From aa3a2943f67fc6227ce90713cc2f05081e8b91f3 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Thu, 3 May 2018 09:09:19 -0300 Subject: [PATCH] Bug 20701: Add csrf protection to mancredit.pl Signed-off-by: Jonathan Druart --- .../prog/en/modules/members/mancredit.tt | 1 + members/mancredit.pl | 18 ++++++++++++++---- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/mancredit.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/mancredit.tt index 857eeb8cf7..305910f0da 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/mancredit.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/mancredit.tt @@ -32,6 +32,7 @@
+
Manual credit
    diff --git a/members/mancredit.pl b/members/mancredit.pl index 557f517b96..0e8ac3e637 100755 --- a/members/mancredit.pl +++ b/members/mancredit.pl @@ -35,6 +35,7 @@ use C4::Members::Attributes qw(GetBorrowerAttributes); use Koha::Patrons; use Koha::Patron::Categories; +use Koha::Token; my $input=new CGI; my $flagsrequired = { borrowers => 'edit_borrowers', updatecharges => 1 }; @@ -50,6 +51,13 @@ my $add=$input->param('add'); if ($add){ if ( checkauth( $input, 0, $flagsrequired, 'intranet' ) ) { + + die "Wrong CSRF token" + unless Koha::Token->new->check_csrf( { + session_id => scalar $input->cookie('CGISESSID'), + token => scalar $input->param('csrf_token'), + }); + # Note: If the logged in user is not allowed to see this patron an invoice can be forced # Here we are trusting librarians not to hack the system my $barcode = $input->param('barcode'); @@ -93,10 +101,12 @@ if ($add){ ); } - $template->param( patron => $patron ); - $template->param( - finesview => 1, - ); + patron => $patron, + finesview => 1, + csrf_token => Koha::Token->new->generate_csrf( + { session_id => scalar $input->cookie('CGISESSID') } + ), + ); output_html_with_http_headers $input, $cookie, $template->output; } -- 2.39.5
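Review bot: The new `die "Wrong CSRF token" unless Koha::Token->new->check_csrf(...)` block in the `@@ -50,6 +51,13 @@` hunk has no comment saying why it sits exactly there, and the placement is the security-relevant part: it runs only on the `$add` path and only after `checkauth` has succeeded, so the session cookie it compares against is an authenticated one. I would add `# Reject cross-site requests: the token must match the one issued for this session` above the `die`. Using `scalar` on both `$input->cookie(...)` and `$input->param(...)` inside the hash constructor is correct, since a list-context `param` could inject extra key/value pairs. Note that an uncaught `die` here surfaces as a server error rather than a handled response; that matches what I understand other intranet scripts do, but I have not verified it from this hunk. The enclosing `if ($add)` block continues outside the hunk.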
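Review bot: In the `@@ -93,10 +101,12 @@` hunk the added lines start at `+        patron => $patron,` with no `+    $template->param(` before them, so as rendered the new side is a bare list of key/value pairs that would not compile; the header counts (four removed, six added) are consistent with that line genuinely being absent rather than lost in rendering, but this should be checked against the applied patch. If it is missing, the fix is the single line `$template->param(` inserted before `patron => $patron,`. Separately, `generate_csrf` is keyed on `scalar $input->cookie('CGISESSID')`, the same value `check_csrf` reads in the earlier hunk; if a request reaches this point without that cookie both sides see `undef`, which presumably cannot happen after the auth check but is worth a short comment such as `# token is bound to the CGISESSID session the check above compares against`.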