From eb991bfcf96290aabf0c05085a8eaedafc530530 Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Thu, 26 May 2016 11:52:19 +0100
Subject: [PATCH] Bug 16593: Do not allow patrons to delete search history of
 others patrons
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

A malicious user can delete the search history of all other users by
correctly guessing the ID value assigned to the victim's search. As
searches are assigned values sequentially, an attacker could quickly
remove the searches belonging to all of the application's users.

To reproduce:
Login with patron A
launch a search
Note the id generated for this search history:
select id from search_history order by id desc limit 1;
Login with patron B
Hit /cgi-bin/koha/opac-search-history.pl?action=delete&id=<ID>
Note that the row is deleted in the DB

Test plan
Confirm that this patch fixes the issue.
The same test can be made at the staff interface

Reported by Alex Middleton at Dionach

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit f01720808a574af9872ef3f562a8f3cee7f81060)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit 0974bb38889dc5ca2b0abf68715a296d49087f3e)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
---
 catalogue/search-history.pl | 3 ++-
 opac/opac-search-history.pl | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/catalogue/search-history.pl b/catalogue/search-history.pl
index 4a8251f54a..f6714e11c6 100755
--- a/catalogue/search-history.pl
+++ b/catalogue/search-history.pl
@@ -46,7 +46,8 @@ if ( $action eq 'delete' ) {
         : q{};
     C4::Search::History::delete(
         {
-            id => [ $cgi->param('id') ],
+            userid => $loggedinuser,
+            id     => [ $cgi->param('id') ],
         }
     );
     # Redirecting to this same url so the user won't see the search history link in the header
diff --git a/opac/opac-search-history.pl b/opac/opac-search-history.pl
index 4858b5ac8d..34b0e84c63 100755
--- a/opac/opac-search-history.pl
+++ b/opac/opac-search-history.pl
@@ -103,7 +103,8 @@ unless ( $loggedinuser ) {
         if ( @id ) {
             C4::Search::History::delete(
                 {
-                    id => [ $cgi->param('id') ],
+                    userid => $loggedinuser,
+                    id     => [ $cgi->param('id') ],
                 }
             );
         } else {
-- 
2.20.1