From d2b2c61ff99c660be510339b8d83e719b9e054e4 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Mon, 16 Mar 2020 16:26:48 +0100 Subject: [PATCH] Bug 24878: Add authentication checks to the calendar tool There is a security hole in 2 scripts that are used by the UI to edit holidays. To test: 1) Go to Tools -> Calendar, for Centerville Check no holiday for 30/4/2020 2) To add a new holiday without login execute a curl command with necessary parameters 3) Reload page from 1), verify the new holiday edit and delete the holiday 4) Apply the patch 5) Do 2) again, this time you get a lengthy output, with the magic words: Koha › Log in to Koha Signed-off-by: Bernardo Gonzalez Kriegel Signed-off-by: Nick Clemens Signed-off-by: Martin Renvoize --- tools/exceptionHolidays.pl | 3 +++ tools/newHolidays.pl | 2 ++ 2 files changed, 5 insertions(+) diff --git a/tools/exceptionHolidays.pl b/tools/exceptionHolidays.pl index 90b17bc6cf..1f3b9672fb 100755 --- a/tools/exceptionHolidays.pl +++ b/tools/exceptionHolidays.pl @@ -14,6 +14,9 @@ use Koha::DateUtils; my $input = new CGI; my $dbh = C4::Context->dbh(); +checkauth($input, 0, {tools=> 'edit_calendar'}, 'intranet'); + + my $branchcode = $input->param('showBranchName'); my $weekday = $input->param('showWeekday'); my $day = $input->param('showDay'); diff --git a/tools/newHolidays.pl b/tools/newHolidays.pl index a161eaf1c8..f13e52447b 100755 --- a/tools/newHolidays.pl +++ b/tools/newHolidays.pl @@ -33,6 +33,8 @@ use Koha::DateUtils; my $input = new CGI; my $dbh = C4::Context->dbh(); +checkauth($input, 0, {tools=> 'edit_calendar'}, 'intranet'); + our $branchcode = $input->param('newBranchName'); my $originalbranchcode = $branchcode; our $weekday = $input->param('newWeekday'); -- 2.39.5