From eec0fb831a55b60ae847fe39d102253d82b03f4f Mon Sep 17 00:00:00 2001 From: Lucas Gass Date: Fri, 28 Jul 2023 14:51:25 +0000 Subject: [PATCH] Bug 34368: Add CSRF token to Content Management pages Signed-off-by: Tomas Cohen Arazi --- .../prog/en/modules/tools/additional-contents.tt | 2 ++ tools/additional-contents.pl | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/additional-contents.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/additional-contents.tt index 5c68c3896a..f8b1f6e478 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/additional-contents.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/additional-contents.tt @@ -186,6 +186,7 @@
+ [% INCLUDE 'csrf-token.inc' %] @@ -412,6 +413,7 @@
+ [% INCLUDE 'csrf-token.inc' %] diff --git a/tools/additional-contents.pl b/tools/additional-contents.pl index de36d5d8e6..71c03ae55d 100755 --- a/tools/additional-contents.pl +++ b/tools/additional-contents.pl @@ -28,7 +28,7 @@ use C4::Auth qw(get_template_and_user); use C4::Koha; use C4::Context; use C4::Log qw( logaction ); -use C4::Output qw(output_html_with_http_headers); +use C4::Output qw(output_html_with_http_headers output_and_exit_if_error); use C4::Languages qw(getTranslatedLanguages); use Koha::DateUtils qw( dt_from_string output_pref ); @@ -84,6 +84,7 @@ if ( $op eq 'add_form' ) { ); } elsif ( $op eq 'add_validate' ) { + output_and_exit_if_error($cgi, $cookie, $template, { check => 'csrf_token' }); my $location = $cgi->param('location'); my $code = $cgi->param('code'); my $branchcode = $cgi->param('branchcode') || undef; @@ -202,6 +203,7 @@ elsif ( $op eq 'add_validate' ) { } } elsif ( $op eq 'delete_confirmed' ) { + output_and_exit_if_error($cgi, $cookie, $template, { check => 'csrf_token' }); my @ids = $cgi->multi_param('ids'); my $deleted = eval { -- 2.39.5