git.koha-community.org Git - koha.git/commit
Bug 17146: Fix CSRF in picture-upload.pl
author    Jonathan Druart <jonathan.druart@bugs.koha-community.org>
          Thu, 18 Aug 2016 14:52:38 +0000 (15:52 +0100)
committer Mason James <mtj@kohaaloha.com>
          Wed, 3 May 2017 02:35:48 +0000 (14:35 +1200)
commit    8aa1e40953960adfdc3d8cbde76f61903846d99c
tree      712a823492a8c20abe10285e11277fd1c7f1d32c
parent    e1a72e9d21a1fab90257b5fde4579e2b6c6a6ee9
Bug 17146: Fix CSRF in picture-upload.pl

If an attacker can get an authenticated Koha user to visit their page with the
URL below, they can change or delete patrons' images:
/tools/picture-upload.pl?op=Delete&borrowernumber=42

Test plan:
1/ Hit /tools/picture-upload.pl?op=Delete&borrowernumber=42
And confirm that you get a "Wrong CSRF token" error
2/ Go on the patron detail page with a patron's image
3/ Click on the Delete link (note the csrf_token param)
4/ The image will be deleted and you are redirected to the patron detail
page.

Regression tests:
Upload an image from the patron detail page and from the "upload patron
images" tool.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Mason James <mtj@kohaaloha.com>
koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt
koha-tmpl/intranet-tmpl/prog/en/modules/tools/picture-upload.tt
members/moremember.pl
tools/picture-upload.pl
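The check the test plan describes, shown as an added illustration (this is not Koha's own code or its token module): a token bound to the logged-in session that the Delete link must carry, so a bare `op=Delete&borrowernumber=42` request produced by a forged link is refused with the "Wrong CSRF token" error, while the same request carrying the token minted for the current session deletes the image. The server secret, session ids and the image store are constructed stand-ins.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed server-side secret; a real deployment keeps it out of the source.
SERVER_SECRET = b"constructed-secret-not-kohas"


def generate_csrf(session_id: str) -> str:
    """Mint a token bound to the logged-in session (HMAC over the session id).

    A third-party page can make the victim's browser send the request, but it
    cannot read the victim's session or compute this value, so a forged link
    such as /tools/picture-upload.pl?op=Delete&borrowernumber=42 lacks it.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_csrf(session_id: str, token: Optional[str]) -> bool:
    """Constant-time comparison against the token expected for this session."""
    if not token:
        return False
    return hmac.compare_digest(generate_csrf(session_id), token)


def handle_picture_upload(url: str, session_id: str, images: dict) -> str:
    """Model of the state-changing branch of picture-upload.pl.

    `images` maps borrowernumber -> image bytes (constructed stand-in for the
    patron image store). Only a request whose csrf_token matches the caller's
    own session is allowed to delete an image.
    """
    params = parse_qs(urlparse(url).query)
    op = params.get("op", [None])[0]
    if op != "Delete":
        return "no-op"
    if not check_csrf(session_id, params.get("csrf_token", [None])[0]):
        return "Wrong CSRF token"  # the error the test plan expects in step 1
    borrowernumber = params.get("borrowernumber", [None])[0]
    images.pop(borrowernumber, None)
    return f"deleted:{borrowernumber}"  # caller then redirects to the patron page
```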