From e1a72e9d21a1fab90257b5fde4579e2b6c6a6ee9 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Fri, 12 Aug 2016 11:36:06 +0100 Subject: [PATCH] Bug 17116: Fix CSRF in import_borrowers.pl If an attacker can get an authenticated Koha user to visit their page with the url below, they can change patrons' information The exploit can be simulated triggering /tools/import_borrowers.pl?uploadborrowers=42 In that case it won't do anything wrong, but if you POST a valid file, it could. Test plan: Trigger the url above => Without this patch, you will see the result page => With this patch, you will get the "Wrong CSRF token" error. Regression test: Import a valid file from the import patron form, everything should go fine. Signed-off-by: Chris Cormack Signed-off-by: Marcel de Rooy Signed-off-by: Mason James --- .../intranet-tmpl/prog/en/modules/tools/import_borrowers.tt | 5 ++++- tools/import_borrowers.pl | 3 +++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/import_borrowers.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/import_borrowers.tt index d9f25db0c1..4e708c53c4 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/import_borrowers.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/import_borrowers.tt @@ -191,7 +191,10 @@ [% END %] -
+
+ + +
[% END %]
diff --git a/tools/import_borrowers.pl b/tools/import_borrowers.pl
index 1ad886c2fa..c93480f62d 100755
--- a/tools/import_borrowers.pl
+++ b/tools/import_borrowers.pl
@@ -49,6 +49,7 @@ use C4::Reports::Guided;
 use C4::Templates;
 use Koha::Patron::Debarments;
 use Koha::DateUtils;
+use Koha::Token;
 use Text::CSV;
 # Text::CSV::Unicode, even in binary mode, fails to parse lines with these diacriticals:
@@ -56,6 +57,8 @@ use Text::CSV;
 # č
 use CGI qw ( -utf8 );
+# use encoding 'utf8'; # don't do this
+use Digest::MD5 qw(md5_base64);
 my (@errors, @feedback);
 my $extended = C4::Context->preference('ExtendedPatronAttributes');
-- 
2.39.5
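Review bot: `use Koha::Token;` is the only change in this hunk, and since the diffstat lists exactly 3 insertions for tools/import_borrowers.pl and the other two are the import lines in the following hunk, no hunk in this patch ever calls `Koha::Token->new->check_csrf(...)` or refuses the request on a bad token — as shown, /tools/import_borrowers.pl?uploadborrowers=42 would still be processed, contrary to the test plan's "Wrong CSRF token" outcome. The check has to gate the branch that handles the `uploadborrowers` parameter (and the POSTed file) before any patron rows are written; that part of the script lies outside these hunks. If the check is carried by a separate patch, the commit message should say so, because on its own this diff leaves the CSRF hole open.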
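Review bot: The added `# use encoding 'utf8'; # don't do this` line is commented-out code plus a note telling readers not to use it; it documents nothing about the CSRF fix and should be dropped from the patch rather than introduced. `use Digest::MD5 qw(md5_base64);` is likewise imported but never called in any shown hunk — presumably intended to derive the CSRF secret — so until that call lands it is a dead import. Stylistically, both new `use` lines belong with the other module imports in the previous hunk (next to `use Koha::Token;`) rather than between `use CGI` and the `my` declarations.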