From 501ad2508a07bd16814e472eeaa140fd5fe76951 Mon Sep 17 00:00:00 2001
From: Nick Clemens
Date: Wed, 23 May 2018 10:37:35 +0000
Subject: [PATCH] Bug 20701: (17.11 follow-up) Move csrf token after checkauth and use scalar
(cherry picked from commit 8bbc2f481037867bc188a0c1f27f06205d3c4bfa)
Signed-off-by: Fridolin Somers
---
 members/mancredit.pl | 2 +-
 members/maninvoice.pl | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/members/mancredit.pl b/members/mancredit.pl
index 94c308e93a..c3120ffbe6 100755
--- a/members/mancredit.pl
+++ b/members/mancredit.pl
@@ -52,7 +52,7 @@ if ($add){
 die "Wrong CSRF token"
 unless Koha::Token->new->check_csrf( {
- session_id => $input->cookie('CGISESSID'),
+ session_id => scalar $input->cookie('CGISESSID'),
 token => scalar $input->param('csrf_token'),
 });
diff --git a/members/maninvoice.pl b/members/maninvoice.pl
index 7f79e55f79..153b96054c 100755
--- a/members/maninvoice.pl
+++ b/members/maninvoice.pl
@@ -47,12 +47,12 @@ my $borrowernumber=$input->param('borrowernumber');
 my $data=GetMember('borrowernumber'=>$borrowernumber);
 my $add=$input->param('add');
 if ($add){
- die "Wrong CSRF token"
- unless Koha::Token->new->check_csrf( {
- session_id => $input->cookie('CGISESSID'),
- token => scalar $input->param('csrf_token'),
- });
 if ( checkauth( $input, 0, $flagsrequired, 'intranet' ) ) {
+ die "Wrong CSRF token"
+ unless Koha::Token->new->check_csrf( {
+ session_id => scalar $input->cookie('CGISESSID'),
+ token => scalar $input->param('csrf_token'),
+ });
 # print $input->header;
 my $barcode=$input->param('barcode');
 my $itemnum;
--
2.39.5
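Review bot: In members/mancredit.pl the `die "Wrong CSRF token"` check still sits directly under `if ($add){` with no checkauth call visible before it, although the subject says the check moves after checkauth and the maninvoice.pl hunk does exactly that. If checkauth follows this block, as it did in maninvoice.pl before this patch, the token is still compared against a CGISESSID cookie that has not yet been validated, and the two scripts now disagree on ordering. The rest of the `if ($add)` body lies outside the hunk, so this needs confirming against the full file. If it holds, make the `die ... unless Koha::Token->new->check_csrf( {...} );` statement the first statement inside the checkauth branch, as maninvoice.pl now does.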
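Review bot: Nothing at the moved check in members/maninvoice.pl records why both hash values are wrapped in `scalar`, so a later tidy-up could drop it and silently weaken the check. A one-line comment above the hash would preserve the reason, for example `# scalar: in list context cookie()/param() may return zero or several values, which would shift the keys of this hash`. The same comment belongs on the check in members/mancredit.pl. The `if ( checkauth(...) )` block opened in this hunk continues past its last line.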