From 077636977606357d0634c7cad81f5eb38f6bbce3 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Fri, 5 Apr 2024 08:58:06 +0200
Subject: [PATCH] Bug 36532: Protect opac-dismiss-message.pl from malicious usages

Really bad design, NEVER retrieve the logged in user from the CGI param! See comment 1 for more info

Signed-off-by: Owen Leonard
Signed-off-by: David Cook
Signed-off-by: Tomas Cohen Arazi
---
 .../opac-tmpl/bootstrap/en/includes/opac-note.inc | 1 -
 opac/opac-dismiss-message.pl | 12 ++++++++----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-note.inc b/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-note.inc
index 71cea64f55..4d995b49b8 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-note.inc
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-note.inc
@@ -10,7 +10,6 @@
[% INCLUDE 'csrf-token.inc' %] -
diff --git a/opac/opac-dismiss-message.pl b/opac/opac-dismiss-message.pl
index 9c3efe6b25..9ee8f61eb7 100755
--- a/opac/opac-dismiss-message.pl
+++ b/opac/opac-dismiss-message.pl
@@ -36,10 +36,14 @@ my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
 }
 );
 
-my $patron_id = $query->param('patron_id');
-my $patron = Koha::Patrons->find( $patron_id );
-my $message_id = $query->param('message_id');
-my $message = $patron->messages->find( $message_id );
+my $logged_in_user = Koha::Patrons->find($borrowernumber);
+my $message_id = $query->param('message_id');
+my $message = $logged_in_user->messages->find($message_id);
+
+unless ($message) {
+    print $query->redirect("/cgi-bin/koha/errors/404.pl");
+    exit;
+}
 
 unless ( $op =~ /^cud-/ && $message ) {
 # exit early
-- 
2.39.5
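Review bot: With the new `unless ($message)` guard in place, the `&& $message` in the following `unless ( $op =~ /^cud-/ && $message )` is dead — `$message` is always defined once that line runs — so it should read `unless ( $op =~ /^cud-/ ) {` rather than imply a second code path. The `cud-` op check could also move ahead of the lookup so a request with a non-mutating op is rejected before `Koha::Patrons` and `->messages` are queried at all. `Koha::Patrons->find($borrowernumber)` is not checked for definedness; if the get_template_and_user options (outside the hunk) ever allowed anonymous access, `$logged_in_user->messages` would die on an undef object, so either a matching `unless ($logged_in_user)` guard next to the message one or a comment stating that this script requires an authenticated session would make the assumption explicit. The remainder of the script continues outside the hunk.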