From 4e40339db3209c913c79b935067e139b470255cc Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Thu, 29 Dec 2016 17:54:40 +0100
Subject: [PATCH] Bug 17830: CSRF - Handle unicode characters in userid
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

If the userid of the logged in user contains unicode characters, the token will not be generated correctly and Koha will crash with:
Wide character in subroutine entry at /usr/share/perl5/Digest/HMAC.pm line 63.

Test plan:
- Edit a superlibrarian user and set his/her userid to '❤' or any other strings with unicode characters.
- Login using this patron
- Search for patrons and click on a result.
=> Without this patch, you will get a software error (with "Wide character in subroutine entry" in the logs).
=> With this patch, everything will go fine
You can also test the other files modified by this patch.

Signed-off-by: Karam Qubsi
Signed-off-by: Kyle M Hall
---
 basket/sendbasket.pl | 4 ++--
 members/deletemem.pl | 4 ++--
 members/member-password.pl | 4 ++--
 members/memberentry.pl | 4 ++--
 members/moremember.pl | 2 +-
 opac/opac-memberentry.pl | 8 ++++----
 opac/opac-sendbasket.pl | 4 ++--
 tools/import_borrowers.pl | 4 ++--
 tools/picture-upload.pl | 6 +++---
 9 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/basket/sendbasket.pl b/basket/sendbasket.pl
index faeebf4d7f..ab29824a64 100755
--- a/basket/sendbasket.pl
+++ b/basket/sendbasket.pl
@@ -52,7 +52,7 @@ my $dbh = C4::Context->dbh;
 if ( $email_add ) {
     die "Wrong CSRF token" unless Koha::Token->new->check_csrf({
-        id => C4::Context->userenv->{id},
+        id => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ),
         secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
         token => scalar $query->param('csrf_token'),
     });
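Review bot: The `Encode::encode( 'UTF-8', ... )` wrapping of the token id is repeated verbatim at every `generate_csrf`/`check_csrf` call site in all nine files of this patch (basket/sendbasket.pl, members/deletemem.pl, members/member-password.pl, members/memberentry.pl, members/moremember.pl, opac/opac-memberentry.pl, opac/opac-sendbasket.pl, tools/import_borrowers.pl, tools/picture-upload.pl), so any future caller that passes the raw id will either hit the same wide-character crash or produce a token that never verifies against one generated elsewhere. Normalising the id to UTF-8 bytes once inside `Koha::Token`'s `generate_csrf` and `check_csrf` would make the HMAC input representation a property of the token module rather than of each caller, and the call sites could go back to `id => C4::Context->userenv->{id},`. The encoding is only correct here because the generating and checking sides apply it identically; a short comment at the first site such as `# id must be UTF-8 bytes: Digest::HMAC cannot take wide characters` would record why the wrapper exists. The `if ( $email_add ) {` block this hunk opens closes outside the hunk.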
@@ -177,7 +177,7 @@ else {
         suggestion => C4::Context->preference("suggestion"),
         virtualshelves => C4::Context->preference("virtualshelves"),
         csrf_token => Koha::Token->new->generate_csrf(
-            { id => C4::Context->userenv->{id},
+            { id => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ),
                 secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
             }
         ),
diff --git a/members/deletemem.pl b/members/deletemem.pl
index 15d1b2959f..9ab49fb9d5 100755
--- a/members/deletemem.pl
+++ b/members/deletemem.pl
@@ -148,7 +148,7 @@ if ( $op eq 'delete_confirm' or $countissues > 0 or $flags->{'CHARGES'} or $is_
     $template->param(
         op => 'delete_confirm',
         csrf_token => Koha::Token->new->generate_csrf(
-            { id => C4::Context->userenv->{id},
+            { id => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ),
                 secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
             }
         ),
@@ -158,7 +158,7 @@ if ( $op eq 'delete_confirm' or $countissues > 0 or $flags->{'CHARGES'} or $is_
     die "Wrong CSRF token" unless Koha::Token->new->check_csrf({
-        id => C4::Context->userenv->{id},
+        id => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ),
         secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
         token => scalar $input->param('csrf_token'),
     });
diff --git a/members/member-password.pl b/members/member-password.pl
index 82cd642b9a..1008cb60b6 100755
--- a/members/member-password.pl
+++ b/members/member-password.pl
@@ -69,7 +69,7 @@ if ( $newpassword && !scalar(@errors) ) {
     die "Wrong CSRF token" unless Koha::Token->new->check_csrf({
-        id => C4::Context->userenv->{id},
+        id => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ),
         secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
         token => scalar $input->param('csrf_token'),
     });
@@ -151,7 +151,7 @@ $template->param(
     minPasswordLength => $minpw,
     RoutingSerials => C4::Context->preference('RoutingSerials'),
     csrf_token => Koha::Token->new->generate_csrf({
-        id => C4::Context->userenv->{id},
+        id => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ),
         secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
     }),
 );
diff --git a/members/memberentry.pl b/members/memberentry.pl
index b9082e815e..2fcaa723ff 100755
--- a/members/memberentry.pl
+++ b/members/memberentry.pl
@@ -290,7 +290,7 @@ if ($op eq 'save' || $op eq 'insert'){
     die "Wrong CSRF token" unless Koha::Token->new->check_csrf({
-        id => C4::Context->userenv->{id},
+        id => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ),
         secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
         token => scalar $input->param('csrf_token'),
     });
@@ -753,7 +753,7 @@ $template->param(
 # Generate CSRF token
 $template->param(
     csrf_token => Koha::Token->new->generate_csrf(
-        { id => C4::Context->userenv->{id},
+        { id => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ),
             secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
         }
     ),
diff --git a/members/moremember.pl b/members/moremember.pl
index d637d1bcc5..55b09014e6 100755
--- a/members/moremember.pl
+++ b/members/moremember.pl
@@ -273,7 +273,7 @@ $template->param( picture => 1 ) if $patron_image;
 # Generate CSRF token for upload and delete image buttons
 $template->param(
     csrf_token => Koha::Token->new->generate_csrf({
-        id => C4::Context->userenv->{id},
+        id => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ),
         secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
     }),
 );
diff --git a/opac/opac-memberentry.pl b/opac/opac-memberentry.pl
index 59306bc550..c1610a17db 100755
--- a/opac/opac-memberentry.pl
+++ b/opac/opac-memberentry.pl
@@ -200,7 +200,7 @@ elsif ( $action eq 'update' ) {
     my $borrower = GetMember( borrowernumber => $borrowernumber );
     die "Wrong CSRF token" unless Koha::Token->new->check_csrf({
-        id => $borrower->{userid},
+        id => Encode::encode( 'UTF-8', $borrower->{userid} ),
         secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
         token => scalar $cgi->param('csrf_token'),
     });
@@ -221,7 +221,7 @@ elsif ( $action eq 'update' ) {
             invalid_form_fields => $invalidformfields,
             borrower => \%borrower,
             csrf_token => Koha::Token->new->generate_csrf({
-                id => $borrower->{userid},
+                id => Encode::encode( 'UTF-8', $borrower->{userid} ),
                 secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
             }),
         );
@@ -262,7 +262,7 @@ elsif ( $action eq 'update' ) {
             nochanges => 1,
             borrower => GetMember( borrowernumber => $borrowernumber ),
             csrf_token => Koha::Token->new->generate_csrf({
-                id => $borrower->{userid},
+                id => Encode::encode( 'UTF-8', $borrower->{userid} ),
                 secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
             }),
         );
@@ -285,7 +285,7 @@ elsif ( $action eq 'edit' ) { #Display logged in borrower's data
         guarantor => scalar Koha::Patrons->find($borrowernumber)->guarantor(),
         hidden => GetHiddenFields( $mandatory, 'modification' ),
         csrf_token => Koha::Token->new->generate_csrf({
-            id => $borrower->{userid},
+            id => Encode::encode( 'UTF-8', $borrower->{userid} ),
             secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
         }),
     );
diff --git a/opac/opac-sendbasket.pl b/opac/opac-sendbasket.pl
index 25b6eac907..c8c5e48c74 100755
--- a/opac/opac-sendbasket.pl
+++ b/opac/opac-sendbasket.pl
@@ -54,7 +54,7 @@ my $dbh = C4::Context->dbh;
 if ( $email_add ) {
     die "Wrong CSRF token" unless Koha::Token->new->check_csrf({
-        id => C4::Context->userenv->{id},
+        id => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ),
         secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
         token => scalar $query->param('csrf_token'),
     });
@@ -197,7 +197,7 @@ else {
         suggestion => C4::Context->preference("suggestion"),
         virtualshelves => C4::Context->preference("virtualshelves"),
         csrf_token => Koha::Token->new->generate_csrf(
-            { id => C4::Context->userenv->{id},
+            { id => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ),
                 secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
             }
         ),
diff --git a/tools/import_borrowers.pl b/tools/import_borrowers.pl
index f22f2efe22..daf7d590f5 100755
--- a/tools/import_borrowers.pl
+++ b/tools/import_borrowers.pl
@@ -112,7 +112,7 @@ $template->param( SCRIPT_NAME => '/cgi-bin/koha/tools/import_borrowers.pl' );
 if ( $uploadborrowers && length($uploadborrowers) > 0 ) {
     die "Wrong CSRF token" unless Koha::Token->new->check_csrf({
-        id => C4::Context->userenv->{id},
+        id => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ),
         secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
         token => scalar $input->param('csrf_token'),
     });
@@ -391,7 +391,7 @@ if ( $uploadborrowers && length($uploadborrowers) > 0 ) {
 $template->param(
     csrf_token => Koha::Token->new->generate_csrf(
-        { id => C4::Context->userenv->{id},
+        { id => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ),
             secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
         }
     ),
diff --git a/tools/picture-upload.pl b/tools/picture-upload.pl
index 87cac77db5..a3b549e503 100755
--- a/tools/picture-upload.pl
+++ b/tools/picture-upload.pl
@@ -88,7 +88,7 @@ if ( ( $op eq 'Upload' ) && $uploadfile ) {
     die "Wrong CSRF token" unless Koha::Token->new->check_csrf({
-        id => C4::Context->userenv->{id},
+        id => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ),
         secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
         token => scalar $input->param('csrf_token'),
     });
@@ -176,7 +176,7 @@ elsif ( ( $op eq 'Upload' ) && !$uploadfile ) {
 elsif ( $op eq 'Delete' ) {
     die "Wrong CSRF token" unless Koha::Token->new->check_csrf({
-        id => C4::Context->userenv->{id},
+        id => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ),
         secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
         token => scalar $input->param('csrf_token'),
     });
@@ -195,7 +195,7 @@ if ( $borrowernumber && !%errors && !$template->param('ERRORS') ) {
 else {
     $template->param(
         csrf_token => Koha::Token->new->generate_csrf({
-            id => C4::Context->userenv->{id},
+            id => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ),
             secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
         }),
     );
-- 
2.39.5