From 6f5e2f8a865ebe07d4745171dda86c2cbb0e6fe1 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Fri, 12 Aug 2016 11:36:06 +0100 Subject: [PATCH] Bug 17116: Fix CSRF in import_borrowers.pl If an attacker can get an authenticated Koha user to visit their page with the url below, they can change patrons' information The exploit can be simulated triggering /tools/import_borrowers.pl?uploadborrowers=42 In that case it won't do anything wrong, but if you POST a valid file, it could. Test plan: Trigger the url above => Without this patch, you will see the result page => With this patch, you will get the "Wrong CSRF token" error. Regression test: Import a valid file from the import patron form, everything should go fine. Signed-off-by: Chris Cormack Signed-off-by: Marcel de Rooy Signed-off-by: Kyle M Hall --- .../prog/en/modules/tools/import_borrowers.tt | 5 ++++- tools/import_borrowers.pl | 18 ++++++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/import_borrowers.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/import_borrowers.tt index d9f25db0c1..4e708c53c4 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/import_borrowers.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/import_borrowers.tt @@ -191,7 +191,10 @@ [% END %] -
+
+ + +
[% END %]
diff --git a/tools/import_borrowers.pl b/tools/import_borrowers.pl
index e1754e6efe..d350a7f297 100755
--- a/tools/import_borrowers.pl
+++ b/tools/import_borrowers.pl
@@ -50,6 +50,7 @@ use C4::Templates;
 use Koha::Patron::Debarments;
 use Koha::Patrons;
 use Koha::DateUtils;
+use Koha::Token;
 use Text::CSV;
 # Text::CSV::Unicode, even in binary mode, fails to parse lines with these diacriticals:
@@ -58,6 +59,7 @@ use Text::CSV;
 use CGI qw ( -utf8 );
 # use encoding 'utf8'; # don't do this
+use Digest::MD5 qw(md5_base64);
 my (@errors, @feedback);
 my $extended = C4::Context->preference('ExtendedPatronAttributes');
@@ -110,6 +112,13 @@ my $overwrite_cardnumber = $input->param('overwrite_cardnumber');
 $template->param( SCRIPT_NAME => '/cgi-bin/koha/tools/import_borrowers.pl' );
 if ( $uploadborrowers && length($uploadborrowers) > 0 ) {
+ die "Wrong CSRF token"
+ unless Koha::Token->new->check_csrf({
+ id => C4::Context->userenv->{id},
+ secret => md5_base64( C4::Context->config('pass') ),
+ token => scalar $input->param('csrf_token'),
+ });
+
 push @feedback, {feedback=>1, name=>'filename', value=>$uploadborrowers, filename=>$uploadborrowers};
 my $handle = $input->upload('uploadborrowers');
 my $uploadinfo = $input->uploadInfo($uploadborrowers);
@@ -381,6 +390,15 @@ if ( $uploadborrowers && length($uploadborrowers) > 0 ) {
 }
 $template->param(matchpoints => \@matchpoints);
 }
+
+ $template->param(
+ csrf_token => Koha::Token->new->generate_csrf(
+ { id => C4::Context->userenv->{id},
+ secret => md5_base64( C4::Context->config('pass') ),
+ }
+ ),
+ );
+
 }
 output_html_with_http_headers $input, $cookie, $template->output;
-- 2.39.5
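Review bot: The secret `md5_base64( C4::Context->config('pass') )` is spelled out inline in the check_csrf call of the `@@ -110,6 +112,13 @@` hunk and again in the generate_csrf call of the `@@ -381,6 +390,15 @@` hunk; the check only works while both expressions stay identical, so derive it once near the top of the script, `my $csrf_secret = md5_base64( C4::Context->config('pass') );`, and pass `secret => $csrf_secret` in both places. The check also dereferences `C4::Context->userenv->{id}` unguarded; presumably the authentication call earlier in the script (outside this hunk) guarantees userenv is populated, otherwise the request would abort with an undefined-hash-reference error instead of the intended "Wrong CSRF token" message. A one-line comment above the `die`, `# Abort before the upload is read: the token proves the POST came from our own form`, would explain why the rejection is a hard stop rather than a template error. The enclosing `if` block continues past the end of the hunk.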
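Review bot: In the `@@ -381,6 +390,15 @@` hunk the token is generated only inside one branch of the `if ( $uploadborrowers && ... )` block named in the hunk header (the block opens outside the hunk; presumably this is the non-upload branch that renders the form), so the page produced after an upload attempt receives no `csrf_token`; if the template still offers the upload form on that result page (not visible here), its hidden field is empty and the next submission is rejected. Moving the `$template->param( csrf_token => ... )` call out of the block to just before `output_html_with_http_headers` makes every render carry a token at no extra cost. A short comment on the call, `# Embedded as a hidden field in the upload form and verified against the same id/secret before any import runs`, would tie the two halves of the change together for the next reader.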