From e0d8356d9d2ac0b6338fe3ca7454e2e90a6c4a41 Mon Sep 17 00:00:00 2001
From: David Cook
Date: Tue, 25 Jul 2023 05:18:00 +0000
Subject: [PATCH] Bug 34368: Add CSRF token to Content Management pages

This change adds a CSRF token to the Content Management pages at additional-contents.pl.

Test plan:
0. Apply patch
1. koha-plack --restart kohadev
2. Try to add "News", "HTML customizations", and "Pages".
3. Try to delete these new content entries
4. Note that you were successful in your endeavours

JD amended patch: remove empty line removal (no need to create unecessary conflicts)

Signed-off-by: Jonathan Druart
Signed-off-by: Marcel de Rooy
Signed-off-by: Tomas Cohen Arazi
(cherry picked from commit e97fae72141446b0a2fb06c454c601966e5f3494)
Signed-off-by: Fridolin Somers
---
 .../prog/en/modules/tools/additional-contents.tt | 2 ++
 tools/additional-contents.pl | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/additional-contents.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/additional-contents.tt
index 6fbe8edc95..979f3d70d8 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/additional-contents.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/additional-contents.tt
@@ -201,6 +201,7 @@
+ [% INCLUDE 'csrf-token.inc' %]
@@ -454,6 +455,7 @@
+ [% INCLUDE 'csrf-token.inc' %]
diff --git a/tools/additional-contents.pl b/tools/additional-contents.pl
index 46f358f9d7..e066bb8fee 100755
--- a/tools/additional-contents.pl
+++ b/tools/additional-contents.pl
@@ -28,7 +28,7 @@ use C4::Auth qw(get_template_and_user);
 use C4::Koha;
 use C4::Context;
 use C4::Log qw( logaction );
-use C4::Output qw(output_html_with_http_headers);
+use C4::Output qw(output_html_with_http_headers output_and_exit_if_error);
 use C4::Languages qw(getTranslatedLanguages);
 use Koha::DateUtils qw( dt_from_string output_pref );
@@ -84,6 +84,7 @@ if ( $op eq 'add_form' ) {
 );
 }
 elsif ( $op eq 'add_validate' ) {
+ output_and_exit_if_error($cgi, $cookie, $template, { check => 'csrf_token' });
 my $location = $cgi->param('location');
 my $code = $cgi->param('code');
 my $branchcode = $cgi->param('branchcode') || undef;
@@ -199,6 +200,7 @@ elsif ( $op eq 'add_validate' ) {
 }
 }
 elsif ( $op eq 'delete_confirmed' ) {
+ output_and_exit_if_error($cgi, $cookie, $template, { check => 'csrf_token' });
 my @ids = $cgi->multi_param('ids');
 my $deleted = eval {
-- 
2.39.5
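Review bot: The CSRF check in the add_validate hunk is attached to a single branch of the op dispatch, and the identical call is repeated in the delete_confirmed hunk, so every state-changing op added to this script later has to remember to make the call; one guard placed ahead of the if/elsif chain, e.g. `output_and_exit_if_error($cgi, $cookie, $template, { check => 'csrf_token' }) if $op eq 'add_validate' || $op eq 'delete_confirmed';`, keeps the list of protected ops in one place. The token check also says nothing about the HTTP method: if these two ops are meant to be reachable only from the posted forms in additional-contents.tt, an explicit `$cgi->request_method` check next to the token check would make that intent visible in the code — whether the script already enforces this elsewhere cannot be seen from the hunks. The enclosing if/elsif chain starts before both hunks and ends after them.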