From 654f2bc2e588305bb10b2dc0b7756dbe53238d64 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Wed, 4 Oct 2017 17:49:51 -0300 Subject: [PATCH] Bug 19117: Add CSRF protection to paycollect.pl Security bug, trivial changes, no need to provide procedure for script kiddies. Test plan: Pay fines using the different options from the "Pay fines" tab. Signed-off-by: Katrin Fischer Signed-off-by: Marcel de Rooy Signed-off-by: Katrin Fischer --- .../intranet-tmpl/prog/en/modules/members/paycollect.tt | 3 +++ members/paycollect.pl | 9 +++++++++ 2 files changed, 12 insertions(+) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/paycollect.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/paycollect.tt index 069ad690e3..0f9cf7919c 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/paycollect.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/paycollect.tt @@ -101,6 +101,7 @@ function moneyFormat(textObj) { [% IF ( pay_individual ) %]
+ @@ -156,6 +157,7 @@ function moneyFormat(textObj) {
[% ELSIF ( writeoff_individual ) %]
+
Write off an individual fine @@ -197,6 +199,7 @@ function moneyFormat(textObj) { [% ELSE %] + diff --git a/members/paycollect.pl b/members/paycollect.pl index e0a6ad2c3d..ab3247de47 100755 --- a/members/paycollect.pl +++ b/members/paycollect.pl @@ -30,6 +30,7 @@ use C4::Accounts; use C4::Koha; use Koha::Patron::Images; use Koha::Account; +use Koha::Token; use Koha::Patron::Categories; @@ -110,6 +111,12 @@ if ( $total_paid and $total_paid ne '0.00' ) { total_due => $total_due ); } else { + die "Wrong CSRF token" + unless Koha::Token->new->check_csrf( { + session_id => $input->cookie('CGISESSID'), + token => scalar $input->param('csrf_token'), + }); + if ($individual) { if ( $total_paid == $total_due ) { makepayment( $accountlines_id, $borrowernumber, $accountno, $total_paid, $user, @@ -154,6 +161,8 @@ $template->param( total => $total_due, RoutingSerials => C4::Context->preference('RoutingSerials'), ExtendedPatronAttributes => C4::Context->preference('ExtendedPatronAttributes'), + + csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $input->cookie('CGISESSID') }), ); output_html_with_http_headers $input, $cookie, $template->output; -- 2.39.5