From 593e1dc5840f59d1c8f7fb457fe580b907f46385 Mon Sep 17 00:00:00 2001 From: David Cook Date: Tue, 25 Jul 2023 05:18:00 +0000 Subject: [PATCH] Bug 34368: Add CSRF token to Content Management pages This change adds a CSRF token to the Content Management pages at additional-contents.pl. Test plan: 0. Apply patch 1. koha-plack --restart kohadev 2. Try to add "News", "HTML customizations", and "Pages". 3. Try to delete these new content entries 4. Note that you were successful in your endeavours JD amended patch: remove empty line removal (no need to create unecessary conflicts) Signed-off-by: Jonathan Druart Signed-off-by: Marcel de Rooy Signed-off-by: Tomas Cohen Arazi
---
 .../prog/en/modules/tools/additional-contents.tt | 2 ++ tools/additional-contents.pl | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/additional-contents.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/additional-contents.tt
index 84cda9311d..650ee9de53 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/additional-contents.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/additional-contents.tt
@@ -201,6 +201,7 @@
+ [% INCLUDE 'csrf-token.inc' %]
@@ -454,6 +455,7 @@
+ [% INCLUDE 'csrf-token.inc' %]
diff --git a/tools/additional-contents.pl b/tools/additional-contents.pl
index 46f358f9d7..e066bb8fee 100755
--- a/tools/additional-contents.pl
+++ b/tools/additional-contents.pl
@@ -28,7 +28,7 @@
 use C4::Auth qw(get_template_and_user);
 use C4::Koha;
 use C4::Context;
 use C4::Log qw( logaction );
-use C4::Output qw(output_html_with_http_headers);
+use C4::Output qw(output_html_with_http_headers output_and_exit_if_error);
 use C4::Languages qw(getTranslatedLanguages);
 use Koha::DateUtils qw( dt_from_string output_pref );
@@ -84,6 +84,7 @@ if ( $op eq 'add_form' ) {
 );
 }
 elsif ( $op eq 'add_validate' ) {
+ output_and_exit_if_error($cgi, $cookie, $template, { check => 'csrf_token' });
 my $location = $cgi->param('location');
 my $code = $cgi->param('code');
 my $branchcode = $cgi->param('branchcode') || undef;
@@ -199,6 +200,7 @@ elsif ( $op eq 'add_validate' ) {
 }
 }
 elsif ( $op eq 'delete_confirmed' ) {
+ output_and_exit_if_error($cgi, $cookie, $template, { check => 'csrf_token' });
 my @ids = $cgi->multi_param('ids');
 my $deleted = eval {
-- 2.39.5
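Review bot: The CSRF check added at the top of the `add_validate` branch protects only that branch and `delete_confirmed`, so any other value of `$op` that writes state stays unprotected, and every op added later has to remember to repeat the call. A single guard ahead of the `if`/`elsif` dispatch keeps the protected set in one place, e.g. `output_and_exit_if_error($cgi, $cookie, $template, { check => 'csrf_token' }) if $op =~ /^(?:add_validate|delete_confirmed)$/;`. Nothing in the hunk ties the token to the HTTP method; if `csrf_token` is accepted from a GET query string, a practitioner would also want state-changing ops to require `$cgi->request_method eq 'POST'` — whether `output_and_exit_if_error` enforces that is not visible here. `$cookie` and `$template` are presumably populated by `get_template_and_user` above the hunk, and the `add_validate` branch continues past its end.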
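Review bot: The test plan exercises only the success path (steps 2–4); nothing checks that a request with a missing or altered `csrf_token` is refused, which is the property this check on the `delete_confirmed` branch is meant to provide. Add a step such as "resubmit the delete form with the `csrf_token` field removed or changed and confirm the script reports an error and no entry is deleted", and the same for `add_validate`. Because `delete_confirmed` is selected purely by `$op` and takes its targets from `$cgi->multi_param('ids')`, it was reachable by a plain cross-site link before this patch, so the negative test is what demonstrates the fix. The `delete_confirmed` branch continues beyond the hunk — `my $deleted = eval {` is left open.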