From 96f6c110ed682aaa323e6094e9bfd19fde3b82db Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Mon, 16 Mar 2020 16:26:48 +0100
Subject: [PATCH] Bug 24878: Add authentication checks to the calendar tool There is a security hole in 2 scripts that are used by the UI to edit holidays. To test: 1) Go to Tools -> Calendar, for Centerville Check no holiday for 30/4/2020 2) To add a new holiday without login execute a curl command with necessary parameters 3) Reload page from 1), verify the new holiday edit and delete the holiday 4) Apply the patch 5) Do 2) again, this time you get a lengthy output, with the magic words: Koha › Log in to Koha Signed-off-by: Bernardo Gonzalez Kriegel Only tested newHoliday but the fix is the same. No errors Signed-off-by: Nick Clemens Signed-off-by: Joy Nelson (cherry picked from commit 656e7814b34d07534fa3a044f9cc7a8f4f4feea6) Signed-off-by: Lucas Gass
---
 tools/exceptionHolidays.pl | 3 +++
 tools/newHolidays.pl | 2 ++
 2 files changed, 5 insertions(+)
diff --git a/tools/exceptionHolidays.pl b/tools/exceptionHolidays.pl
index 90b17bc6cf..1f3b9672fb 100755
--- a/tools/exceptionHolidays.pl
+++ b/tools/exceptionHolidays.pl
@@ -14,6 +14,9 @@ use Koha::DateUtils;
 my $input = new CGI;
 my $dbh = C4::Context->dbh();
+checkauth($input, 0, {tools=> 'edit_calendar'}, 'intranet');
+
+
 my $branchcode = $input->param('showBranchName');
 my $weekday = $input->param('showWeekday');
 my $day = $input->param('showDay');
diff --git a/tools/newHolidays.pl b/tools/newHolidays.pl
index a161eaf1c8..f13e52447b 100755
--- a/tools/newHolidays.pl
+++ b/tools/newHolidays.pl
@@ -33,6 +33,8 @@ use Koha::DateUtils;
 my $input = new CGI;
 my $dbh = C4::Context->dbh();
+checkauth($input, 0, {tools=> 'edit_calendar'}, 'intranet');
+
 our $branchcode = $input->param('newBranchName');
 my $originalbranchcode = $branchcode;
 our $weekday = $input->param('newWeekday');
--
2.39.5
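Review bot: The added `checkauth($input, 0, {tools=> 'edit_calendar'}, 'intranet');` establishes who is calling but not that the request was intended, and nothing visible in this hunk (or in the matching hunk for tools/newHolidays.pl) checks a CSRF token before `showBranchName`, `showWeekday` and `showDay` are read and acted on. The session check alone is satisfied by any request that carries the staff session cookie, so a state-changing handler like this one normally needs a per-session token as well. The rest of the script lies outside the hunk, so such a check may already exist further down; if it does not, the calendar form should send a token and both scripts should verify it (Koha::Token's `check_csrf`) before any holiday is written, ideally accepting the change only on POST. A regression test that requests each script without a session and asserts that no holiday row changes would keep this fix from silently regressing.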
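Review bot: The return value of `checkauth(...)` in tools/newHolidays.pl is discarded and no comment says why that is safe; the call appears to protect the script only because checkauth itself emits the login page and stops on failure, which is what step 5 of the test plan observes. I would add a comment above it, for example `# Sole access check for this handler: requires a staff session with tools/edit_calendar; checkauth() answers with the login page otherwise.`, so a later refactor does not drop or reorder it. Placing the call directly after `my $input = new CGI;`, ahead of `C4::Context->dbh()`, would also make it plain that every later statement runs behind the check. The same comment and placement apply to the tools/exceptionHolidays.pl hunk; both scripts continue beyond the lines shown here, and neither hunk shows the `use C4::Auth` line that must bring checkauth into scope.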