From c9318041713218fc5217a26c7dcdefdfd1fc69b3 Mon Sep 17 00:00:00 2001 From: Martin Renvoize Date: Wed, 13 Apr 2022 13:55:04 +0100 Subject: [PATCH] Bug 30524: Core CSRF checking code Split out from bug 22990 as requested. Signed-off-by: David Cook Signed-off-by: Kyle M Hall Signed-off-by: Marcel de Rooy Signed-off-by: Tomas Cohen Arazi (cherry picked from commit aba9e61cfbab1e915f1be4a527b5708b9ec59c35) Signed-off-by: Fridolin Somers --- C4/Auth.pm | 2 ++ C4/Output.pm | 33 +++++++++++++++---- .../prog/en/includes/csrf-token.inc | 1 + 3 files changed, 30 insertions(+), 6 deletions(-) create mode 100644 koha-tmpl/intranet-tmpl/prog/en/includes/csrf-token.inc diff --git a/C4/Auth.pm b/C4/Auth.pm index 6c308642f9..3e4cf15195 100644 --- a/C4/Auth.pm +++ b/C4/Auth.pm @@ -51,6 +51,7 @@ use Net::CIDR; use C4::Log qw( logaction ); use Koha::CookieManager; use Koha::Auth::Permissions; +use Koha::Token; # use utf8; @@ -307,6 +308,7 @@ sub get_template_and_user { $template->param( loggedinusernumber => $borrowernumber ); # FIXME Should be replaced with logged_in_user.borrowernumber $template->param( logged_in_user => $patron ); $template->param( sessionID => $sessionID ); + $template->param( csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $sessionID })); if ( $in->{'type'} eq 'opac' ) { require Koha::Virtualshelves; diff --git a/C4/Output.pm b/C4/Output.pm index 42c4011ca0..94bc8e0f95 100644 --- a/C4/Output.pm +++ b/C4/Output.pm @@ -34,6 +34,7 @@ use URI::Escape; use C4::Auth qw( get_template_and_user ); use C4::Context; use C4::Templates; +use Koha::Token; our (@ISA, @EXPORT_OK); @@ -314,9 +315,17 @@ sub is_ajax { To executed at the beginning of scripts to stop the script at this point if some errors are found. -Tests for module 'members': -* patron is not defined (we are looking for a patron that does no longer exist/never existed) -* The logged in user cannot see patron's infos (feature 'cannot_see_patron_infos') +A series of tests can be run for a given module, or a specific check. +Params "module" and "check" are mutually exclusive. + +Tests for modules: +* members: + - Patron is not defined (we are looking for a patron that does no longer exist/never existed) + - The logged in user cannot see patron's infos (feature 'cannot_see_patron_infos') + +Tests for specific check: +* csrf_token + will test if the csrf_token CGI param is valid Others will be added here depending on the needs (for instance biblio does not exist will be useful). @@ -332,16 +341,28 @@ sub output_and_exit_if_error { if ( not $current_patron ) { $error = 'unknown_patron'; } - elsif( not $logged_in_user->can_see_patron_infos( $current_patron ) ) { + elsif ( not $logged_in_user->can_see_patron_infos($current_patron) ) + { $error = 'cannot_see_patron_infos'; } - } elsif ( $params->{module} eq 'cataloguing' ) { + } + elsif ( $params->{module} eq 'cataloguing' ) { # We are testing the record to avoid additem to fetch the Koha::Biblio # But in the long term we will want to get a biblio in parameter $error = 'unknown_biblio' unless $params->{record}; } } - + elsif ( $params and exists $params->{check} ) { + if ( $params->{check} eq 'csrf_token' ) { + $error = 'wrong_csrf_token' + unless Koha::Token->new->check_csrf( + { + session_id => scalar $query->cookie('CGISESSID'), + token => scalar $query->param('csrf_token'), + } + ); + } + } output_and_exit( $query, $cookie, $template, $error ) if $error; return; } diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/csrf-token.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/csrf-token.inc new file mode 100644 index 0000000000..703d4eb036 --- /dev/null +++ b/koha-tmpl/intranet-tmpl/prog/en/includes/csrf-token.inc @@ -0,0 +1 @@ + -- 2.39.2