From d6f99f0df11e824353fa051b595b01bf8b4ac28d Mon Sep 17 00:00:00 2001 From: Nick Clemens Date: Thu, 3 May 2018 11:52:24 +0000 Subject: [PATCH] Bug 20701: Add csrf protection to maninvoice.pl TO test: 1 - Be signed in to Koha 2 - Add a manual invoice to an account, works fine 3 - Now do it via url: http://localhost:8081/cgi-bin/koha/members/maninvoice.pl?borrowernumber=5&type=test&amount=5&add=Save 4 - Apply patches 5 - Test that everything continues to work as expected (but more securely) 6 - Try adding a new invoice via URL 7 - Should get 'internal server error' and wrong csrf token in logs Signed-off-by: Jonathan Druart --- .../intranet-tmpl/prog/en/modules/members/maninvoice.tt | 1 + members/maninvoice.pl | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/maninvoice.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/maninvoice.tt index 7aedf4454c..2e139f7c1c 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/maninvoice.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/maninvoice.tt @@ -36,6 +36,7 @@ [% END %] [% ELSE %]
+
Manual invoice
    diff --git a/members/maninvoice.pl b/members/maninvoice.pl index 84ed122ade..f210a85d4b 100755 --- a/members/maninvoice.pl +++ b/members/maninvoice.pl @@ -31,6 +31,7 @@ use C4::Members; use C4::Accounts; use C4::Items; use C4::Members::Attributes qw(GetBorrowerAttributes); +use Koha::Token; use Koha::Patrons; @@ -50,6 +51,11 @@ unless ( $patron ) { my $add=$input->param('add'); if ($add){ if ( checkauth( $input, 0, $flagsrequired, 'intranet' ) ) { + die "Wrong CSRF token" + unless Koha::Token->new->check_csrf( { + session_id => scalar $input->cookie('CGISESSID'), + token => scalar $input->param('csrf_token'), + }); # Note: If the logged in user is not allowed to see this patron an invoice can be forced # Here we are trusting librarians not to hack the system my $barcode=$input->param('barcode'); @@ -75,6 +81,7 @@ if ($add){ if ( $error =~ /FOREIGN KEY/ && $error =~ /itemnumber/ ) { $template->param( 'ITEMNUMBER' => 1 ); } + $template->param( csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $input->cookie('CGISESSID') }) ); $template->param( 'ERROR' => $error ); output_html_with_http_headers $input, $cookie, $template->output; } else { @@ -122,6 +129,7 @@ if ($add){ } $template->param( + csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $input->cookie('CGISESSID') }), patron => $patron, finesview => 1, ); -- 2.39.5