From 1df8ee19943b6d112eba85bbab308ba8b550ed67 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Fri, 5 Apr 2024 08:58:06 +0200
Subject: [PATCH] Bug 36532: Protect opac-dismiss-message.pl from malicious usages
Really bad design, NEVER retrieve the logged in user from the CGI param!
See comment 1 for more info
Signed-off-by: Owen Leonard
Signed-off-by: David Cook
(cherry picked from commit a40e1fd62c7320ad5f7b8514ba2bd129aad2d10f)
Signed-off-by: Fridolin Somers
---
 .../opac-tmpl/bootstrap/en/includes/opac-note.inc | 1 -
 opac/opac-dismiss-message.pl | 12 ++++++++----
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-note.inc b/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-note.inc
index 6ed5e724f2..09562c9b3d 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-note.inc
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-note.inc
@@ -9,7 +9,6 @@
-
[% END %]
diff --git a/opac/opac-dismiss-message.pl b/opac/opac-dismiss-message.pl
index 789825c035..0b4026cbc0 100755
--- a/opac/opac-dismiss-message.pl
+++ b/opac/opac-dismiss-message.pl
@@ -35,10 +35,14 @@ my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
 } );
-my $patron_id = $query->param('patron_id');
-my $patron = Koha::Patrons->find( $patron_id );
-my $message_id = $query->param('message_id');
-my $message = $patron->messages->find( $message_id );
+my $logged_in_user = Koha::Patrons->find($borrowernumber);
+my $message_id = $query->param('message_id');
+my $message = $logged_in_user->messages->find($message_id);
+
+unless ($message) {
+ print $query->redirect("/cgi-bin/koha/errors/404.pl");
+ exit;
+}
 unless ( $message ) {
 # exit early
-- 
2.39.5
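Review bot: The added `unless ($message)` redirect block makes the pre-existing `unless ( $message ) { # exit early` block immediately after it unreachable, since `$message` is always defined once the new block has been passed; the two checks should be folded into one rather than leaving dead code behind. A second gap is that `Koha::Patrons->find($borrowernumber)` returns undef when the session has no authenticated patron, and the next line would then die on `$logged_in_user->messages`; whether that path is reachable depends on the `authnotrequired` option passed to get_template_and_user, whose call starts outside the hunk, so if anonymous sessions can reach this script a guard such as `unless ($logged_in_user) { print $query->redirect("/cgi-bin/koha/errors/404.pl"); exit; }` belongs before the message lookup. Resolving the message through the logged-in patron's own `messages` relation instead of a client-supplied patron_id is the correct scoping, so the remaining points are about the consistency of the early exits, not the fix itself. The body of the original `unless ( $message )` block continues outside the hunk.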