git.koha-community.org Git - koha.git/commit

Bug 17097: Fix CSRF in deletemem.pl

If an attacker can get an authenticated Koha user to visit their page
with the url below, they can delete patrons details.

/members/deletemem.pl?member=42

Test plan:

0/ Do not apply any patches
1/ Adapt and hit the url above
=> The patron will be deleted without confirmation
2/ Apply first patch
3/ Hit the url
=> you will get a confirmation page
4/ Hit /members/deletemem.pl?member=42&delete_confirmed=1
=> The patron will be deleted without confirmation
5/ Apply the second patch (this one)
6/ Hit /members/deletemem.pl?member=42&delete_confirmed=1
=> you will get a crash "Wrong CSRF token" (no need to stylish)
7/ Delete a patron from the detail page and confirm the deletion
=> you will be redirected to the patron module home page and the patron
has been deleted

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Mason James <mtj@kohaaloha.com>

author	Jonathan Druart <jonathan.druart@bugs.koha-community.org>
	Tue, 9 Aug 2016 21:29:25 +0000 (22:29 +0100)
committer	Mason James <mtj@kohaaloha.com>
	Wed, 3 May 2017 02:01:26 +0000 (14:01 +1200)
commit	08ec3cd0d0aedd3996938e1fb55d7ae855278d7a
tree	6314529a2f52b60459c6a2a22bb1cf8081344840	tree \| snapshot
parent	a0b7acfae15efb6bf120a8b62daf55eff72b56a0	commit \| diff

koha-tmpl/intranet-tmpl/prog/en/modules/members/deletemem.tt		diff \| blob \| history
members/deletemem.pl		diff \| blob \| history