From 49bd9bae3e0ac6ab0488f25e75d4eea416676e58 Mon Sep 17 00:00:00 2001
From: Amit Gupta <amit.gupta@informaticsglobal.com>
Date: Wed, 22 Jan 2020 21:37:22 +0530
Subject: [PATCH] Bug 22990: Add CSRF protection to boraccount, pay and
 suggestion

Signed-off-by: David Cook <dcook@prosentient.com.au>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Test plan would have been nioe.
Tested by changing MAX_AGE with suggestions.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 833d1dc8b082cc742b88e358edef77960b5ffc2f)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
---
 .../prog/en/modules/members/boraccount.tt         | 11 +++++++----
 .../intranet-tmpl/prog/en/modules/members/pay.tt  |  1 +
 .../prog/en/modules/suggestion/suggestion.tt      |  5 +++++
 members/boraccount.pl                             | 15 ++++++++++-----
 members/pay.pl                                    |  8 ++++++++
 suggestion/suggestion.pl                          |  9 ++++++---
 6 files changed, 37 insertions(+), 12 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/boraccount.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/boraccount.tt
index 5404672138..53c8cfd848 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/boraccount.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/boraccount.tt
@@ -55,7 +55,7 @@
 
 [% INCLUDE 'members-toolbar.inc' %]
 <h1>Account for [% INCLUDE 'patron-title.inc' %]</h1>
-<form action="/cgi-bin/koha/members/boraccount.pl" method="get"><input type="hidden" name="borrowernumber" id="borrowernumber" value="[% patron.borrowernumber | html %]" /></form>
+<form action="/cgi-bin/koha/members/boraccount.pl" method="get">[% INCLUDE 'csrf-token.inc' %]<input type="hidden" name="borrowernumber" id="borrowernumber" value="[% patron.borrowernumber | html %]" /></form>
 
 <!-- The manual invoice and credit buttons -->
 <div class="toptabs">
@@ -147,14 +147,14 @@
         [% END %]
         <a href="accountline-details.pl?accountlines_id=[% account.accountlines_id | uri %]" class="btn btn-default btn-xs details-action"><i class="fa fa-list"></i> Details</a>
         [% IF account.is_debit && account.amountoutstanding > 0 %]
-            <a class="btn btn-default btn-xs pay-action" href="/cgi-bin/koha/members/paycollect.pl?borrowernumber=[% account.borrowernumber | html %]&pay_individual=1&debit_type_code=[% account.debit_type_code | html %]&amount=[% account.amount | html %]&amountoutstanding=[% account.amountoutstanding | html %]&description=[% account.description | html %]&itemnumber=[% account.itemnumber | html %]&accountlines_id=[% account.accountlines_id | html %]"><i class="fa fa-money"></i> Pay</a>
+            <a class="btn btn-default btn-xs pay-action" href="/cgi-bin/koha/members/paycollect.pl?borrowernumber=[% account.borrowernumber | html %]&pay_individual=1&debit_type_code=[% account.debit_type_code | html %]&amount=[% account.amount | html %]&amountoutstanding=[% account.amountoutstanding | html %]&description=[% account.description | html %]&itemnumber=[% account.itemnumber | html %]&accountlines_id=[% account.accountlines_id | html %]&amp;csrf_token=[% csrf_token | html %]"><i class="fa fa-money"></i> Pay</a>
         [% END %]
         [% IF account.is_credit && account.status != 'VOID' %]
-          <a href="boraccount.pl?action=void&amp;accountlines_id=[% account.accountlines_id | uri %]&amp;borrowernumber=[% account.borrowernumber | uri %]" class="btn btn-default btn-xs void-action"><i class="fa fa-ban"></i> Void payment</a>
+          <a href="boraccount.pl?action=void&amp;accountlines_id=[% account.accountlines_id | uri %]&amp;borrowernumber=[% account.borrowernumber | uri %]&amp;csrf_token=[% csrf_token | uri %]" class="btn btn-default btn-xs void-action"><i class="fa fa-ban"></i> Void payment</a>
         [% END %]
         [% IF account.is_debit && account.amount == account.amountoutstanding && account.status != 'CANCELLED' && !(account.debit_type_code == 'PAYOUT') %]
           <form method="post" action="/cgi-bin/koha/members/cancel-charge.pl">
-            <input type="hidden" name="csrf_token" value="[% csrf_token | html %]">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="borrowernumber" value="[% patron.borrowernumber | html %]">
             <input type="hidden" name="accountlines_id" value="[% account.accountlines_id | html %]">
             <button type="submit" class="btn btn-default btn-xs cancel-action">
@@ -210,6 +210,7 @@
     <!-- Issue payout modal -->
     <div class="modal" id="issuePayoutModal" tabindex="-1" role="dialog" aria-labelledby="issuePayoutLabel">
         <form  id="payout_form" action="/cgi-bin/koha/members/boraccount.pl" method="get" enctype="multipart/form-data" class="validated">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="accountlines_id" value="" id="payoutline">
             <input type="hidden" name="action" value="payout">
             <input type="hidden" name="borrowernumber" value="[% account.borrowernumber | html %]">
@@ -264,6 +265,7 @@
     <!-- Issue refund modal -->
     <div class="modal" id="issueRefundModal" tabindex="-1" role="dialog" aria-labelledby="issueRefundLabel">
         <form  id="refund_form" action="/cgi-bin/koha/members/boraccount.pl" method="get" enctype="multipart/form-data" class="validated">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="accountlines_id" value="" id="refundline">
             <input type="hidden" name="action" value="refund">
             <input type="hidden" name="borrowernumber" value="[% account.borrowernumber | html %]">
@@ -321,6 +323,7 @@
     <!-- Apply discount modal -->
     <div class="modal" id="applyDiscountModal" tabindex="-1" role="dialog" aria-labelledby="applyDiscountLabel">
         <form  id="discount_form" action="/cgi-bin/koha/members/boraccount.pl" method="get" enctype="multipart/form-data" class="validated">
+            [% INCLUDE 'csrf-token.inc' %]
             <input type="hidden" name="accountlines_id" value="" id="discountline">
             <input type="hidden" name="action" value="discount">
             <input type="hidden" name="borrowernumber" value="[% account.borrowernumber | html %]">
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/pay.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/pay.tt
index 9dfd317c8b..45b54288b0 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/pay.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/pay.tt
@@ -70,6 +70,7 @@
 [% IF ( accounts ) %]
     <form action="/cgi-bin/koha/members/pay.pl" method="post" id="pay-fines-form">
     <input type="hidden" name="borrowernumber" id="borrowernumber" value="[% patron.borrowernumber | html %]" />
+    [% INCLUDE 'csrf-token.inc' %]
 <p><span class="checkall"><a id="CheckAll" href="#"><i class="fa fa-check"></i> Select all</a></span> | <span class="clearall"><a id="CheckNone" href="#"><i class="fa fa-remove"></i> Clear all</a></span></p>
 <table id="finest">
 <thead>
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/suggestion/suggestion.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/suggestion/suggestion.tt
index dfdc1b547a..ff8d301775 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/suggestion/suggestion.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/suggestion/suggestion.tt
@@ -90,6 +90,8 @@
         [% END #/ WRAPPER breadcrumbs %]
     [% END #/ WRAPPER sub-header.inc %]
 
+    [% INCLUDE 'blocking_errors.inc' %]
+
     [% IF ( op == 'show' ) %]
         <div class="main container-fluid">
             <div class="row">
@@ -337,6 +339,7 @@
             [% END %]
 
             <form id="add_edit" action="suggestion.pl" method="post" class="validated">
+                [% INCLUDE 'csrf-token.inc' %]
                 <input type="hidden" name="redirect" id="redirect" value="[% redirect | html %]" />
                 <input type="hidden" name="borrowernumber" id="borrowernumber" value="[% borrowernumber | html %]" />
                 [% IF ( suggestionid ) %]
@@ -709,6 +712,7 @@
                     [% FOREACH suggestion IN suggestions %]
                         [% WRAPPER tab_panel tabname= suggestion.suggestiontype %]
                             <form class="update_suggestions" name="f" method="post" action="/cgi-bin/koha/suggestion/suggestion.pl#[% suggestion.suggestiontype| uri %]">
+                            [% INCLUDE 'csrf-token.inc' %]
 
                                 [% IF suggestion.suggestions.size %]
                                     <p>
@@ -995,6 +999,7 @@
                 <div class="col-sm-2 col-sm-pull-10">
                     <aside>
                         <form name="suggestionfilter" action="suggestion.pl" method="get">
+                            [% INCLUDE 'csrf-token.inc' %]
                             <input type="hidden" name="branchcode" value="[% branchfilter | html %]" />
                             <fieldset class="brief">
                                 <h4>Organize by:</h4>
diff --git a/members/boraccount.pl b/members/boraccount.pl
index 2d625a459c..72725b57f1 100755
--- a/members/boraccount.pl
+++ b/members/boraccount.pl
@@ -70,6 +70,7 @@ output_and_exit_if_error( $input, $cookie, $template, { module => 'members', log
 my $registerid = $input->param('registerid');
 
 if ( $action eq 'void' ) {
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
     my $payment_id = scalar $input->param('accountlines_id');
     my $payment    = Koha::Account::Lines->find( $payment_id );
     $payment->void(
@@ -82,8 +83,10 @@ if ( $action eq 'void' ) {
 }
 
 if ( $action eq 'payout' ) {
-    my $payment_id       = scalar $input->param('accountlines_id');
-    my $amount           = scalar $input->param('amount');
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
+    my $payment_id  = scalar $input->param('accountlines_id');
+    my $payment     = Koha::Account::Lines->find($payment_id);
+    my $amount      = scalar $input->param('amount');
     my $payout_type = scalar $input->param('payout_type');
     if ( $payment_id eq "" ) {
         $schema->txn_do(
@@ -120,9 +123,10 @@ if ( $action eq 'payout' ) {
 }
 
 if ( $action eq 'refund' ) {
-    my $charge_id        = scalar $input->param('accountlines_id');
-    my $charge           = Koha::Account::Lines->find($charge_id);
-    my $amount           = scalar $input->param('amount');
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
+    my $charge_id   = scalar $input->param('accountlines_id');
+    my $charge      = Koha::Account::Lines->find($charge_id);
+    my $amount      = scalar $input->param('amount');
     my $refund_type = scalar $input->param('refund_type');
     $schema->txn_do(
         sub {
@@ -153,6 +157,7 @@ if ( $action eq 'refund' ) {
 }
 
 if ( $action eq 'discount' ) {
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
     my $charge_id        = scalar $input->param('accountlines_id');
     my $charge           = Koha::Account::Lines->find($charge_id);
     my $amount           = scalar $input->param('amount');
diff --git a/members/pay.pl b/members/pay.pl
index 27181164ad..adc34b37c3 100755
--- a/members/pay.pl
+++ b/members/pay.pl
@@ -77,22 +77,28 @@ $user ||= q{};
 our $branch = C4::Context->userenv->{'branch'};
 
 if ( $input->param('paycollect') ) {
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
     print $input->redirect(
         "/cgi-bin/koha/members/paycollect.pl?borrowernumber=$borrowernumber&change_given=$change_given");
 }
 elsif ( $input->param('payselected') ) {
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
     payselected({ params => \@names });
 }
 elsif ( $input->param('writeoff_selected') ) {
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
     payselected({ params => \@names, type => 'WRITEOFF' });
 }
 elsif ( $input->param('woall') ) {
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
     writeoff_all(@names);
 }
 elsif ( $input->param('apply_credits') ) {
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
     apply_credits({ patron => $patron, cgi => $input });
 }
 elsif ( $input->param('confirm_writeoff') ) {
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
     my $item_id         = $input->param('itemnumber');
     my $accountlines_id = $input->param('accountlines_id');
     my $amount          = $input->param('amountwrittenoff');
@@ -129,9 +135,11 @@ elsif ( $input->param('confirm_writeoff') ) {
 
 for (@names) {
     if (/^pay_indiv_(\d+)$/) {
+        output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
         my $line_no = $1;
         redirect_to_paycollect( 'pay_individual', $line_no );
     } elsif (/^wo_indiv_(\d+)$/) {
+        output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
         my $line_no = $1;
         redirect_to_paycollect( 'writeoff_individual', $line_no );
     }
diff --git a/suggestion/suggestion.pl b/suggestion/suggestion.pl
index b2cbf3a639..3a5b673b16 100755
--- a/suggestion/suggestion.pl
+++ b/suggestion/suggestion.pl
@@ -21,7 +21,7 @@ use Modern::Perl;
 require Exporter;
 use CGI qw ( -utf8 );
 use C4::Auth qw( get_template_and_user );
-use C4::Output qw( output_html_with_http_headers );
+use C4::Output qw( output_html_with_http_headers output_and_exit_if_error );
 use C4::Suggestions;
 use C4::Koha qw( GetAuthorisedValues );
 use C4::Budgets qw( GetBudget GetBudgets GetBudgetHierarchy CanUserUseBudget );
@@ -134,6 +134,7 @@ my $branchfilter = $input->param('branchcode') || C4::Context->userenv->{'branch
 ##
 
 if ( $op =~ /save/i ) {
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
     my @messages;
     my $biblio = MarcRecordFromNewSuggestion({
             title => $suggestion_only->{title},
@@ -251,7 +252,8 @@ elsif ($op=~/add/) {
     $op ='save';
 }
 elsif ($op=~/edit/) {
-    #Edit suggestion  
+    #Edit suggestion
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
     $suggestion_ref=&GetSuggestion($$suggestion_ref{'suggestionid'});
     $suggestion_ref->{reasonsloop} = $reasonsloop;
     my $other_reason = 1;
@@ -266,7 +268,7 @@ elsif ($op=~/edit/) {
     $op ='save';
 }  
 elsif ($op eq "update_status" ) {
-
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
     my $suggestion;
     # set accepted/rejected/managed informations if applicable
     # ie= if the librarian has chosen some action on the suggestions
@@ -303,6 +305,7 @@ elsif ($op eq "update_status" ) {
     }
     redirect_with_params($input);
 }elsif ($op eq "delete" ) {
+    output_and_exit_if_error($input, $cookie, $template, { check => 'csrf_token' });
     foreach my $delete_field (@editsuggestions) {
         &DelSuggestion( $borrowernumber, $delete_field,'intranet' );
     }
-- 
2.39.2