From cce493764a9ec4cfba2557731cbb452c1b3e07a2 Mon Sep 17 00:00:00 2001 From: Nick Clemens Date: Thu, 3 May 2018 11:52:24 +0000 Subject: [PATCH] Bug 20701: Add csrf protection to maninvoice.pl TO test: 1 - Be signed in to Koha 2 - Add a manual invoice to an account, works fine 3 - Now do it via url: http://localhost:8081/cgi-bin/koha/members/maninvoice.pl?borrowernumber=5&type=test&amount=5&add=Save 4 - Apply patches 5 - Test that everything continues to work as expected (but more securely) 6 - Try adding a new invoice via URL 7 - Should get 'internal server error' and wrong csrf token in logs Works OK. Signed-off-by: Amit Gupta Signed-off-by: Marcel de Rooy Signed-off-by: Nick Clemens (cherry picked from commit 730d1fd57d982735522b3c7c1bc4d421255c2107) Signed-off-by: Fridolin Somers --- .../intranet-tmpl/prog/en/modules/members/maninvoice.tt | 1 + members/maninvoice.pl | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/maninvoice.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/maninvoice.tt index 8fc1f68a59..77778ee1e4 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/maninvoice.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/maninvoice.tt @@ -48,6 +48,7 @@ $(document).ready(function(){ [% END %] [% ELSE %]
+
Manual invoice
    diff --git a/members/maninvoice.pl b/members/maninvoice.pl index 3f49598e0e..7f79e55f79 100755 --- a/members/maninvoice.pl +++ b/members/maninvoice.pl @@ -33,6 +33,7 @@ use C4::Accounts; use C4::Items; use C4::Members::Attributes qw(GetBorrowerAttributes); use Koha::Patron::Images; +use Koha::Token; use Koha::Patron::Categories; @@ -46,6 +47,11 @@ my $borrowernumber=$input->param('borrowernumber'); my $data=GetMember('borrowernumber'=>$borrowernumber); my $add=$input->param('add'); if ($add){ + die "Wrong CSRF token" + unless Koha::Token->new->check_csrf( { + session_id => $input->cookie('CGISESSID'), + token => scalar $input->param('csrf_token'), + }); if ( checkauth( $input, 0, $flagsrequired, 'intranet' ) ) { # print $input->header; my $barcode=$input->param('barcode'); @@ -71,6 +77,7 @@ if ($add){ if ( $error =~ /FOREIGN KEY/ && $error =~ /itemnumber/ ) { $template->param( 'ITEMNUMBER' => 1 ); } + $template->param( csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $input->cookie('CGISESSID') }) ); $template->param( 'ERROR' => $error ); output_html_with_http_headers $input, $cookie, $template->output; } else { @@ -120,6 +127,7 @@ if ($add){ $template->param(%$data); $template->param( + csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $input->cookie('CGISESSID') }), finesview => 1, borrowernumber => $borrowernumber, categoryname => $data->{'description'}, -- 2.39.5