]> git.koha-community.org Git - koha.git/commit
projects / koha.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 0646478) | patch
Bug 17116: Fix CSRF in import_borrowers.pl
authorJonathan Druart <jonathan.druart@bugs.koha-community.org>
Fri, 12 Aug 2016 10:36:06 +0000 (11:36 +0100)
committerKyle M Hall <kyle@bywatersolutions.com>
Fri, 2 Sep 2016 13:47:02 +0000 (13:47 +0000)
commit6f5e2f8a865ebe07d4745171dda86c2cbb0e6fe1
treecf0bd1445cbf3a5057e6495e64b60ea4a74cf9f2tree | snapshot
parent0646478be01a63fa0b6dc666f23a915ceefd5619commit | diff
Bug 17116: Fix CSRF in import_borrowers.pl

If an attacker can get an authenticated Koha user to visit their page
with the url below, they can change patrons' information

The exploit can be simulated triggering
  /tools/import_borrowers.pl?uploadborrowers=42

In that case it won't do anything wrong, but it you POST a valid file,
it could.

Test plan:
Trigger the url above
=> Without this patch, you will the result page
=> With this patch, you will get the "Wrong CSRF token" error.

Regression test:
Import a valid file from the import patron form, everything should go
fine.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
koha-tmpl/intranet-tmpl/prog/en/modules/tools/import_borrowers.tt diff | blob | history
tools/import_borrowers.pl diff | blob | history
Main Koha release repository