From 5a7dc0749f581e4c4bc6ec68d3f3ab6bac12afd5 Mon Sep 17 00:00:00 2001
From: Marcel de Rooy
Date: Tue, 7 Feb 2017 09:09:33 +0100
Subject: [PATCH] Bug 18019: Add CSRF protection to authorities-home.pl (op==delete)

Without this patch, it is possible to delete authority records with URL manipulation.
Like: /cgi-bin/koha/authorities/authorities-home.pl?op=delete&authid=[XXX]

Test plan:
[1] Go to Authorities. Search for some authorities (without links).
[2] Delete an authority. Should work.
[3] Apply patch.
[4] Construct an URL like above to delete another authority. Should fail. Under Plack this results in an internal server error, the log tells you: Wrong CSRF token.

Signed-off-by: Marcel de Rooy
Signed-off-by: Nick Clemens
Amended the test plan.
Signed-off-by: Jonathan Druart
Signed-off-by: Kyle M Hall
---
 authorities/authorities-home.pl | 13 +++++++++++++
 .../prog/en/modules/authorities/searchresultlist.tt | 3 ++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/authorities/authorities-home.pl b/authorities/authorities-home.pl
index 6e0a8fe88d..9b3a55e2c7 100755
--- a/authorities/authorities-home.pl
+++ b/authorities/authorities-home.pl
@@ -36,6 +36,7 @@ use C4::Search::History;
 use Koha::Authority::Types;
 use Koha::SearchEngine::Search;
 use Koha::SearchEngine::QueryBuilder;
+use Koha::Token;
 my $query = new CGI;
 my $dbh = C4::Context->dbh;
@@ -58,6 +59,12 @@ if ( $op eq "delete" ) {
 debug => 1, } );
+
+ die "Wrong CSRF token" unless Koha::Token->new->check_csrf({ session_id => scalar $query->cookie('CGISESSID'), token => scalar $query->param('csrf_token'), });
+
 &DelAuthority( $authid, 1 );
 if ( $query->param('operator') ) {
@@ -111,6 +118,12 @@ if ( $op eq "do_search" ) {
 } );
+ $template->param( csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $query->cookie('CGISESSID'), }), );
+
 # search history
 if (C4::Context->preference('EnableSearchHistory')) { if ( $startfrom == 1) {
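Review bot: The new check still takes the token from a GET query string (`$query->param('csrf_token')`, filled by the `&csrf_token=` URL that searchresultlist.tt builds in the second hunk), so the secret is written into browser history, Referer headers and web-server or proxy logs, where anyone who obtains it can forge exactly the delete this check is meant to stop. The server side needs no change to accept a POST instead, since CGI.pm's param() also returns body parameters, so the template's confirm_deletion() should submit a form rather than navigate to a URL. Separately, `die "Wrong CSRF token"` surfaces as a 500 under Plack, as the commit message itself notes; a failed CSRF check is a client error and is better answered with a 403 so it is not mistaken for a server fault, as in the rewrite below (`$query` is the CGI object created in the first hunk; if the project has a preferred output helper for error responses, use that in place of the raw header call). The `if ( $op eq "delete" )` block and the call that ends at `debug => 1, } );` both start before this hunk.
```perl
# … unchanged: get_template_and_user( { … debug => 1 } ) …
unless ( Koha::Token->new->check_csrf({
    session_id => scalar $query->cookie('CGISESSID'),
    token      => scalar $query->param('csrf_token'),
}) ) {
    # A bad or missing token is a client-side forgery attempt, not a server
    # fault: answer 403 rather than letting die() turn it into a 500.
    print $query->header( -status => '403 Forbidden', -type => 'text/plain' );
    print "Wrong CSRF token\n";
    exit;
}
&DelAuthority( $authid, 1 );
```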
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/searchresultlist.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/searchresultlist.tt
index 563c44e721..76e45895fa 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/searchresultlist.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/searchresultlist.tt
@@ -19,7 +19,8 @@ function confirm_deletion(id) {
 + "&orderby=[% orderby %]"
 + "&value=[% value |url %]"
 + "&startfrom=[% startfrom %]"
- + "&resultsperpage=[% resultsperpage %]";
+ + "&resultsperpage=[% resultsperpage %]"
+ + "&csrf_token=[% csrf_token %]";
 }
 }
-- 
2.39.5
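Review bot: `csrf_token` is interpolated into the delete URL with no filter, while the neighbouring `value` parameter two lines above uses `|url`; if the token Koha::Token generates can contain URL-reserved characters such as `+`, `/` or `=` (not visible in this diff), the bare interpolation corrupts it on the way back (`+` decodes to a space) and check_csrf rejects every legitimate delete. Use the same filter, `+ "&csrf_token=[% csrf_token |url %]";`, which also keeps a stray quote from breaking the surrounding JavaScript string literal. More fundamentally this keeps delete as a GET with the token in the query string, where it is recorded in browser history, Referer headers and access logs; having confirm_deletion() submit a small POST form with a hidden `csrf_token` field would remove that exposure without changing the server-side check. The confirm_deletion() function starts before this hunk.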