From eec0fb831a55b60ae847fe39d102253d82b03f4f Mon Sep 17 00:00:00 2001
From: Lucas Gass <lucas@bywatersolutions.com>
Date: Fri, 28 Jul 2023 14:51:25 +0000
Subject: [PATCH] Bug 34368: Add CSRF token to Content Management pages

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
---
 .../prog/en/modules/tools/additional-contents.tt              | 2 ++
 tools/additional-contents.pl                                  | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/additional-contents.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/additional-contents.tt
index 5c68c3896a..f8b1f6e478 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/additional-contents.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/additional-contents.tt
@@ -186,6 +186,7 @@
     </div>
 
     <form id="add_additional_content" method="post" action="/cgi-bin/koha/tools/additional-contents.pl" class="validate">
+        [% INCLUDE 'csrf-token.inc' %]
         <input type="hidden" name="op" value="add_validate" />
         <input type="hidden" name="category" value="[% category | html %]" />
         <input type="hidden" name="code" value="[% additional_content.code | html %]" />
@@ -412,6 +413,7 @@
             <fieldset class="action"><input type="submit" class="button" value="Delete selected" /></fieldset>
         </form>
         <form action="/cgi-bin/koha/tools/additional-contents.pl" method="post" id="delete_single">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" id="del_op" name="op" value="delete_confirmed" />
             <input type="hidden" id="del_category" name="category" value="[% category | html %]" />
             <input type="hidden" id="del_ids" name="ids" />
diff --git a/tools/additional-contents.pl b/tools/additional-contents.pl
index de36d5d8e6..71c03ae55d 100755
--- a/tools/additional-contents.pl
+++ b/tools/additional-contents.pl
@@ -28,7 +28,7 @@ use C4::Auth qw(get_template_and_user);
 use C4::Koha;
 use C4::Context;
 use C4::Log qw( logaction );
-use C4::Output qw(output_html_with_http_headers);
+use C4::Output qw(output_html_with_http_headers output_and_exit_if_error);
 use C4::Languages qw(getTranslatedLanguages);
 use Koha::DateUtils qw( dt_from_string output_pref );
 
@@ -84,6 +84,7 @@ if ( $op eq 'add_form' ) {
     );
 }
 elsif ( $op eq 'add_validate' ) {
+    output_and_exit_if_error($cgi, $cookie, $template, { check => 'csrf_token' });
     my $location   = $cgi->param('location');
     my $code       = $cgi->param('code');
     my $branchcode = $cgi->param('branchcode') || undef;
@@ -202,6 +203,7 @@ elsif ( $op eq 'add_validate' ) {
     }
 }
 elsif ( $op eq 'delete_confirmed' ) {
+    output_and_exit_if_error($cgi, $cookie, $template, { check => 'csrf_token' });
     my @ids = $cgi->multi_param('ids');
     my $deleted = eval {
 
-- 
2.39.5