From dc4617ba3b57913123689b7bb9cf1342fcc7c84c Mon Sep 17 00:00:00 2001 From: Marcel de Rooy Date: Thu, 11 Aug 2016 14:17:14 +0200 Subject: [PATCH] Bug 17109: Add CSRF token to [opac-]sendbasket MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit If you have no (valid) token, you will not be able to send the message. Test plan: [1] Verify if you can still send the cart from opac and intranet. [2] While still being logged in, try to send the cart from opac by using the following URL: /cgi-bin/koha/opac-sendbasket.pl?email_add=you@somedomain.com&comment=csrf_test&bib_list=doesnotmatter&csrf_token=justsomeguess12345 This should now result in a csrf error. Signed-off-by: Marc Véron Signed-off-by: Jonathan Druart Signed-off-by: Kyle M Hall --- basket/sendbasket.pl | 25 ++++++++++++++++--- .../prog/en/modules/basket/sendbasketform.tt | 13 +++++++--- .../en/modules/opac-sendbasketform.tt | 5 ++++ opac/opac-sendbasket.pl | 25 ++++++++++++++++--- 4 files changed, 58 insertions(+), 10 deletions(-) diff --git a/basket/sendbasket.pl b/basket/sendbasket.pl index 16155d785b..802ca33679 100755 --- a/basket/sendbasket.pl +++ b/basket/sendbasket.pl @@ -20,16 +20,18 @@ use Modern::Perl; use CGI qw ( -utf8 ); use Encode qw(encode); use Carp; - +use Digest::MD5 qw(md5_base64); use Mail::Sendmail; use MIME::QuotedPrint; use MIME::Base64; + use C4::Biblio; use C4::Items; use C4::Auth; use C4::Output; use C4::Templates (); use Koha::Email; +use Koha::Token; my $query = new CGI; 
@@ -43,12 +45,24 @@ my ( $template, $borrowernumber, $cookie ) = get_template_and_user ( } ); -my $bib_list = $query->param('bib_list'); +my $bib_list = $query->param('bib_list') || ''; my $email_add = $query->param('email_add'); my $dbh = C4::Context->dbh; +my $csrf_err; if ( $email_add ) { + $csrf_err = 1 unless Koha::Token->new->check_csrf({ + id => C4::Context->userenv->{id}, + secret => md5_base64( C4::Context->config('pass') ), + token => scalar $query->param('csrf_token'), + }); +} + +if( $csrf_err ) { + $template->param( csrf_error => 1, email_add => 1 ); + output_html_with_http_headers $query, $cookie, $template->output; +} elsif ( $email_add ) { my $email = Koha::Email->new(); my %mail = $email->create_message_headers({ to => $email_add }); my $comment = $query->param('comment'); @@ -165,11 +179,16 @@ END_OF_BODY output_html_with_http_headers $query, $cookie, $template->output; } else { - $template->param( bib_list => $bib_list ); $template->param( + bib_list => $bib_list, url => "/cgi-bin/koha/basket/sendbasket.pl", suggestion => C4::Context->preference("suggestion"), virtualshelves => C4::Context->preference("virtualshelves"), + csrf_token => Koha::Token->new->generate_csrf( + { id => C4::Context->userenv->{id}, + secret => md5_base64( C4::Context->config('pass') ), + } + ), ); output_html_with_http_headers $query, $cookie, $template->output; } diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/basket/sendbasketform.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/basket/sendbasketform.tt index ef116fce07..07d004d341 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/basket/sendbasketform.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/basket/sendbasketform.tt @@ -10,6 +10,10 @@
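Review bot: Nothing in the new check looks at the request method, so a GET carrying `email_add` and a valid `csrf_token` in the URL (the shape the test plan itself exercises) sends the cart exactly as a form post would, and tokens carried in URLs end up in browser history, proxy logs and Referer headers. Provided the form in sendbasketform.tt submits via POST (the template hunk on this page does not show its method), the send path can be limited to it with one extra line before the existing `unless`: `$csrf_err = 1 if $email_add && $query->request_method ne 'POST';`. Separately, `$template->param( csrf_error => 1, email_add => 1 )` reuses `email_add` as a flag although the template also interpolates it in "The cart was sent to: [% email_add |html %]"; a dedicated flag, or a check that the template cannot reach that line while `csrf_error` is set, would avoid a misleading success line on the error path. `C4::Context->userenv->{id}` dereferences the return value directly, so an undefined userenv would die here rather than fail the check — presumably get_template_and_user guarantees a logged-in user for this script, worth confirming. The same two hunks appear in opac/opac-sendbasket.pl and these notes apply there unchanged.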
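Review bot: The `id`/`secret` pair handed to `generate_csrf` here is spelled out again, byte for byte, in the `check_csrf` call earlier in this file and twice more in opac/opac-sendbasket.pl; if one copy drifts (a different digest of the config value, a different identity field) tokens stop verifying with no error other than "No valid CSRF token!". A small file-local helper keeps issue and verification on a single definition and gives the derivation a place to be documented; the rewritten call is shown below. The enclosing `if / elsif / else` begins in the previous hunk.
```perl
# CSRF identity/secret shared by generate_csrf and check_csrf; kept in one
# place so the two calls cannot drift apart.
sub _csrf_args {
    return (
        id     => C4::Context->userenv->{id},
        secret => md5_base64( C4::Context->config('pass') ),
    );
}

# … unchanged: template params bib_list, url, suggestion, virtualshelves …
        csrf_token => Koha::Token->new->generate_csrf( { _csrf_args() } ),
```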

The cart was sent to: [% email_add |html %]

Close window

[% END %] + [% IF csrf_error %] +

No valid CSRF token!

+

Close window

+ [% END %] [% IF ( error ) %]

Problem sending the cart...

[% END %] @@ -28,10 +32,11 @@ -
  • - -
  • -
    Cancel
    + + +
    Cancel
    + + [% END %] diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-sendbasketform.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-sendbasketform.tt index 25b248be13..e1f8f60df6 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-sendbasketform.tt +++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-sendbasketform.tt @@ -19,6 +19,10 @@

    Close window

    [% END %] + [% IF csrf_error %] +

    No valid CSRF token!

    +

    Close window

    + [% END %] [% IF ( error ) %]

    There was an error sending the cart.

    @@ -34,6 +38,7 @@ +
    diff --git a/opac/opac-sendbasket.pl b/opac/opac-sendbasket.pl index baa88b5edf..b1f6f3e2fc 100755 --- a/opac/opac-sendbasket.pl +++ b/opac/opac-sendbasket.pl @@ -22,10 +22,11 @@ use Modern::Perl; use CGI qw ( -utf8 ); use Encode qw(encode); use Carp; - +use Digest::MD5 qw(md5_base64); use Mail::Sendmail; use MIME::QuotedPrint; use MIME::Base64; + use C4::Biblio; use C4::Items; use C4::Auth; @@ -33,6 +34,7 @@ use C4::Output; use C4::Members; use C4::Templates (); use Koha::Email; +use Koha::Token; my $query = new CGI; @@ -45,12 +47,24 @@ my ( $template, $borrowernumber, $cookie ) = get_template_and_user ( } ); -my $bib_list = $query->param('bib_list'); +my $bib_list = $query->param('bib_list') || ''; my $email_add = $query->param('email_add'); my $dbh = C4::Context->dbh; +my $csrf_err; if ( $email_add ) { + $csrf_err = 1 unless Koha::Token->new->check_csrf({ + id => C4::Context->userenv->{id}, + secret => md5_base64( C4::Context->config('pass') ), + token => scalar $query->param('csrf_token'), + }); +} + +if( $csrf_err ) { + $template->param( csrf_error => 1, email_add => 1 ); + output_html_with_http_headers $query, $cookie, $template->output; +} elsif ( $email_add ) { my $email = Koha::Email->new(); my $user = GetMember(borrowernumber => $borrowernumber); my $user_email = GetFirstValidEmailAddress($borrowernumber) @@ -185,11 +199,16 @@ END_OF_BODY output_html_with_http_headers $query, $cookie, $template->output; } else { - $template->param( bib_list => $bib_list ); $template->param( + bib_list => $bib_list, url => "/cgi-bin/koha/opac-sendbasket.pl", suggestion => C4::Context->preference("suggestion"), virtualshelves => C4::Context->preference("virtualshelves"), + csrf_token => Koha::Token->new->generate_csrf( + { id => C4::Context->userenv->{id}, + secret => md5_base64( C4::Context->config('pass') ), + } + ), ); output_html_with_http_headers $query, $cookie, $template->output; } -- 2.39.5