git.koha-community.org Git - koha.git/commit
Bug 17116: Fix CSRF in import_borrowers.pl
author Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Fri, 12 Aug 2016 10:36:06 +0000 (11:36 +0100)
committer Mason James <mtj@kohaaloha.com>
Wed, 3 May 2017 02:28:37 +0000 (14:28 +1200)
commit e1a72e9d21a1fab90257b5fde4579e2b6c6a6ee9
tree e0940f4383f64f293d66256d513e516090130b78
parent fd5e11dad2a5c918651ca895c781d5f3b6fdf2d8
Bug 17116: Fix CSRF in import_borrowers.pl

If an attacker can get an authenticated Koha user to visit their page
with the url below, they can change patrons' information

The exploit can be simulated triggering
  /tools/import_borrowers.pl?uploadborrowers=42

In that case it won't do anything wrong, but if you POST a valid file,
it could.

Test plan:
Trigger the url above
=> Without this patch, you will get the result page
=> With this patch, you will get the "Wrong CSRF token" error.

Regression test:
Import a valid file from the import patron form, everything should go
fine.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Mason James <mtj@kohaaloha.com>
koha-tmpl/intranet-tmpl/prog/en/modules/tools/import_borrowers.tt
tools/import_borrowers.pl
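As an added illustration of the class of fix this commit describes, and not Koha's own code from tools/import_borrowers.pl or its template, the following Python models the handler before and after a session-bound CSRF check: the HMAC-based token derivation, the secret, the session id and the parameter name csrf_token are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed server-side secret for the example; a real deployment keeps
# this out of the code base and rotates it.
SECRET_KEY = b"constructed-demo-secret"


def make_csrf_token(session_id):
    """Derive a token bound to the session, so a cross-site page cannot
    guess the value the server will expect."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def render_form(session_id):
    """Model of the template change: the import form embeds the token as a
    hidden field so a legitimate submission carries it."""
    token = make_csrf_token(session_id)
    return '<input type="hidden" name="csrf_token" value="%s" />' % token


def check_csrf(session_id, token):
    """Constant-time comparison; a missing token fails closed."""
    if not token:
        return False
    return hmac.compare_digest(make_csrf_token(session_id), token)


def import_borrowers_vulnerable(params, session_id):
    """Model of the pre-patch behaviour: the presence of 'uploadborrowers'
    alone triggers the action, so a forged GET from another site reaches
    the result page using the victim's session."""
    if params.get("uploadborrowers"):
        return "result page"
    return "import form"


def import_borrowers_fixed(params, session_id):
    """Model of the patched behaviour: the action is only performed when
    the request carries a token bound to the current session."""
    if params.get("uploadborrowers"):
        if not check_csrf(session_id, params.get("csrf_token")):
            return "Wrong CSRF token"
        return "result page"
    return "import form"
```

The forged request from the commit message, `/tools/import_borrowers.pl?uploadborrowers=42`, carries no token and is rejected by the fixed handler, while a submission from the rendered form still succeeds.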