From 83af851c5ea33923756816d0810dc89260e5cf66 Mon Sep 17 00:00:00 2001 From: Marcel de Rooy Date: Mon, 24 Jan 2022 10:24:08 +0000 Subject: [PATCH] Bug 29931: [21.05.x] Check cookie status before continuing Test plan: Logout from staff. Try to run plugins-enable (you should have some active plugin). Like: https://yourserver:staffport/cgi-bin/koha/plugins/plugins-enable.pl?class=Koha::Plugin::Test&method=enable Replace class and method as appropriate. Verify that with this patch, you will be redirected to 401 page. Signed-off-by: Marcel de Rooy Signed-off-by: Jonathan Druart Signed-off-by: Jonathan Druart Bug 29931: (follow-up) Similar thing in opac-patron-image.pl Although less harmful indeed. No borrowernumber, no image. Signed-off-by: Marcel de Rooy Tested: logged in, logged out, prefs toggled. All fine. Signed-off-by: Jonathan Druart Bug 29931: (follow-up) Fix svc/checkouts and return_claims too Adding the same auth_status check here too. Signed-off-by: Marcel de Rooy Signed-off-by: Jonathan Druart Signed-off-by: Andrew Fuerste-Henry --- opac/opac-patron-image.pl | 13 +++++++------ plugins/plugins-enable.pl | 7 +++++-- svc/checkouts | 7 +++++-- svc/return_claims | 7 +++++-- 4 files changed, 22 insertions(+), 12 deletions(-) diff --git a/opac/opac-patron-image.pl b/opac/opac-patron-image.pl index b40788db7e..c4358327da 100755 --- a/opac/opac-patron-image.pl +++ b/opac/opac-patron-image.pl @@ -32,13 +32,14 @@ unless (C4::Context->preference('OPACpatronimages')) { exit; } -my $needed_flags; -my %cookies = CGI::Cookie->fetch; -my $sessid = $cookies{'CGISESSID'}->value; -my ($auth_status, $auth_sessid) = check_cookie_auth($sessid, $needed_flags); -my $borrowernumber = C4::Context->userenv->{'number'}; +my ($auth_status) = check_cookie_auth( $query->cookie('CGISESSID') ); +if( $auth_status ne 'ok' ) { + print CGI::header( '-status' => '401' ); + exit 0; +} -my $patron_image = Koha::Patron::Images->find($borrowernumber); +my $userenv = C4::Context->userenv; +my $patron_image = $userenv ? Koha::Patron::Images->find( $userenv->{number} ) : undef; if ($patron_image) { print $query->header( diff --git a/plugins/plugins-enable.pl b/plugins/plugins-enable.pl index 181550781a..bfaaa41778 100755 --- a/plugins/plugins-enable.pl +++ b/plugins/plugins-enable.pl @@ -27,8 +27,11 @@ die("Koha plugins are disabled!") unless C4::Context->config("enable_plugins"); my $input = CGI->new; -my ( $auth_status, $sessionID ) = - check_cookie_auth( $input->cookie('CGISESSID'), { plugins => 'manage' } ); +my ( $auth_status ) = check_cookie_auth( $input->cookie('CGISESSID'), { plugins => 'manage' } ); +if( $auth_status ne 'ok' ) { + print CGI::header( '-status' => '401' ); + exit 0; +} my $class = $input->param('class'); my $method = $input->param('method'); diff --git a/svc/checkouts b/svc/checkouts index 38c0017e2c..ab41bc1538 100755 --- a/svc/checkouts +++ b/svc/checkouts @@ -33,8 +33,11 @@ use Koha::ItemTypes; my $input = CGI->new; -my ( $auth_status, $sessionID ) = - check_cookie_auth( $input->cookie('CGISESSID')); +my ( $auth_status, $sessionID ) = check_cookie_auth( $input->cookie('CGISESSID')); +if( $auth_status ne 'ok' ) { + print CGI::header( '-status' => '401' ); + exit 0; +} my $session = get_session($sessionID); my $userid = $session->param('id'); diff --git a/svc/return_claims b/svc/return_claims index 2a616f08e2..878f9a6cfa 100755 --- a/svc/return_claims +++ b/svc/return_claims @@ -31,8 +31,11 @@ use Koha::Patrons; my $input = CGI->new; -my ( $auth_status, $sessionID ) = - check_cookie_auth( $input->cookie('CGISESSID') ); +my ( $auth_status, $sessionID ) = check_cookie_auth( $input->cookie('CGISESSID') ); +if( $auth_status ne 'ok' ) { + print CGI::header( '-status' => '401' ); + exit 0; +} my $session = get_session($sessionID); my $userid = $session->param('id'); -- 2.39.5