[i].checked;
children[i].checked = checked;
} else {
if (children[i].id in originalChildStates) {
children[i].checked = originalChildStates[children[i].id];
} else {
children[i].checked = checked;
}
}
}
}
function toggleParent(childInput) {
originalChildStates[childInput.id] = childInput.checked;
if (childInput.checked) {
return;
}
var parentId = childInput.parentNode.parentNode.id.replace(/-children$/, '');;
var parentInput = document.getElementById(parentId);
if (parentInput) {
parentInput.checked = false;
}
}
</script>
</head>
<body id="pat_member-flags" class="pat">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'patron-search.inc' %]
<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/members/members-home.pl">Patrons</a> &rsaquo; Set permissions for [% surname %], [% firstname %]</div>
<div id="doc3" class="yui-t2">
<div id="bd">
<div id="yui-main">
<div class="yui-b">
[% INCLUDE 'members-toolbar.inc' %]
<form method="post" action="/cgi-bin/koha/members/member-flags.pl">
<input type="hidden" name="csrf_token" value="[% csrf_token %]" />
<input type="hidden" name="member" id="borrowernumber" value="[% borrowernumber %]" />
<input type="hidden" name="newflags" value="1" />
<h1>Set permissions for [% surname %], [% firstname %]</h1>
<!-- <ul id="permissionstree"><li class="root">All privileges<ul> -->
<ul id="permissionstree" class="treeview-grey">
<!-- <li class="folder-close">One level down<ul> -->
[% FOREACH loo IN loop %]
[% IF ( loo.expand ) %]
<li class="open">
[% ELSE %]
<li>
[% END %]
[% IF ( loo.checked ) %]
<input type="checkbox" class="flag parent" id="flag-[% loo.bit %]" name="flag" value="[% loo.flag %]" checked="checked" />
[% ELSE %]
<input type="checkbox" class="flag parent" id="flag-[% loo.bit %]" name="flag" value="[% loo.flag %]" />
[% END %]
<label class="permissioncode" for="flag-[% loo.bit %]">[% loo.flag %]</label>
<span class="permissiondesc">[% PROCESS main_permissions name=loo.flag %]</span>
[% IF ( loo.sub_perm_loop ) %]
<ul id="flag-[% loo.bit %]-children">
[% FOREACH sub_perm_loo IN loo.sub_perm_loop %]
<li>
[% IF ( sub_perm_loo.checked ) %]
<input type="checkbox" class="flag child" id="[% sub_perm_loo.id %]" name="flag" value="[% sub_perm_loo.perm %]" checked="checked" />
[% ELSE %]
<input type="checkbox" class="flag child" id="[% sub_perm_loo.id %]" name="flag" value="[% sub_perm_loo.perm %]" />
[% END %]
<label class="permissioncode" for="[% sub_perm_loo.id %]">[% sub_perm_loo.code %]</label>
<span class="permissiondesc">[% PROCESS sub_permissions name=sub_perm_loo.code %]</span>
</li>
[% END %]
</ul>
</li>
[% ELSE %]
</li>
[% END %]
[% END %]
<!-- </ul></li> -->
<!-- </ul></li></ul> -->
</ul>
<fieldset class="action"><input type="submit" value="Save" /> <a class="cancel" href="/cgi-bin/koha/members/moremember.pl?borrowernumber=[% borrowernumber %]">Cancel</a></fieldset>
</form>
</div>
</div>
<div class="yui-b">
[% INCLUDE 'circ-menu.inc' %]
</div>
</div>
[% INCLUDE 'intranet-bottom.inc' %]