From 163a1f4d42e2431952c2d9f5bc54237e70e0dbeb Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Thu, 3 May 2018 09:09:19 -0300 Subject: [PATCH] Bug 20701: Add csrf protection to mancredit.pl Works OK. Signed-off-by: Amit Gupta Signed-off-by: Marcel de Rooy Signed-off-by: Nick Clemens (cherry picked from commit fb083c95a2582904d633b84e4eddabce08baf99c) Signed-off-by: Fridolin Somers
--- .../prog/en/modules/members/mancredit.tt | 1 + members/mancredit.pl | 13 +++++++++++++ 2 files changed, 14 insertions(+)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/mancredit.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/mancredit.tt
index 65a61a59ea..0f7ffc78ba 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/mancredit.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/mancredit.tt
@@ -36,6 +36,7 @@ $(document).ready(function(){
+
Manual credit
diff --git a/members/mancredit.pl b/members/mancredit.pl
index a26000dc30..94c308e93a 100755
--- a/members/mancredit.pl
+++ b/members/mancredit.pl
@@ -36,6 +36,7 @@ use C4::Members::Attributes qw(GetBorrowerAttributes);
 use Koha::Patron::Images;
 use Koha::Patron::Categories;
+use Koha::Token;
 my $input=new CGI;
 my $flagsrequired = { borrowers => 1, updatecharges => 1 };
@@ -48,6 +49,15 @@ my $add=$input->param('add');
 if ($add){
 if ( checkauth( $input, 0, $flagsrequired, 'intranet' ) ) {
+
+ die "Wrong CSRF token"
+ unless Koha::Token->new->check_csrf( {
+ session_id => $input->cookie('CGISESSID'),
+ token => scalar $input->param('csrf_token'),
+ });
+
+ # Note: If the logged in user is not allowed to see this patron an invoice can be forced
+ # Here we are trusting librarians not to hack the system
 my $barcode = $input->param('barcode');
 my $itemnum;
 if ($barcode) {
@@ -99,6 +109,9 @@ if ($add){
 borrowernumber => $borrowernumber,
 categoryname => $data->{'description'},
 is_child => ($data->{'category_type'} eq 'C'),
+ csrf_token => Koha::Token->new->generate_csrf(
+ { session_id => scalar $input->cookie('CGISESSID') }
+ ),
 );
 output_html_with_http_headers $input, $cookie, $template->output;
 }
-- 
2.39.5
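Review bot: In the added check_csrf call, `session_id => $input->cookie('CGISESSID')` evaluates the cookie accessor in list context inside a hash constructor, so a request that carries no CGISESSID cookie contributes zero elements and shifts the remaining pairs (the literal `token` key lands in the session_id slot) instead of passing an undefined session_id. check_csrf presumably still rejects such a request, but for the wrong reason, and the generate_csrf call in the third hunk already forces scalar context for the same accessor, so the check should match it: `session_id => scalar $input->cookie('CGISESSID'),`. The enclosing `if ($add)` / checkauth block begins in the hunk and continues outside it.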