From 730d1fd57d982735522b3c7c1bc4d421255c2107 Mon Sep 17 00:00:00 2001 From: Nick Clemens Date: Thu, 3 May 2018 11:52:24 +0000 Subject: [PATCH] Bug 20701: Add csrf protection to maninvoice.pl TO test: 1 - Be signed in to Koha 2 - Add a manual invoice to an account, works fine 3 - Now do it via url: http://localhost:8081/cgi-bin/koha/members/maninvoice.pl?borrowernumber=5&type=test&amount=5&add=Save 4 - Apply patches 5 - Test that everything continues to work as expected (but more securely) 6 - Try adding a new invoice via URL 7 - Should get 'internal server error' and wrong csrf token in logs Works OK. Signed-off-by: Amit Gupta Signed-off-by: Marcel de Rooy Signed-off-by: Nick Clemens --- .../intranet-tmpl/prog/en/modules/members/maninvoice.tt | 1 + members/maninvoice.pl | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/maninvoice.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/maninvoice.tt index 8fc1f68a59..77778ee1e4 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/maninvoice.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/maninvoice.tt @@ -48,6 +48,7 @@ $(document).ready(function(){ [% END %] [% ELSE %]
+
Manual invoice
    diff --git a/members/maninvoice.pl b/members/maninvoice.pl index 6c646c14a4..a6429aa40d 100755 --- a/members/maninvoice.pl +++ b/members/maninvoice.pl @@ -32,6 +32,7 @@ use C4::Members; use C4::Accounts; use C4::Items; use C4::Members::Attributes qw(GetBorrowerAttributes); +use Koha::Token; use Koha::Patrons; @@ -50,6 +51,11 @@ unless ( $patron ) { my $add=$input->param('add'); if ($add){ + die "Wrong CSRF token" + unless Koha::Token->new->check_csrf( { + session_id => $input->cookie('CGISESSID'), + token => scalar $input->param('csrf_token'), + }); if ( checkauth( $input, 0, $flagsrequired, 'intranet' ) ) { # print $input->header; my $barcode=$input->param('barcode'); @@ -75,6 +81,7 @@ if ($add){ if ( $error =~ /FOREIGN KEY/ && $error =~ /itemnumber/ ) { $template->param( 'ITEMNUMBER' => 1 ); } + $template->param( csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $input->cookie('CGISESSID') }) ); $template->param( 'ERROR' => $error ); output_html_with_http_headers $input, $cookie, $template->output; } else { @@ -123,6 +130,7 @@ if ($add){ $template->param(%{ $patron->unblessed }); $template->param( + csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $input->cookie('CGISESSID') }), finesview => 1, borrowernumber => $borrowernumber, categoryname => $patron->category->description, -- 2.39.5