From ab2774aaabb47250c946df984bf56dc7d90b5a08 Mon Sep 17 00:00:00 2001
From: Marcel de Rooy
Date: Mon, 24 Jan 2022 10:24:08 +0000
Subject: [PATCH] Bug 29931: [21.05.x] Check cookie status before continuing

Test plan:
Logout from staff. Try to run plugins-enable (you should have some active plugin). Like: https://yourserver:staffport/cgi-bin/koha/plugins/plugins-enable.pl?class=Koha::Plugin::Test&method=enable Replace class and method as appropriate. Verify that with this patch, you will be redirected to 401 page.

Signed-off-by: Marcel de Rooy
Signed-off-by: Jonathan Druart
Signed-off-by: Jonathan Druart

Bug 29931: (follow-up) Similar thing in opac-patron-image.pl Although less harmful indeed. No borrowernumber, no image.

Signed-off-by: Marcel de Rooy

Tested: logged in, logged out, prefs toggled. All fine.
Signed-off-by: Jonathan Druart

Bug 29931: (follow-up) Fix svc/checkouts and return_claims too Adding the same auth_status check here too.

Signed-off-by: Marcel de Rooy
Signed-off-by: Jonathan Druart
Signed-off-by: Wainui Witika-Park
---
 opac/opac-patron-image.pl | 13 +++++++------
 plugins/plugins-enable.pl | 7 +++++--
 svc/checkouts | 7 +++++--
 svc/return_claims | 7 +++++--
 4 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/opac/opac-patron-image.pl b/opac/opac-patron-image.pl
index 6c24e48420..4db1a91421 100755
--- a/opac/opac-patron-image.pl
+++ b/opac/opac-patron-image.pl
@@ -32,13 +32,14 @@ unless (C4::Context->preference('OPACpatronimages')) {
     exit;
 }
 
-my $needed_flags;
-my %cookies = CGI::Cookie->fetch;
-my $sessid = $cookies{'CGISESSID'}->value;
-my ($auth_status, $auth_sessid) = check_cookie_auth($sessid, $needed_flags);
-my $borrowernumber = C4::Context->userenv->{'number'};
+my ($auth_status) = check_cookie_auth( $query->cookie('CGISESSID') );
+if( $auth_status ne 'ok' ) {
+    print CGI::header( '-status' => '401' );
+    exit 0;
+}
 
-my $patron_image = Koha::Patron::Images->find($borrowernumber);
+my $userenv = C4::Context->userenv;
+my $patron_image = $userenv ? Koha::Patron::Images->find( $userenv->{number} ) : undef;
 
 if ($patron_image) {
     print $query->header(
diff --git a/plugins/plugins-enable.pl b/plugins/plugins-enable.pl
index 30d1e3eaad..deb4cac525 100755
--- a/plugins/plugins-enable.pl
+++ b/plugins/plugins-enable.pl
@@ -28,8 +28,11 @@ die("Koha plugins are disabled!")
 
 my $input = new CGI;
 
-my ( $auth_status, $sessionID ) =
-    check_cookie_auth( $input->cookie('CGISESSID'), { plugins => 'manage' } );
+my ( $auth_status ) = check_cookie_auth( $input->cookie('CGISESSID'), { plugins => 'manage' } );
+if( $auth_status ne 'ok' ) {
+    print CGI::header( '-status' => '401' );
+    exit 0;
+}
 
 my $class = $input->param('class');
 my $method = $input->param('method');
diff --git a/svc/checkouts b/svc/checkouts
index 16fe6cf9f0..72d2ea48c0 100755
--- a/svc/checkouts
+++ b/svc/checkouts
@@ -33,8 +33,11 @@ use Koha::ItemTypes;
 
 my $input = new CGI;
 
-my ( $auth_status, $sessionID ) =
-    check_cookie_auth( $input->cookie('CGISESSID'));
+my ( $auth_status, $sessionID ) = check_cookie_auth( $input->cookie('CGISESSID'));
+if( $auth_status ne 'ok' ) {
+    print CGI::header( '-status' => '401' );
+    exit 0;
+}
 
 my $session = get_session($sessionID);
 my $userid = $session->param('id');
diff --git a/svc/return_claims b/svc/return_claims
index e10d5f174e..56e9faf779 100755
--- a/svc/return_claims
+++ b/svc/return_claims
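Review bot: The new 401 reply in opac/opac-patron-image.pl is emitted with `print CGI::header( '-status' => '401' );` while the rest of this script, including the context line `print $query->header(` a few lines below, goes through the `$query` CGI object; `print $query->header( -status => '401' );` keeps a single way of emitting headers in the file. The `$userenv ? Koha::Patron::Images->find( $userenv->{number} ) : undef` guard is the non-obvious part of the hunk and deserves a why-comment, e.g. `# an 'ok' auth status does not guarantee a patron userenv; no borrowernumber, no image`. The same four-line 401 block is repeated in plugins/plugins-enable.pl, svc/checkouts and svc/return_claims; a small helper in C4::Auth that performs the check and exits would keep the four copies from drifting apart. The `unless` block closed by the hunk's first two lines starts outside the hunk.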
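Review bot: In plugins/plugins-enable.pl the added `if( $auth_status ne 'ok' )` exit is the line that actually gates the request; before it, `check_cookie_auth()` was called but its result never consulted, so the `$input->param('class')` and `$input->param('method')` values read below were presumably acted on regardless of the session, which is what the test plan's 401 check confirms. A why-comment would stop a future refactor from dropping it: `# check_cookie_auth() only reports the status; without this exit the class/method handling below runs without a valid session`. Because the status string is the same whether there is no session or the session lacks `plugins => 'manage'`, a 401 is sent in both cases; if callers need to tell them apart, a 403 for the permission case would require check_cookie_auth to expose that distinction, which this hunk does not show. The test plan drives this endpoint with a GET URL carrying class and method; a cookie check alone does not address cross-site request forgery for a state-changing action, so a CSRF token or POST-only handling may be worth a follow-up. The same gate is added identically in svc/checkouts and svc/return_claims, where `$sessionID` is passed to `get_session()` only after the status check, so those hunks need no separate note.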
@@ -31,8 +31,11 @@ use Koha::Patrons;
 
 my $input = new CGI;
 
-my ( $auth_status, $sessionID ) =
-    check_cookie_auth( $input->cookie('CGISESSID') );
+my ( $auth_status, $sessionID ) = check_cookie_auth( $input->cookie('CGISESSID') );
+if( $auth_status ne 'ok' ) {
+    print CGI::header( '-status' => '401' );
+    exit 0;
+}
 
 my $session = get_session($sessionID);
 my $userid = $session->param('id');
-- 
2.39.5