git.koha-community.org Git - koha.git/commit

Bug 17097: Fix CSRF in deletemem.pl

If an attacker can get an authenticated Koha user to visit their page
with the url below, they can delete patrons details.

/members/deletemem.pl?member=42

Test plan:

0/ Do not apply any patches
1/ Adapt and hit the url above
=> The patron will be deleted without confirmation
2/ Apply first patch
3/ Hit the url
=> you will get a confirmation page
4/ Hit /members/deletemem.pl?member=42&delete_confirmed=1
=> The patron will be deleted without confirmation
5/ Apply the second patch (this one)
6/ Hit /members/deletemem.pl?member=42&delete_confirmed=1
=> you will get a crash "Wrong CSRF token" (no need to stylish)
7/ Delete a patron from the detail page and confirm the deletion
=> you will be redirected to the patron module home page and the patron
has been deleted

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

author	Jonathan Druart <jonathan.druart@bugs.koha-community.org>
	Tue, 9 Aug 2016 21:29:25 +0000 (22:29 +0100)
committer	Kyle M Hall <kyle@bywatersolutions.com>
	Thu, 18 Aug 2016 15:55:24 +0000 (15:55 +0000)
commit	fcf38896bd738767c3a9c4c1e8909a199f480a30
tree	12104ce6385f0f33df6ced3a3f62690576c2f466	tree \| snapshot
parent	13a61279523b35370f7b3adeb0f47ad30bfa937d	commit \| diff

koha-tmpl/intranet-tmpl/prog/en/modules/members/deletemem.tt		diff \| blob \| history
members/deletemem.pl		diff \| blob \| history