]> git.koha-community.org Git - koha.git/commit
Bug 17146: Fix CSRF in picture-upload.pl
authorJonathan Druart <jonathan.druart@bugs.koha-community.org>
Thu, 18 Aug 2016 14:52:38 +0000 (15:52 +0100)
committerKyle M Hall <kyle@bywatersolutions.com>
Thu, 15 Sep 2016 13:33:58 +0000 (13:33 +0000)
commit11bf7e7bef856d5d90126c19f897d060cb4c9d9d
treefb114fc45e966be6a275a2f200f8801fcafa2422
parentda03dbd458c59da0b9213efacd3425e89b453332
Bug 17146: Fix CSRF in picture-upload.pl

If an attacker can get an authenticated Koha user to visit their page
with the
url below, they can change or delete patrons' images
/tools/picture-upload.pl?op=Delete&borrowernumber=42

Test plan:
1/ Hit /tools/picture-upload.pl?op=Delete&borrowernumber=42
And confirm that you get a "Wrong CSRF token" error
2/ Go on the patron detail page with a patron's image
3/ Click on the Delete link (note the csrf_token param)
4/ The image will be deleted and you are redirected to the patron detail
page.

Regression tests:
Upload an image from the patron detail page and from the "upload patron
images" tool.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt
koha-tmpl/intranet-tmpl/prog/en/modules/tools/picture-upload.tt
members/moremember.pl
tools/picture-upload.pl