From e038ec2709080faaa76c29334bfcffbd00f74a9c Mon Sep 17 00:00:00 2001
From: Kyle M Hall
Date: Thu, 27 Jul 2023 07:45:57 -0400
Subject: [PATCH] Bug 30524: (QA follow-up) Only generate CSRF token if it will be used
This patch avoids generating CSRF tokens unless the csrf-token.inc file is included in the template. Passed token doesn't need HTML escaped. The docs for WWW::CSRF state: The returned CSRF token is in a text-only form suitable for inserting into a HTML form without further escaping (assuming you did not send in strange things to the Time option).
Signed-off-by: Tomas Cohen Arazi
(cherry picked from commit ddf1eb6cef14da365675890920ff72f010c59527)
Signed-off-by: Fridolin Somers
(cherry picked from commit 73ca151686b682aaa2b950ccbc89fcec14514112)
Signed-off-by: Matt Blenkinsop
(cherry picked from commit b1bd7ec29a0febddc210dbdc3bef0a78e37c7719)
---
 C4/Auth.pm | 1 -
 Koha/Template/Plugin/Koha.pm | 27 +++++++++++++++++++
 .../prog/en/includes/csrf-token.inc | 4 ++-
 3 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/C4/Auth.pm b/C4/Auth.pm
index 24ddc6c27a..bb3f661b14 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -303,7 +303,6 @@ sub get_template_and_user {
 $template->param( loggedinusernumber => $borrowernumber ); # FIXME Should be replaced with logged_in_user.borrowernumber
 $template->param( logged_in_user => $patron );
 $template->param( sessionID => $sessionID );
- $template->param( csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $sessionID }));
 if ( $in->{'type'} eq 'opac' ) {
 require Koha::Virtualshelves;
diff --git a/Koha/Template/Plugin/Koha.pm b/Koha/Template/Plugin/Koha.pm
index 5e7a303f70..ec5f975eb7 100644
--- a/Koha/Template/Plugin/Koha.pm
+++ b/Koha/Template/Plugin/Koha.pm
@@ -22,6 +22,7 @@ use Modern::Perl;
 use base qw( Template::Plugin );
 use C4::Context;
+use Koha::Token;
 use Koha;
 =head1 NAME
@@ -48,8 +49,22 @@ is necessary.
 =head2 Class Methods
+=head3 new
+
+This new method allows us to store the context which gives us
+access to the template vars already set. In particular this gives
+us access to the template vars set by C4::Auth::get_template_and_user
+
 =cut
+sub new {
+ my ( $class, $context ) = @_;
+ bless {
+ _CONTEXT => $context,
+ }, $class;
+}
+
+
 sub Preference {
 my ( $self, $pref ) = @_;
 return C4::Context->preference( $pref );
@@ -84,4 +99,16 @@ sub Version {
 };
 }
+=head3 GenerateCSRF
+
+Generate a new CSRF token.
+
+=cut
+
+sub GenerateCSRF {
+ my ($self) = @_;
+ my $session_id = $self->{_CONTEXT}->stash->{sessionID};
+ return Koha::Token->new->generate_csrf( { session_id => scalar $session_id } );
+}
+
 1;
diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/csrf-token.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/csrf-token.inc
index 703d4eb036..bfc221faf4 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/csrf-token.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/csrf-token.inc
@@ -1 +1,3 @@
-
+[%- USE Koha %]
+[%- USE raw %]
+
-- 
2.39.5
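Review bot: The new `new` constructor in the Koha.pm plugin hunk returns the result of `bless` implicitly, while the rest of this file (`Preference`, and the `GenerateCSRF` added further down) uses an explicit `return`; for consistency it should read `return bless { _CONTEXT => $context }, $class;`. The POD above it would also help a reader more if it said what the stored value is: Template::Plugin's constructor signature is `new($class, $context, @params)`, so `_CONTEXT` is the Template::Context object Template Toolkit hands in on `USE Koha`, and its `stash` is what later gives access to the variables set by `C4::Auth::get_template_and_user`. Note that `Preference`'s closing brace lies outside this hunk.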
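Review bot: `GenerateCSRF` passes whatever is in the stash under `sessionID` straight to `generate_csrf`, so a template that reaches csrf-token.inc without having gone through `get_template_and_user` would hand over an undefined session id and, unless Koha::Token rejects that itself (not visible in this patch), emit a token bound to no session. An explicit guard such as `die "GenerateCSRF: sessionID missing from template stash" unless defined $session_id;` turns that into a visible failure at render time instead of a form that silently fails CSRF validation later. Separately, `scalar $session_id` is a no-op on a lexical scalar, so `session_id => $session_id` is enough.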
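Review bot: The third added line of csrf-token.inc, which presumably is the hidden input that prints the token, comes through blank in this patch (as does the removed line), so the actual output expression cannot be reviewed here; with `USE raw` now imported it is presumably rendered via `$raw`. Since that bypasses the template's HTML escaping, a short template comment recording why it is safe would protect the next editor from "fixing" it or reusing the pattern, e.g. `[%# The CSRF token is text-only per the WWW::CSRF docs, so it may be output unescaped %]`. The unescaped output should remain limited to that single token value.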