From 6f5e2f8a865ebe07d4745171dda86c2cbb0e6fe1 Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Fri, 12 Aug 2016 11:36:06 +0100
Subject: [PATCH] Bug 17116: Fix CSRF in import_borrowers.pl

If an attacker can get an authenticated Koha user to visit their page
with the url below, they can change patrons' information

The exploit can be simulated triggering
  /tools/import_borrowers.pl?uploadborrowers=42

In that case it won't do anything wrong, but it you POST a valid file,
it could.

Test plan:
Trigger the url above
=> Without this patch, you will the result page
=> With this patch, you will get the "Wrong CSRF token" error.

Regression test:
Import a valid file from the import patron form, everything should go
fine.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
---
 .../prog/en/modules/tools/import_borrowers.tt  |  5 ++++-
 tools/import_borrowers.pl                      | 18 ++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/import_borrowers.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/import_borrowers.tt
index d9f25db0c1..4e708c53c4 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/import_borrowers.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/import_borrowers.tt
@@ -191,7 +191,10 @@
     </ol>
     </fieldset>
     [% END %]
-	<fieldset class="action"><input type="submit" value="Import" /></fieldset>
+    <fieldset class="action">
+        <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
+        <input type="submit" value="Import" />
+    </fieldset>
 </form>
 [% END %]
 </div>
diff --git a/tools/import_borrowers.pl b/tools/import_borrowers.pl
index e1754e6efe..d350a7f297 100755
--- a/tools/import_borrowers.pl
+++ b/tools/import_borrowers.pl
@@ -50,6 +50,7 @@ use C4::Templates;
 use Koha::Patron::Debarments;
 use Koha::Patrons;
 use Koha::DateUtils;
+use Koha::Token;
 
 use Text::CSV;
 # Text::CSV::Unicode, even in binary mode, fails to parse lines with these diacriticals:
@@ -58,6 +59,7 @@ use Text::CSV;
 
 use CGI qw ( -utf8 );
 # use encoding 'utf8';    # don't do this
+use Digest::MD5 qw(md5_base64);
 
 my (@errors, @feedback);
 my $extended = C4::Context->preference('ExtendedPatronAttributes');
@@ -110,6 +112,13 @@ my $overwrite_cardnumber = $input->param('overwrite_cardnumber');
 $template->param( SCRIPT_NAME => '/cgi-bin/koha/tools/import_borrowers.pl' );
 
 if ( $uploadborrowers && length($uploadborrowers) > 0 ) {
+    die "Wrong CSRF token"
+        unless Koha::Token->new->check_csrf({
+            id     => C4::Context->userenv->{id},
+            secret => md5_base64( C4::Context->config('pass') ),
+            token  => scalar $input->param('csrf_token'),
+        });
+
     push @feedback, {feedback=>1, name=>'filename', value=>$uploadborrowers, filename=>$uploadborrowers};
     my $handle = $input->upload('uploadborrowers');
     my $uploadinfo = $input->uploadInfo($uploadborrowers);
@@ -381,6 +390,15 @@ if ( $uploadborrowers && length($uploadborrowers) > 0 ) {
         }
         $template->param(matchpoints => \@matchpoints);
     }
+
+    $template->param(
+        csrf_token => Koha::Token->new->generate_csrf(
+            {   id     => C4::Context->userenv->{id},
+                secret => md5_base64( C4::Context->config('pass') ),
+            }
+        ),
+    );
+
 }
 
 output_html_with_http_headers $input, $cookie, $template->output;
-- 
2.39.5