From d8063a332ce51c8cebb564a164486012886f7311 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Thu, 14 Mar 2024 16:19:06 +0100 Subject: [PATCH] Bug 24879: Add check_cookie_auth when missing This can certainly be improved to adjust the permissions, but at least they are no longer opened to the world.. Signed-off-by: Martin Renvoize Signed-off-by: Lucas Gass --- acqui/check_uniqueness.pl | 7 +++++++ catalogue/image.pl | 7 +++++++ cataloguing/plugin_launcher.pl | 8 ++++++++ cataloguing/value_builder/barcode.pl | 10 ++++++++++ cataloguing/value_builder/barcode_manual.pl | 10 ++++++++++ cataloguing/value_builder/dateaccessioned.pl | 10 ++++++++++ cataloguing/value_builder/marc21_field_005.pl | 10 ++++++++++ cataloguing/value_builder/marc21_field_245h.pl | 12 +++++++++++- cataloguing/value_builder/marc21_field_260b.pl | 10 ++++++++++ cataloguing/value_builder/marc21_orgcode.pl | 9 +++++++++ cataloguing/value_builder/stocknumber.pl | 9 +++++++++ cataloguing/value_builder/upload.pl | 10 ++++++++++ labels/label-create-csv.pl | 6 ++++++ labels/label-create-xml.pl | 6 ++++++ serials/lateissues-export.pl | 7 +++++++ 15 files changed, 130 insertions(+), 1 deletion(-) diff --git a/acqui/check_uniqueness.pl b/acqui/check_uniqueness.pl index b665b34c3a..791814095f 100755 --- a/acqui/check_uniqueness.pl +++ b/acqui/check_uniqueness.pl @@ -37,6 +37,13 @@ use C4::Output qw( output_with_http_headers ); use C4::Items qw( SearchItems ); my $input = CGI->new; +my ($auth_status) = + check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } ); +if ( $auth_status ne "ok" ) { + print $input->header( -type => 'text/plain', -status => '403 Forbidden' ); + exit 0; +} + my @field = $input->multi_param('field[]'); my @value = $input->multi_param('value[]'); diff --git a/catalogue/image.pl b/catalogue/image.pl index 41eebc019c..efdcae4937 100755 --- a/catalogue/image.pl +++ b/catalogue/image.pl @@ -33,6 +33,13 @@ use Koha::CoverImages; $| = 1; my $input = CGI->new; +my ($auth_status) = + check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } ); +if ( $auth_status ne "ok" ) { + print $input->header( -type => 'text/plain', -status => '403 Forbidden' ); + exit 0; +} + my $imagenumber; =head1 NAME diff --git a/cataloguing/plugin_launcher.pl b/cataloguing/plugin_launcher.pl index 90105f326c..b31ca52c89 100755 --- a/cataloguing/plugin_launcher.pl +++ b/cataloguing/plugin_launcher.pl @@ -19,10 +19,18 @@ use Modern::Perl; use CGI qw ( -utf8 ); +use C4::Auth qw( check_cookie_auth ); use Koha::FrameworkPlugin; my $input = CGI->new; +my ($auth_status) = + check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } ); +if ( $auth_status ne "ok" ) { + print $input->header( -type => 'text/plain', -status => '403 Forbidden' ); + exit 0; +} + my $plugin= Koha::FrameworkPlugin->new( { name => scalar $input->param("plugin_name"), }); diff --git a/cataloguing/value_builder/barcode.pl b/cataloguing/value_builder/barcode.pl index b166b46c4d..5ec7dbece4 100755 --- a/cataloguing/value_builder/barcode.pl +++ b/cataloguing/value_builder/barcode.pl @@ -29,6 +29,16 @@ use Koha::DateUtils qw( dt_from_string ); use Algorithm::CheckDigits qw( CheckDigits ); +use CGI qw ( -utf8 ); +use C4::Auth qw( check_cookie_auth ); +my $input = CGI->new; +my ($auth_status) = + check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } ); +if ( $auth_status ne "ok" ) { + print $input->header( -type => 'text/plain', -status => '403 Forbidden' ); + exit 0; +} + my $builder = sub { my ( $params ) = @_; my $function_name = $params->{id}; diff --git a/cataloguing/value_builder/barcode_manual.pl b/cataloguing/value_builder/barcode_manual.pl index a7d015ba7a..67891789e3 100755 --- a/cataloguing/value_builder/barcode_manual.pl +++ b/cataloguing/value_builder/barcode_manual.pl @@ -27,6 +27,16 @@ use C4::Barcodes::ValueBuilder; use C4::Biblio qw( GetMarcFromKohaField ); use Koha::DateUtils qw( dt_from_string ); +use CGI qw ( -utf8 ); +use C4::Auth qw( check_cookie_auth ); +my $input = CGI->new; +my ($auth_status) = + check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } ); +if ( $auth_status ne "ok" ) { + print $input->header( -type => 'text/plain', -status => '403 Forbidden' ); + exit 0; +} + my $builder = sub { my ( $params ) = @_; my $function_name = $params->{id}; diff --git a/cataloguing/value_builder/dateaccessioned.pl b/cataloguing/value_builder/dateaccessioned.pl index 808fc80116..c4f7746b7f 100755 --- a/cataloguing/value_builder/dateaccessioned.pl +++ b/cataloguing/value_builder/dateaccessioned.pl @@ -21,6 +21,16 @@ # along with Koha; if not, see . use Modern::Perl; +use CGI qw ( -utf8 ); +use C4::Auth qw( check_cookie_auth ); +my $input = CGI->new; +my ($auth_status) = + check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } ); +if ( $auth_status ne "ok" ) { + print $input->header( -type => 'text/plain', -status => '403 Forbidden' ); + exit 0; +} + my $builder = sub { my ( $params ) = @_; my $function_name = $params->{id}; diff --git a/cataloguing/value_builder/marc21_field_005.pl b/cataloguing/value_builder/marc21_field_005.pl index 545a1a4f91..6428bd61a9 100755 --- a/cataloguing/value_builder/marc21_field_005.pl +++ b/cataloguing/value_builder/marc21_field_005.pl @@ -21,6 +21,16 @@ use Modern::Perl; +use CGI qw ( -utf8 ); +use C4::Auth qw( check_cookie_auth ); +my $input = CGI->new; +my ($auth_status) = + check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } ); +if ( $auth_status ne "ok" ) { + print $input->header( -type => 'text/plain', -status => '403 Forbidden' ); + exit 0; +} + my $builder = sub { my ( $params ) = @_; my $function_name = $params->{id}; diff --git a/cataloguing/value_builder/marc21_field_245h.pl b/cataloguing/value_builder/marc21_field_245h.pl index 667ae2249a..4fe4a2f1e7 100755 --- a/cataloguing/value_builder/marc21_field_245h.pl +++ b/cataloguing/value_builder/marc21_field_245h.pl @@ -20,7 +20,17 @@ # along with Koha; if not, see . use Modern::Perl; -use C4::Context; + +use CGI qw ( -utf8 ); +use C4::Auth qw( check_cookie_auth ); +my $input = CGI->new; +my ($auth_status) = + check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } ); +if ( $auth_status ne "ok" ) { + print $input->header( -type => 'text/plain', -status => '403 Forbidden' ); + exit 0; +} + my $builder = sub { my ( $params ) = @_; diff --git a/cataloguing/value_builder/marc21_field_260b.pl b/cataloguing/value_builder/marc21_field_260b.pl index 406feb4122..e9a74a07ba 100755 --- a/cataloguing/value_builder/marc21_field_260b.pl +++ b/cataloguing/value_builder/marc21_field_260b.pl @@ -27,6 +27,16 @@ biblioitems.publishercode use Modern::Perl; use C4::Context; +use CGI qw ( -utf8 ); +use C4::Auth qw( check_cookie_auth ); +my $input = CGI->new; +my ($auth_status) = + check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } ); +if ( $auth_status ne "ok" ) { + print $input->header( -type => 'text/plain', -status => '403 Forbidden' ); + exit 0; +} + my $builder = sub { my ( $params ) = @_; my $function_name = $params->{id}; diff --git a/cataloguing/value_builder/marc21_orgcode.pl b/cataloguing/value_builder/marc21_orgcode.pl index aa9142cfc7..0dd985803c 100755 --- a/cataloguing/value_builder/marc21_orgcode.pl +++ b/cataloguing/value_builder/marc21_orgcode.pl @@ -24,6 +24,15 @@ use Modern::Perl; use C4::Context; use Koha::Libraries; +use CGI qw ( -utf8 ); +use C4::Auth qw( check_cookie_auth ); +my $input = CGI->new; +my ($auth_status) = + check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } ); +if ( $auth_status ne "ok" ) { + print $input->header( -type => 'text/plain', -status => '403 Forbidden' ); + exit 0; +} my $builder = sub { my ( $params ) = @_; diff --git a/cataloguing/value_builder/stocknumber.pl b/cataloguing/value_builder/stocknumber.pl index 51d7a1986c..61885d12b0 100755 --- a/cataloguing/value_builder/stocknumber.pl +++ b/cataloguing/value_builder/stocknumber.pl @@ -21,6 +21,15 @@ use Modern::Perl; use C4::Context; +use CGI qw ( -utf8 ); +use C4::Auth qw( check_cookie_auth ); +my $input = CGI->new; +my ($auth_status) = + check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } ); +if ( $auth_status ne "ok" ) { + print $input->header( -type => 'text/plain', -status => '403 Forbidden' ); + exit 0; +} my $builder = sub { my ( $params ) = @_; diff --git a/cataloguing/value_builder/upload.pl b/cataloguing/value_builder/upload.pl index 82b9816f62..eeb422d525 100755 --- a/cataloguing/value_builder/upload.pl +++ b/cataloguing/value_builder/upload.pl @@ -30,6 +30,16 @@ use Modern::Perl; # the possibility to delete the uploaded file. If the field is empty, you # can upload a new file. +use CGI qw ( -utf8 ); +use C4::Auth qw( check_cookie_auth ); +my $input = CGI->new; +my ($auth_status) = + check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } ); +if ( $auth_status ne "ok" ) { + print $input->header( -type => 'text/plain', -status => '403 Forbidden' ); + exit 0; +} + my $builder = sub { my ( $params ) = @_; return <<"SCRIPT"; diff --git a/labels/label-create-csv.pl b/labels/label-create-csv.pl index 8c06a41a0b..80c662e85a 100755 --- a/labels/label-create-csv.pl +++ b/labels/label-create-csv.pl @@ -26,6 +26,12 @@ use Text::CSV_XS; use C4::Labels; my $cgi = CGI->new; +my ($auth_status) = + check_cookie_auth( $cgi->cookie('CGISESSID'), { catalogue => 1 } ); +if ( $auth_status ne "ok" ) { + print $cgi->header( -type => 'text/plain', -status => '403 Forbidden' ); + exit 0; +} my $batch_id; my @label_ids; diff --git a/labels/label-create-xml.pl b/labels/label-create-xml.pl index 3962cfb502..a3bec34ec0 100755 --- a/labels/label-create-xml.pl +++ b/labels/label-create-xml.pl @@ -26,6 +26,12 @@ use XML::Simple; use C4::Labels; my $cgi = CGI->new; +my ($auth_status) = + check_cookie_auth( $cgi->cookie('CGISESSID'), { catalogue => 1 } ); +if ( $auth_status ne "ok" ) { + print $cgi->header( -type => 'text/plain', -status => '403 Forbidden' ); + exit 0; +} my $batch_id; my @label_ids; diff --git a/serials/lateissues-export.pl b/serials/lateissues-export.pl index af83f2c6f6..f82b9f1e18 100755 --- a/serials/lateissues-export.pl +++ b/serials/lateissues-export.pl @@ -27,6 +27,13 @@ use Koha::CsvProfiles; use Text::CSV_XS; my $query = CGI->new; +my ($auth_status) = + check_cookie_auth( $query->cookie('CGISESSID'), { catalogue => 1 } ); +if ( $auth_status ne "ok" ) { + print $query->header( -type => 'text/plain', -status => '403 Forbidden' ); + exit 0; +} + my $supplierid = $query->param('supplierid'); my @serialids = $query->multi_param('serialid'); my $op = $query->param('op') || q{}; -- 2.39.5