git.koha-community.org Git - koha.git/commit

author	Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
	Tue, 7 Feb 2017 08:09:33 +0000 (09:09 +0100)
committer	Mason James <mtj@kohaaloha.com>
	Sun, 23 Apr 2017 23:09:48 +0000 (11:09 +1200)
commit	81fa253a8f15035a87076bad77dd0b5dde562ecd
tree	c7c2d5fb3a322cd4b5a7ba59928c296024aab582	tree \| snapshot
parent	41882c4f2eb4bff954b5a74537b0cad4d0187352	commit \| diff

Bug 18019: Add CSRF protection to authorities-home.pl (op==delete)

Without this patch, it is possible to delete authority records with URL
manipulation.
Like: /cgi-bin/koha/authorities/authorities-home.pl?op=delete&authid=[XXX]

Test plan:
[1] Go to Authorities. Search for some authorities (without links).
[2] Delete an authority. Should work.
[3] Apply patch.
[4] Construct an URL like above to delete another authority. Should fail.
Under Plack this results in an internal server error, the log tells
you: Wrong CSRF token.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Amended the test plan.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 5a7dc0749f581e4c4bc6ec68d3f3ab6bac12afd5)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

authorities/authorities-home.pl		diff \| blob \| history
koha-tmpl/intranet-tmpl/prog/en/modules/authorities/searchresultlist.tt		diff \| blob \| history