From bcdc6f3956edcd876283ebfa9bcfff886e5c323d Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Wed, 4 Oct 2017 17:49:51 -0300
Subject: [PATCH] Bug 19117: Add CSRF protection to paycollect.pl

Security bug, trivial changes, no need to provide procedure for script kiddies.

Test plan:
Pay fines using the different options from the "Pay fines" tab.

Signed-off-by: Katrin Fischer
Signed-off-by: Marcel de Rooy
Signed-off-by: Mason James
---
 .../prog/en/modules/members/paycollect.tt | 7 +++++--
 members/paycollect.pl | 13 +++++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/paycollect.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/paycollect.tt
index bcf56ae6cd..c3c2ab9ed4 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/paycollect.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/paycollect.tt
@@ -99,7 +99,8 @@ function moneyFormat(textObj) {
 [% END %]
 [% IF ( pay_individual ) %]
-
+
+
@@ -155,6 +156,7 @@ function moneyFormat(textObj) {
[% ELSIF ( writeoff_individual ) %]
+
 Write off an individual fine
@@ -195,7 +197,8 @@ function moneyFormat(textObj) {
 [% ELSE %]
-
+
+
diff --git a/members/paycollect.pl b/members/paycollect.pl
index 449fde4720..26c9f46044 100755
--- a/members/paycollect.pl
+++ b/members/paycollect.pl
@@ -30,6 +30,11 @@ use C4::Accounts;
 use C4::Koha;
 use C4::Branch;
 use Koha::Patron::Images;
+use Koha::Patrons;
+use Koha::Account;
+use Koha::Token;
+
+use Koha::Patron::Categories;
 my $input = CGI->new();
@@ -108,6 +113,12 @@ if ( $total_paid and $total_paid ne '0.00' ) {
 total_due => $total_due
 );
 } else {
+ die "Wrong CSRF token"
+ unless Koha::Token->new->check_csrf( {
+ session_id => $input->cookie('CGISESSID'),
+ token => scalar $input->param('csrf_token'),
+ });
+
 if ($individual) {
 if ( $total_paid == $total_due ) {
 makepayment( $accountlines_id, $borrowernumber, $accountno, $total_paid, $user,
@@ -153,6 +164,8 @@ $template->param(
 total => $total_due,
 RoutingSerials => C4::Context->preference('RoutingSerials'),
 ExtendedPatronAttributes => C4::Context->preference('ExtendedPatronAttributes'),
+
+ csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $input->cookie('CGISESSID') }),
 );
 output_html_with_http_headers $input, $cookie, $template->output;
-- 
2.39.5
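Review bot: Three of the five added `use` lines are not referenced by any added line in this patch: only `Koha::Token` is used, while `Koha::Patrons`, `Koha::Account` and `Koha::Patron::Categories` appear nowhere in the visible hunks, and the diffstat's 13 insertions for paycollect.pl are all shown here. Unless pre-existing code in the script relied on these modules being loaded transitively (not visible from the hunk), the change should add only `use Koha::Token;` after `use Koha::Patron::Images;`, without the stray blank line between the new imports. Keeping the import change minimal makes a security fix easier to audit and to backport.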
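Review bot: In the added `check_csrf` call the session id is read as `$input->cookie('CGISESSID')` inside a hash constructor, i.e. in list context, whereas the same patch forces scalar context on `$input->param('csrf_token')` and, in the later `generate_csrf` hunk, on the cookie itself. CGI.pm's `cookie` returns an empty list in list context when the cookie is absent, so the hash would collapse to `{ session_id => 'token', $token => undef }` and the check would run against a bogus session id instead of failing on an explicitly missing session. Use `session_id => scalar $input->cookie('CGISESSID'),` so the argument hash has a fixed shape regardless of cookie presence. A failed check ends in a bare `die`, which in this CGI script presumably surfaces as a generic server error rather than a user-facing message; that is consistent with other Koha CSRF patches but deserves a why-comment such as `# Reject cross-site form posts before any payment or writeoff is recorded`. The enclosing `if ( $total_paid and $total_paid ne '0.00' )` block begins outside the hunk.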
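Review bot: The new `csrf_token` argument is separated from the preceding `ExtendedPatronAttributes` line by a stray blank `+` line inside the `$template->param(` argument list, which reads as an accidental leftover rather than a deliberate grouping. Drop the blank line and keep `csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $input->cookie('CGISESSID') }),` directly after `ExtendedPatronAttributes`, with a short comment such as `# Per-session token echoed back as a hidden field by the pay/writeoff forms and verified before any payment is processed` so the next reader can connect it to the template change. The `$template->param(` statement begins outside the hunk.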