From 75e11d85d0c8f39d920af5610a86e7c8f243a3a5 Mon Sep 17 00:00:00 2001
From: Marcel de Rooy
Date: Tue, 18 Jan 2022 12:45:17 +0000
Subject: [PATCH] Bug 28786: (QA follow-up) Check the returned CSRF token
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

We're doing this in the registering stage and at disabling. Test plan: Ënable two-factor auth but logout/login on another tab. You should get the Wrong CSRF token when submitting. Do similar thing while disabling. Verify that you can register / disable when in the same session.

Signed-off-by: Marcel de Rooy
Signed-off-by: Fridolin Somers
---
 members/two_factor_auth.pl | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/members/two_factor_auth.pl b/members/two_factor_auth.pl
index 3d763d23f3..d5157dfd8a 100755
--- a/members/two_factor_auth.pl
+++ b/members/two_factor_auth.pl
@@ -24,6 +24,7 @@ use C4::Output qw( output_and_exit output_html_with_http_headers );
 
 use Koha::Patrons;
 use Koha::Auth::TwoFactorAuth;
+use Koha::Token;
 
 my $cgi = CGI->new;
 
@@ -44,8 +45,15 @@ unless ( C4::Context->preference('TwoFactorAuthentication') ) {
 
 my $logged_in_user = Koha::Patrons->find($loggedinuser);
 my $op = $cgi->param('op') // '';
+my $csrf_pars = {
+    session_id => scalar $cgi->cookie('CGISESSID'),
+    token => scalar $cgi->param('csrf_token'),
+};
 
 if ( $op eq 'register-2FA' ) {
+    output_and_exit( $cgi, $cookie, $template, 'wrong_csrf_token' )
+      unless Koha::Token->new->check_csrf($csrf_pars);
+
     my $pin_code = $cgi->param('pin_code');
     my $secret32 = $cgi->param('secret32');
     my $auth = Koha::Auth::TwoFactorAuth->new(
@@ -91,6 +99,8 @@ if ( $op eq 'enable-2FA' ) {
     $op = 'register';
 }
 elsif ( $op eq 'disable-2FA' ) {
+    output_and_exit( $cgi, $cookie, $template, 'wrong_csrf_token' )
+      unless Koha::Token->new->check_csrf($csrf_pars);
     $logged_in_user->auth_method('password')->store;
 }
 
-- 
2.39.5
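Review bot: The CSRF check is pasted verbatim into two branches (here in `register-2FA` and again in the `disable-2FA` branch of the third hunk), so any state-changing op added later — and the `enable-2FA` branch, visible only by its header in the third hunk, if it does more than render the registration form — silently stays unprotected. A single gate before the `if`/`elsif` dispatch keeps the list of protected ops in one place: `my %csrf_protected = map { $_ => 1 } qw( register-2FA disable-2FA );` followed by `output_and_exit( $cgi, $cookie, $template, 'wrong_csrf_token' ) if $csrf_protected{$op} && !Koha::Token->new->check_csrf($csrf_pars);`, replacing both inserted checks. `$csrf_pars` is also built for every request, including plain GETs that carry no `csrf_token` parameter; that is harmless only if `check_csrf` tolerates an undef token, which is worth confirming against Koha::Token rather than assuming. The `register-2FA` block continues past the end of this hunk.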