From 314fe71ff8c0714acaed84ad3453eb9622445861 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Fri, 4 Aug 2023 11:37:52 +0200
Subject: [PATCH] Bug 34478: Remove check_csrf from pl files
We should no longer need to check CSRF token from pl files
TODO - there is a change for some files where we returned 403
Signed-off-by: Jonathan Druart
---
 C4/Output.pm | 1 -
 authorities/authorities-home.pl | 7 -------
 basket/sendbasket.pl | 8 --------
 ill/ill-requests.pl | 5 -----
 members/apikeys.pl | 13 -------------
 members/cancel-charge.pl | 11 -----------
 members/mancredit.pl | 9 ---------
 members/maninvoice.pl | 9 ---------
 members/member-flags.pl | 8 --------
 members/member-password.pl | 7 -------
 members/memberentry.pl | 7 -------
 members/paycollect.pl | 7 -------
 members/two_factor_auth.pl | 3 ---
 opac/opac-memberentry.pl | 6 ------
 opac/opac-messaging.pl | 5 -----
 opac/opac-sendbasket.pl | 8 --------
 opac/opac-user.pl | 7 -------
 opac/sco/sco-patron-image.pl | 16 ----------------
 18 files changed, 137 deletions(-)
diff --git a/C4/Output.pm b/C4/Output.pm
index 94bc8e0f95..d8ea0bfb52 100644
--- a/C4/Output.pm
+++ b/C4/Output.pm
@@ -34,7 +34,6 @@ use URI::Escape;
 use C4::Auth qw( get_template_and_user );
 use C4::Context;
 use C4::Templates;
-use Koha::Token;
 our (@ISA, @EXPORT_OK);
diff --git a/authorities/authorities-home.pl b/authorities/authorities-home.pl
index de0be05000..2d73a6a280 100755
--- a/authorities/authorities-home.pl
+++ b/authorities/authorities-home.pl
@@ -33,7 +33,6 @@ use C4::Languages;
 use Koha::Authority::Types;
 use Koha::SearchEngine::Search;
 use Koha::SearchEngine::QueryBuilder;
-use Koha::Token;
 use Koha::XSLT::Base;
 use Koha::Z3950Servers;
@@ -58,12 +57,6 @@ if ( $op eq "delete" ) {
 } );
- output_and_exit( $query, $cookie, $template, 'wrong_csrf_token' )
- unless Koha::Token->new->check_csrf({
- session_id => scalar $query->cookie('CGISESSID'),
- token => scalar $query->param('csrf_token'),
- });
-
 DelAuthority({ authid => $authid }); # FIXME No error handling here, DelAuthority needs adjustments
 $pending_deletion_authid = $authid;
diff --git a/basket/sendbasket.pl b/basket/sendbasket.pl
index e15f8a2e1f..352e90c7ae 100755
--- a/basket/sendbasket.pl
+++ b/basket/sendbasket.pl
@@ -30,7 +30,6 @@ use C4::Output qw( output_and_exit output_html_with_http_headers );
 use C4::Templates;
 use Koha::Biblios;
 use Koha::Email;
-use Koha::Token;
 my $query = CGI->new;
@@ -49,13 +48,6 @@ my $email_add = $query->param('email_add');
 my $dbh = C4::Context->dbh;
 if ($email_add) {
- output_and_exit( $query, $cookie, $template, 'wrong_csrf_token' )
- unless Koha::Token->new->check_csrf(
- {
- session_id => scalar $query->cookie('CGISESSID'),
- token => scalar $query->param('csrf_token'),
- }
- );
 my $patron = Koha::Patrons->find($borrowernumber);
 my $user_email = $patron->notice_email_address;
diff --git a/ill/ill-requests.pl b/ill/ill-requests.pl
index d6cd2e2354..a8c59f7fb0 100755
--- a/ill/ill-requests.pl
+++ b/ill/ill-requests.pl
@@ -31,7 +31,6 @@ use Koha::Illbatches;
 use Koha::Illrequest::Workflow::Availability;
 use Koha::Illrequest::Workflow::TypeDisclaimer;
 use Koha::Libraries;
-use Koha::Token;
 use Koha::Plugins;
 use Try::Tiny qw( catch try );
@@ -408,10 +407,6 @@ if ( $backends_available ) {
 }
 } elsif ( $op eq "save_comment" ) {
- die "Wrong CSRF token" unless Koha::Token->new->check_csrf({
- session_id => scalar $cgi->cookie('CGISESSID'),
- token => scalar $cgi->param('csrf_token'),
- });
 my $comment = Koha::Illcomment->new({
 illrequest_id => scalar $params->{illrequest_id},
 borrowernumber => $patronnumber,
diff --git a/members/apikeys.pl b/members/apikeys.pl
index 883c194886..3aa4fa925c 100755
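Review bot: The `delete` branch unguarded here keeps its plain op name (`$op eq "delete"`) although nothing in this hunk replaces the removed token check, and the only op in the whole patch written in the `cud-` form is `cud-update_arc` in opac/opac-user.pl; if the central enforcement this commit relies on recognises state-changing requests by that prefix, `delete` here, `save_comment` in ill/ill-requests.pl on this same line, and `generate`/`revoke`/`activate`, `save`/`insert` and `disable-2FA` further down would not be covered. The replacement mechanism is not visible in this patch, so this is an inference, but it is the one assumption the whole commit rests on and the commit message does not name it. I would add a regression test that POSTs `op=delete` with a valid session and no token and asserts DelAuthority is not reached, and either rename the op to `cud-delete` (with its template) in this change or state in the message why the prefix is not required. The `if ( $op eq "delete" )` block begins outside the hunk.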
--- a/members/apikeys.pl
+++ b/members/apikeys.pl
@@ -26,7 +26,6 @@ use C4::Output qw( output_and_exit output_html_with_http_headers );
 use Koha::ApiKeys;
 use Koha::Patrons;
-use Koha::Token;
 my $cgi = CGI->new;
@@ -60,18 +59,6 @@ if( $patron_id != $loggedinuser && !C4::Context->IsSuperLibrarian() ) {
 my $op = $cgi->param('op') // '';
-if ( $op eq 'generate' or
- $op eq 'delete' or
- $op eq 'revoke' or
- $op eq 'activate' ) {
-
- output_and_exit( $cgi, $cookie, $template, 'wrong_csrf_token' )
- unless Koha::Token->new->check_csrf({
- session_id => scalar $cgi->cookie('CGISESSID'),
- token => scalar $cgi->param('csrf_token'),
- });
-}
-
 if ($op) {
 if ( $op eq 'generate' ) {
 my $description = $cgi->param('description') // '';
diff --git a/members/cancel-charge.pl b/members/cancel-charge.pl
index 5483342863..5748fa54c4 100755
--- a/members/cancel-charge.pl
+++ b/members/cancel-charge.pl
@@ -20,7 +20,6 @@ use Modern::Perl;
 use CGI;
 use C4::Auth qw( checkauth );
-use Koha::Token;
 my $cgi = CGI->new;
@@ -33,16 +32,6 @@ my $flags = {
 my $type = 'intranet';
 my ($user, $cookie) = C4::Auth::checkauth($cgi, $authnotrequired, $flags, $type);
-my $csrf_token_is_valid = Koha::Token->new->check_csrf( {
- session_id => scalar $cgi->cookie('CGISESSID'),
- token => scalar $cgi->param('csrf_token'),
-});
-unless ($csrf_token_is_valid) {
- print $cgi->header('text/plain', '403 Forbidden');
- print 'Wrong CSRF token';
- exit;
-}
-
 my $borrowernumber = $cgi->param('borrowernumber');
 my $accountlines_id = $cgi->param('accountlines_id');
diff --git a/members/mancredit.pl b/members/mancredit.pl
index bd422863fb..12b11a9575 100755
--- a/members/mancredit.pl
+++ b/members/mancredit.pl
@@ -36,8 +36,6 @@ use Koha::Patron::Categories;
 use Koha::Account::CreditTypes;
 use Koha::AdditionalFields;
-use Koha::Token;
-
 my $input = CGI->new;
 my ( $template, $loggedinuser, $cookie ) = get_template_and_user( {
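Review bot: members/cancel-charge.pl authenticates through `C4::Auth::checkauth` alone, and the block removed here was the only code in the script answering a token-less request with `403 Forbidden`; on the new side it goes straight from checkauth to reading `borrowernumber` and `accountlines_id` with no rejection path left in the file, and no `op` parameter is visible that a central check could key on. The commit message's TODO acknowledges the 403 behaviour changes but not what now rejects such a request, so this is the script where the replacement must be shown to run before the body (a request-level guard), since it never calls `get_template_and_user`. I would add a test that POSTs to cancel-charge.pl with a session but no token and asserts the accountline is unchanged, and a comment after the checkauth line: `# No per-script CSRF check: relies on the central check introduced by Bug 34478`.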
@@ -70,13 +68,6 @@ my $library_id =
 my $add = $input->param('add');
 if ($add) {
- output_and_exit( $input, $cookie, $template, 'wrong_csrf_token' )
- unless Koha::Token->new->check_csrf(
- {
- session_id => scalar $input->cookie('CGISESSID'),
- token => scalar $input->param('csrf_token'),
- }
- );
 # Note: If the logged in user is not allowed to see this patron an invoice can be forced
 # Here we are trusting librarians not to hack the system
diff --git a/members/maninvoice.pl b/members/maninvoice.pl
index e622c553fa..959035751b 100755
--- a/members/maninvoice.pl
+++ b/members/maninvoice.pl
@@ -31,7 +31,6 @@ use C4::Output qw( output_and_exit_if_error output_and_exit output_html_with_htt
 use CGI qw ( -utf8 );
 use C4::Members;
 use C4::Accounts;
-use Koha::Token;
 use Koha::Patrons;
 use Koha::Items;
@@ -91,14 +90,6 @@ $template->param(
 my $add = $input->param('add');
 if ($add) {
- output_and_exit( $input, $cookie, $template, 'wrong_csrf_token' )
- unless Koha::Token->new->check_csrf(
- {
- session_id => scalar $input->cookie('CGISESSID'),
- token => scalar $input->param('csrf_token'),
- }
- );
-
 # Note: If the logged in user is not allowed to see this patron an invoice can be forced
 # Here we are trusting librarians not to hack the system
 my $desc = $input->param('desc');
diff --git a/members/member-flags.pl b/members/member-flags.pl
index 3aa500b1c0..c1f737db32 100755
--- a/members/member-flags.pl
+++ b/members/member-flags.pl
@@ -15,7 +15,6 @@ use Koha::Patron::Categories;
 use Koha::Patrons;
 use C4::Output qw( output_and_exit_if_error output_and_exit output_html_with_http_headers );
-use Koha::Token;
 my $input = CGI->new;
@@ -47,13 +46,6 @@ $member2{'borrowernumber'}=$member;
 if ($input->param('newflags')) {
- output_and_exit( $input, $cookie, $template, 'wrong_csrf_token' )
- unless Koha::Token->new->check_csrf({
- session_id => scalar $input->cookie('CGISESSID'),
- token => scalar $input->param('csrf_token'),
- });
-
-
 my $dbh=C4::Context->dbh();
 my @perms = $input->multi_param('flag');
diff --git a/members/member-password.pl b/members/member-password.pl
index 9b6ebd23b6..5cc5f4c448 100755
--- a/members/member-password.pl
+++ b/members/member-password.pl
@@ -10,7 +10,6 @@ use C4::Auth qw( get_template_and_user );
 use C4::Output qw( output_and_exit_if_error output_and_exit output_html_with_http_headers );
 use C4::Context;
 use CGI qw ( -utf8 );
-use Koha::Token;
 use Koha::Patrons;
 use Koha::Patron::Categories;
@@ -57,12 +56,6 @@ push( @errors, 'NOMATCH' ) if ( ( $newpassword && $newpassword2 ) && ( $newpassw
 if ( $newpassword and not @errors) {
- output_and_exit( $input, $cookie, $template, 'wrong_csrf_token' )
- unless Koha::Token->new->check_csrf({
- session_id => scalar $input->cookie('CGISESSID'),
- token => scalar $input->param('csrf_token'),
- });
-
 try {
 $patron->set_password({ password => $newpassword });
 $patron->userid($new_user_id)->store
diff --git a/members/memberentry.pl b/members/memberentry.pl
index 76086cb411..714cb01377 100755
--- a/members/memberentry.pl
+++ b/members/memberentry.pl
@@ -47,7 +47,6 @@ use Koha::Patron::HouseboundRole;
 use Koha::Patron::HouseboundRoles;
 use Koha::Policy::Patrons::Cardnumber;
 use Koha::Plugins;
-use Koha::Token;
 use Koha::SMS::Providers;
 my $input = CGI->new;
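Review bot: The action this hunk leaves unguarded in members/member-flags.pl is selected by `$input->param('newflags')`, not by an `op` value, and it rewrites a patron's permission set from `$input->multi_param('flag')`, which makes it the most attractive target in this patch for a forged request. member-password.pl on the same line (`if ( $newpassword and not @errors)`) and the `$email_add`/`$add` branches earlier have the same shape, so if the replacement check recognises a write by its op name rather than by the request method, none of these would be protected. I cannot see the replacement here, so the request is to confirm it applies to every POST regardless of parameters and to add a test that posts `newflags=1` plus a `flag` value without a token and asserts the patron's flags are unchanged. The `if` block continues past the hunk.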
@@ -303,12 +302,6 @@ $newdata{'lang'} = $input->param('lang') if defined($input->param('lang'))
 my $extended_patron_attributes;
 if ($op eq 'save' || $op eq 'insert'){
- output_and_exit( $input, $cookie, $template, 'wrong_csrf_token' )
- unless Koha::Token->new->check_csrf({
- session_id => scalar $input->cookie('CGISESSID'),
- token => scalar $input->param('csrf_token'),
- });
-
 # If the cardnumber is blank, treat it as null.
 $newdata{'cardnumber'} = undef if $newdata{'cardnumber'} =~ /^\s*$/;
diff --git a/members/paycollect.pl b/members/paycollect.pl
index e90358ddd6..03b45af68d 100755
--- a/members/paycollect.pl
+++ b/members/paycollect.pl
@@ -34,7 +34,6 @@ use Koha::AuthorisedValues;
 use Koha::Account;
 use Koha::Account::Lines;
 use Koha::AdditionalFields;
-use Koha::Token;
 use Koha::DateUtils qw( output_pref );
 my $input = CGI->new();
@@ -149,12 +148,6 @@ if ( $total_paid and $total_paid ne '0.00' ) {
 total_paid => $total_paid
 );
 } else {
- output_and_exit( $input, $cookie, $template, 'wrong_csrf_token' )
- unless Koha::Token->new->check_csrf( {
- session_id => $input->cookie('CGISESSID'),
- token => scalar $input->param('csrf_token'),
- });
-
 my $url;
 my $pay_result;
 if ($pay_individual) {
diff --git a/members/two_factor_auth.pl b/members/two_factor_auth.pl
index 5a1e28860d..7ebd23ab47 100755
--- a/members/two_factor_auth.pl
+++ b/members/two_factor_auth.pl
@@ -24,7 +24,6 @@ use C4::Output qw( output_and_exit output_html_with_http_headers );
 use Koha::Patrons;
 use Koha::Auth::TwoFactorAuth;
-use Koha::Token;
 my $cgi = CGI->new;
@@ -57,8 +56,6 @@ else {
 };
 if ( $op eq 'disable-2FA' ) {
- output_and_exit( $cgi, $cookie, $template, 'wrong_csrf_token' )
- unless Koha::Token->new->check_csrf($csrf_pars);
 my $auth = Koha::Auth::TwoFactorAuth->new( { patron => $logged_in_user } );
 $logged_in_user->secret(undef);
diff --git a/opac/opac-memberentry.pl b/opac/opac-memberentry.pl
index c7dcba0fd0..4934085d00 100755
--- a/opac/opac-memberentry.pl
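Review bot: In members/two_factor_auth.pl the only visible consumer of `$csrf_pars` is the line removed here, while the `};` just above the `if` suggests the structure is still built in the `else` branch outside the hunk; unless it has another use I cannot see, it is now dead data that reads as if a check still happens and should go with the check. The op it guarded, `disable-2FA`, clears the user's secret (`$logged_in_user->secret(undef)`), which is the action a CSRF attacker would most want, and it is not written in the `cud-` form that opac/opac-user.pl uses in this same patch, so if the central check keys on that prefix this op needs renaming in the same change. A test that POSTs `op=disable-2FA` with a session and no token and asserts the secret is still set would pin whichever mechanism is intended. Both the `else` block and the `if` body extend outside the hunk.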
+++ b/opac/opac-memberentry.pl
@@ -43,7 +43,6 @@ use Koha::Patron::Attributes;
 use Koha::Patron::Images;
 use Koha::Patron::Categories;
 use Koha::Policy::Patrons::Cardnumber;
-use Koha::Token;
 use Koha::AuthorisedValues;
 my $cgi = CGI->new;
 my $dbh = C4::Context->dbh;
@@ -315,11 +314,6 @@ if ( $action eq 'create' ) {
 elsif ( $action eq 'update' ) {
 my $borrower = Koha::Patrons->find( $borrowernumber )->unblessed;
- die "Wrong CSRF token"
- unless Koha::Token->new->check_csrf({
- session_id => scalar $cgi->cookie('CGISESSID'),
- token => scalar $cgi->param('csrf_token'),
- });
 my %borrower = ParseCgiForBorrower($cgi);
 $borrower{borrowernumber} = $borrowernumber;
diff --git a/opac/opac-messaging.pl b/opac/opac-messaging.pl
index fd239a7614..7553bd73d0 100755
--- a/opac/opac-messaging.pl
+++ b/opac/opac-messaging.pl
@@ -28,7 +28,6 @@ use C4::Members::Messaging;
 use C4::Form::MessagingPreferences;
 use Koha::Patrons;
 use Koha::SMS::Providers;
-use Koha::Token;
 my $query = CGI->new();
 my $opac_messaging = C4::Context->preference('EnhancedMessagingPreferencesOPAC');
@@ -53,10 +52,6 @@ my $messaging_options;
 $messaging_options = C4::Members::Messaging::GetMessagingOptions() if $opac_messaging;
 if ( defined $query->param('modify') && $query->param('modify') eq 'yes' ) {
- die "Wrong CSRF token" unless Koha::Token->new->check_csrf({
- session_id => scalar $query->cookie('CGISESSID'),
- token => scalar $query->param('csrf_token'),
- });
 if( $opac_messaging ) {
 my $sms = $query->param('SMSnumber');
diff --git a/opac/opac-sendbasket.pl b/opac/opac-sendbasket.pl
index 9ffb46a220..abbec91115 100755
--- a/opac/opac-sendbasket.pl
+++ b/opac/opac-sendbasket.pl
@@ -33,7 +33,6 @@ use C4::Templates;
 use Koha::Biblios;
 use Koha::Email;
 use Koha::Patrons;
-use Koha::Token;
 my $query = CGI->new;
@@ -49,13 +48,6 @@ my $bib_list = $query->param('bib_list') || '';
 my $email_add = $query->param('email_add');
 if ( $email_add ) {
- die "Wrong CSRF token"
- unless Koha::Token->new->check_csrf(
- {
- session_id => scalar $query->cookie('CGISESSID'),
- token => scalar $query->param('csrf_token'),
- }
- );
 my $patron = Koha::Patrons->find($borrowernumber);
 my $user_email = $patron->notice_email_address;
diff --git a/opac/opac-user.pl b/opac/opac-user.pl
index 3d44e9828f..a1b8b9f910 100755
--- a/opac/opac-user.pl
+++ b/opac/opac-user.pl
@@ -48,7 +48,6 @@ use Koha::Patron::Discharge;
 use Koha::Patrons;
 use Koha::Ratings;
 use Koha::Recalls;
-use Koha::Token;
 use constant ATTRIBUTE_SHOW_BARCODE => 'SHOW_BCODE';
@@ -90,12 +89,6 @@ $template->param( shibbolethAuthentication => C4::Context->config('useshibboleth
 my $patron = Koha::Patrons->find( $borrowernumber );
 if( $op eq 'cud-update_arc' && C4::Context->preference("AllowPatronToControlAutorenewal") ){
- die "Wrong CSRF token"
- unless Koha::Token->new->check_csrf({
- session_id => scalar $query->cookie('CGISESSID'),
- token => scalar $query->param('csrf_token'),
- });
-
 my $autorenew_checkouts = $query->param('borrower_autorenew_checkouts');
 $patron->autorenew_checkouts( $autorenew_checkouts )->store() if defined $autorenew_checkouts;
 }
diff --git a/opac/sco/sco-patron-image.pl b/opac/sco/sco-patron-image.pl
index 36e86b7d13..e311e01fe6 100755
--- a/opac/sco/sco-patron-image.pl
+++ b/opac/sco/sco-patron-image.pl
@@ -23,7 +23,6 @@ use C4::Service;
 use C4::Members;
 use Koha::Patron::Images;
 use Koha::Patrons;
-use Koha::Token;
 my ( $query, $response ) = C4::Service->init( self_check => 'self_checkout_module' );
@@ -49,21 +48,6 @@ my $patron_image = $patron->image;
 if ($patron_image) {
- unless (
- Koha::Token->new->check_csrf(
- {
- session_id => scalar $query->cookie('CGISESSID')
- . $patron->cardnumber,
- id => $patron->userid,
- token => $csrf_token,
- }
- )
- )
- {
-
- print $query->header(-type => 'text/plain', -status => '403 Forbidden');
- exit;
- }
 print $query->header(
 -type => $patron_image->mimetype,
 -Content_Length => length( $patron_image->imagefile )
-- 
2.39.5
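Review bot: The block removed from opac/sco/sco-patron-image.pl was not a form-CSRF check but an access token for the image itself: it was bound to `session_id . $patron->cardnumber` and `id => $patron->userid`, and the request it guarded is a read whose response is sized by `length( $patron_image->imagefile )`, so a central guard on state-changing requests would not stand in for it. On the new side nothing visible ties `$patron` to the patron whose self-checkout session is open, so a client that can reach this endpoint with a patron identifier would presumably receive that patron's photo; how `$patron` is resolved sits above the hunk, so this needs confirming rather than taking as proven. I would keep this check (its `$csrf_token` input is assigned above the hunk and now appears unused) or replace it with an explicit comparison of `$patron` against the SCO session's patron that still answers `403 Forbidden`, and add a test fetching the image of a different borrowernumber and expecting 403. The `if ($patron_image)` block and the `print $query->header(` call continue past the hunk.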