Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/opac/opac-search-history.pl
Jonathan Druart f01720808a Bug 16593: Do not allow patrons to delete search history of others patrons 
A malicious user can delete the search history of all other users by
correctly guessing the ID value assigned to the victim's search. As
searches are assigned values sequentially, an attacker could quickly
remove the searches belonging to all of the application's users.

To reproduce:
Login with patron A
launch a search
Note the id generated for this search history:
select id from search_history order by id desc limit 1;
Login with patron B
Hit /cgi-bin/koha/opac-search-history.pl?action=delete&id=<ID>
Note that the row is deleted in the DB

Test plan
Confirm that this patch fixes the issue.
The same test can be made at the staff interface

Reported by Alex Middleton at Dionach

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-06-24 11:47:29 +00:00

160 lines
5 KiB
Perl
Executable file
Raw Blame History

#!/usr/bin/perl
# Copyright 2013 BibLibre SARL
#
# This file is part of Koha.
#
# Koha is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# Koha is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Koha; if not, see <http://www.gnu.org/licenses>.
use Modern::Perl;
use C4::Auth qw(:DEFAULT get_session);
use CGI qw ( -utf8 );
use C4::Context;
use C4::Output;
use C4::Log;
use C4::Items;
use C4::Debug;
use C4::Search::History;
use URI::Escape;
use POSIX qw(strftime);
my $cgi = new CGI;
# Getting the template and auth
my ($template, $loggedinuser, $cookie) = get_template_and_user(
{
template_name => "opac-search-history.tt",
query => $cgi,
type => "opac",
authnotrequired => 1,
flagsrequired => {borrowers => 1},
debug => 1,
}
);
my $type = $cgi->param('type');
my $action = $cgi->param('action') || q{};
my $previous = $cgi->param('previous');
# If the user is not logged in, we deal with the session
unless ( $loggedinuser ) {
# Deleting search history
if ( $action eq 'delete') {
# Deleting session's search history
my @id = $cgi->multi_param('id');
my $all = not scalar( @id );
my $type = $cgi->param('type');
my @searches = ();
unless ( $all ) {
@searches = C4::Search::History::get_from_session({ cgi => $cgi });
if ( $type ) {
@searches = map { $_->{type} ne $type ? $_ : () } @searches;
}
if ( @id ) {
@searches = map { my $search = $_; ( grep {/^$search->{id}$/} @id ) ? () : $_ } @searches;
}
}
C4::Search::History::set_to_session({ cgi => $cgi, search_history => \@searches });
# Redirecting to this same url so the user won't see the search history link in the header
print $cgi->redirect(-uri => '/cgi-bin/koha/opac-search-history.pl');
# Showing search history
} else {
# Getting the searches from session
my @current_searches = C4::Search::History::get_from_session({
cgi => $cgi,
});
my @current_biblio_searches = map {
$_->{type} eq 'biblio' ? $_ : ()
} @current_searches;
my @current_authority_searches = map {
$_->{type} eq 'authority' ? $_ : ()
} @current_searches;
$template->param(
current_biblio_searches => \@current_biblio_searches,
current_authority_searches => \@current_authority_searches,
);
}
} else {
# And if the user is logged in, we deal with the database
my $dbh = C4::Context->dbh;
# Deleting search history
if ( $action eq 'delete' ) {
my @id = $cgi->multi_param('id');
if ( @id ) {
C4::Search::History::delete(
{
userid => $loggedinuser,
id => [ $cgi->param('id') ],
}
);
} else {
C4::Search::History::delete(
{
userid => $loggedinuser,
}
);
}
# Redirecting to this same url so the user won't see the search history link in the header
print $cgi->redirect(-uri => '/cgi-bin/koha/opac-search-history.pl');
# Showing search history
} else {
my $current_searches = C4::Search::History::get({
userid => $loggedinuser,
sessionid => $cgi->cookie("CGISESSID")
});
my @current_biblio_searches = map {
$_->{type} eq 'biblio' ? $_ : ()
} @$current_searches;
my @current_authority_searches = map {
$_->{type} eq 'authority' ? $_ : ()
} @$current_searches;
my $previous_searches = C4::Search::History::get({
userid => $loggedinuser,
sessionid => $cgi->cookie("CGISESSID"),
previous => 1
});
my @previous_biblio_searches = map {
$_->{type} eq 'biblio' ? $_ : ()
} @$previous_searches;
my @previous_authority_searches = map {
$_->{type} eq 'authority' ? $_ : ()
} @$previous_searches;
$template->param(
current_biblio_searches => \@current_biblio_searches,
current_authority_searches => \@current_authority_searches,
previous_biblio_searches => \@previous_biblio_searches,
previous_authority_searches => \@previous_authority_searches,
);
}
}
$template->param(searchhistoryview => 1);
output_html_with_http_headers $cgi, $cookie, $template->output, undef, { force_no_caching => 1 };
View git blame Copy permalink