From dd93d0c662f6a6c0cf2abe236559b30e99f039c4 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Thu, 26 May 2016 11:52:19 +0100 Subject: [PATCH] Bug 16593: Do not allow patrons to delete search history of others patrons A malicious user can delete the search history of all other users by correctly guessing the ID value assigned to the victim's search. As searches are assigned values sequentially, an attacker could quickly remove the searches belonging to all of the application's users. To reproduce: Login with patron A launch a search Note the id generated for this search history: select id from search_history order by id desc limit 1; Login with patron B Hit /cgi-bin/koha/opac-search-history.pl?action=delete&id= Note that the row is deleted in the DB Test plan Confirm that this patch fixes the issue. The same test can be made at the staff interface Reported by Alex Middleton at Dionach Signed-off-by: Chris Cormack Signed-off-by: Kyle M Hall Signed-off-by: Chris Cormack --- catalogue/search-history.pl | 3 ++- opac/opac-search-history.pl | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/catalogue/search-history.pl b/catalogue/search-history.pl index e60f20ba34..6b7a18eb34 100755 --- a/catalogue/search-history.pl +++ b/catalogue/search-history.pl @@ -46,7 +46,8 @@ if ( $action eq 'delete' ) { : q{}; C4::Search::History::delete( { - id => [ $cgi->param('id') ], + userid => $loggedinuser, + id => [ $cgi->param('id') ], } ); # Redirecting to this same url so the user won't see the search history link in the header diff --git a/opac/opac-search-history.pl b/opac/opac-search-history.pl index 7df51d90ec..185292e526 100755 --- a/opac/opac-search-history.pl +++ b/opac/opac-search-history.pl @@ -104,7 +104,8 @@ unless ( $loggedinuser ) { if ( @id ) { C4::Search::History::delete( { - id => [ $cgi->param('id') ], + userid => $loggedinuser, + id => [ $cgi->param('id') ], } ); } else { -- 2.39.5