From 5a627a355e63d932f3d16114529e4f548915d3eb Mon Sep 17 00:00:00 2001
From: Marcel de Rooy
Date: Thu, 11 Aug 2016 14:17:14 +0200
Subject: [PATCH] Bug 17109: Add CSRF token to [opac-]sendbasket
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

If you have no (valid) token, you will not be able to send the message.
Test plan:
[1] Verify if you can still send the cart from opac and intranet.
[2] While still being logged in, try to send the cart from opac by using the following URL: /cgi-bin/koha/opac-sendbasket.pl?email_add=you@somedomain.com&comment=csrf_test&bib_list=doesnotmatter&csrf_token=justsomeguess12345
This should now result in a csrf error.
Signed-off-by: Marc Véron
Signed-off-by: Jonathan Druart
Signed-off-by: Mason James
---
 basket/sendbasket.pl | 8 ++++++--
 .../prog/en/modules/basket/sendbasketform.tt | 13 +++++++++----
 .../bootstrap/en/modules/opac-sendbasketform.tt | 5 +++++
 opac/opac-sendbasket.pl | 8 ++++++--
 4 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/basket/sendbasket.pl b/basket/sendbasket.pl
index 2dffe78cf9..bd0a402d54 100755
--- a/basket/sendbasket.pl
+++ b/basket/sendbasket.pl
@@ -20,15 +20,18 @@ use Modern::Perl;
 use CGI qw ( -utf8 );
 use Encode qw(encode);
 use Carp;
+use Digest::MD5 qw(md5_base64);
 use Mail::Sendmail;
 use MIME::QuotedPrint;
 use MIME::Base64;
+
 use C4::Biblio;
 use C4::Items;
 use C4::Auth;
 use C4::Output;
 use C4::Templates ();
 use Koha::Email;
+use Koha::Token;
 my $query = new CGI;
@@ -42,11 +45,12 @@ my ( $template, $borrowernumber, $cookie ) = get_template_and_user (
     }
 );
-my $bib_list = $query->param('bib_list');
+my $bib_list = $query->param('bib_list') || '';
 my $email_add = $query->param('email_add');
 my $dbh = C4::Context->dbh;
+my $csrf_err;
 if ( $email_add ) {
     die "Wrong CSRF token" unless Koha::Token->new->check_csrf({
         session_id => scalar $query->cookie('CGISESSID'),
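Review bot: `use Digest::MD5 qw(md5_base64);` is added to the import block of basket/sendbasket.pl, but no line visible in this patch calls md5_base64; the CSRF check visible in the next hunk goes through `Koha::Token->new->check_csrf`, and `Koha::Token` is imported a few lines further down. If nothing in the rest of the file (outside the hunk) uses md5_base64, drop the import so the script does not carry a dead dependency. The same applies to the matching hunk `@@ -22,9 +22,11 @@` in opac/opac-sendbasket.pl.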
@@ -168,8 +172,8 @@ END_OF_BODY
     output_html_with_http_headers $query, $cookie, $template->output;
 }
 else {
-    $template->param( bib_list => $bib_list );
     $template->param(
+        bib_list => $bib_list,
         url => "/cgi-bin/koha/basket/sendbasket.pl",
         suggestion => C4::Context->preference("suggestion"),
         virtualshelves => C4::Context->preference("virtualshelves"),
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/basket/sendbasketform.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/basket/sendbasketform.tt
index ef116fce07..07d004d341 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/basket/sendbasketform.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/basket/sendbasketform.tt
@@ -10,6 +10,10 @@
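Review bot: This `$template->param(` call gains only `bib_list => $bib_list,`, while the template hunks in this same patch add a `[% IF csrf_error %] No valid CSRF token! [% END %]` branch and the opac form hunk adds a line that presumably carries the token; no visible line passes `csrf_error` or `csrf_token` to the template. Unless the remainder of this call (it continues past the hunk, inside the else block) supplies them, the new error branch is dead and the rendered form has no token to submit, so `check_csrf` in the earlier hunk would reject every submission. Relatedly, `my $csrf_err;` declared in the preceding hunk is never assigned in any visible line, and the check there is a bare `die "Wrong CSRF token"`, which aborts the request instead of reaching this template; if the intent is the templated message, set `$csrf_err = 1` on failure and add `csrf_error => $csrf_err,` here. The same observation applies to hunk `@@ -188,8 +192,8 @@` in opac/opac-sendbasket.pl.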

The cart was sent to: [% email_add |html %]

Close window

[% END %] + [% IF csrf_error %] +

No valid CSRF token!

+

Close window

+ [% END %] [% IF ( error ) %]

Problem sending the cart...

[% END %]
@@ -28,10 +32,11 @@
-
  • - -
  • -
    Cancel
    + + +
    Cancel
+ + [% END %]
diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-sendbasketform.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-sendbasketform.tt
index 25b248be13..e1f8f60df6 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-sendbasketform.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-sendbasketform.tt
@@ -19,6 +19,10 @@

    Close window

    [% END %] + [% IF csrf_error %] +

    No valid CSRF token!

    +

    Close window

    + [% END %] [% IF ( error ) %]

    There was an error sending the cart.

    @@ -34,6 +38,7 @@ +
diff --git a/opac/opac-sendbasket.pl b/opac/opac-sendbasket.pl
index 4d4bd4f7ca..433f38fda6 100755
--- a/opac/opac-sendbasket.pl
+++ b/opac/opac-sendbasket.pl
@@ -22,9 +22,11 @@ use Modern::Perl;
 use CGI qw ( -utf8 );
 use Encode qw(encode);
 use Carp;
+use Digest::MD5 qw(md5_base64);
 use Mail::Sendmail;
 use MIME::QuotedPrint;
 use MIME::Base64;
+
 use C4::Biblio;
 use C4::Items;
 use C4::Auth;
@@ -32,6 +34,7 @@ use C4::Output;
 use C4::Members;
 use C4::Templates ();
 use Koha::Email;
+use Koha::Token;
 my $query = new CGI;
@@ -44,11 +47,12 @@ my ( $template, $borrowernumber, $cookie ) = get_template_and_user (
     }
 );
-my $bib_list = $query->param('bib_list');
+my $bib_list = $query->param('bib_list') || '';
 my $email_add = $query->param('email_add');
 my $dbh = C4::Context->dbh;
+my $csrf_err;
 if ( $email_add ) {
     die "Wrong CSRF token" unless Koha::Token->new->check_csrf({
         session_id => scalar $query->cookie('CGISESSID'),
@@ -188,8 +192,8 @@ END_OF_BODY
     output_html_with_http_headers $query, $cookie, $template->output;
 }
 else {
-    $template->param( bib_list => $bib_list );
     $template->param(
+        bib_list => $bib_list,
         url => "/cgi-bin/koha/opac-sendbasket.pl",
         suggestion => C4::Context->preference("suggestion"),
         virtualshelves => C4::Context->preference("virtualshelves"),
-- 
2.39.5