From 3f2c1c879c0bdb920f00d968b6d25f3fd8635f95 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Wed, 4 Oct 2017 17:49:51 -0300
Subject: [PATCH] Bug 19117: Add CSRF protection to paycollect.pl
Security bug, trivial changes, no need to provide procedure for script kiddies.
Test plan:
Pay fines using the different options from the "Pay fines" tab.
Signed-off-by: Katrin Fischer
Signed-off-by: Marcel de Rooy
Signed-off-by: Jonathan Druart
---
 .../intranet-tmpl/prog/en/modules/members/paycollect.tt | 3 +++
 members/paycollect.pl | 9 +++++++++
 2 files changed, 12 insertions(+)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/paycollect.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/paycollect.tt
index a1458b58f1..12b2c4b6b6 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/paycollect.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/paycollect.tt
@@ -101,6 +101,7 @@ function moneyFormat(textObj) {
 [% IF ( pay_individual ) %]
+
@@ -155,6 +156,7 @@ function moneyFormat(textObj) {
[% ELSIF ( writeoff_individual ) %]
+
Write off an individual fine
@@ -195,6 +197,7 @@ function moneyFormat(textObj) {
 [% ELSE %]
+
diff --git a/members/paycollect.pl b/members/paycollect.pl
index f880f575c8..9ec3077777 100755
--- a/members/paycollect.pl
+++ b/members/paycollect.pl
@@ -31,6 +31,7 @@ use C4::Koha;
 use Koha::Patron::Images;
 use Koha::Patrons;
 use Koha::Account;
+use Koha::Token;
 use Koha::Patron::Categories;
@@ -116,6 +117,12 @@ if ( $total_paid and $total_paid ne '0.00' ) {
 total_due => $total_due
 );
 } else {
+ die "Wrong CSRF token"
+ unless Koha::Token->new->check_csrf( {
+ session_id => $input->cookie('CGISESSID'),
+ token => scalar $input->param('csrf_token'),
+ });
+
 if ($individual) {
 my $line = Koha::Account::Lines->find($accountlines_id);
 Koha::Account->new( { patron_id => $borrowernumber } )->pay(
@@ -183,6 +190,8 @@ $template->param(
 total => $total_due,
 RoutingSerials => C4::Context->preference('RoutingSerials'),
 ExtendedPatronAttributes => C4::Context->preference('ExtendedPatronAttributes'),
+
+ csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $input->cookie('CGISESSID') }),
 );
 output_html_with_http_headers $input, $cookie, $template->output;
-- 
2.39.5
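Review bot: In the check_csrf call, `session_id => $input->cookie('CGISESSID'),` is evaluated in list context inside the anonymous hash, while the next line applies `scalar` to `$input->param('csrf_token')` and the generate_csrf hunk further down applies `scalar` to the very same cookie call; a multi-valued cookie would shift the key/value pairs so that `token` no longer lands where check_csrf looks for it. For consistency with the other two call sites, write `session_id => scalar $input->cookie('CGISESSID'),`. The enclosing `if ( $total_paid ... )` block starts outside the hunk, so the token check only guards the else branch that reaches pay(); the branch above it appears to only set template parameters, which looks acceptable but is worth confirming against the full script.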