From f662781321de1d8af85b26d1361288413236868b Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Wed, 3 May 2017 13:00:54 -0300
Subject: [PATCH] FIX CSRF for opac-memberentry.pl
---
 .../bootstrap/en/modules/opac-memberentry.tt | 1 +
 opac/opac-memberentry.pl | 19 ++++++++++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-memberentry.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-memberentry.tt
index f8dc51264e..5ff762e4d6 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-memberentry.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-memberentry.tt
@@ -904,6 +904,7 @@ [% IF OPACPatronDetails %]
+
[% END %]
diff --git a/opac/opac-memberentry.pl b/opac/opac-memberentry.pl
index bb30a61405..17416c5a71 100755
--- a/opac/opac-memberentry.pl
+++ b/opac/opac-memberentry.pl
@@ -20,6 +20,7 @@ use Modern::Perl;
 use CGI qw ( -utf8 );
 use Digest::MD5 qw( md5_base64 md5_hex );
 use String::Random qw( random_string );
+
 use C4::Auth;
 use C4::Output;
 use C4::Members;
@@ -31,6 +32,7 @@ use C4::Scrubber;
 use Email::Valid;
 use Koha::DateUtils;
 use Koha::Patron::Images;
+use Koha::Token;
 
 my $cgi = new CGI;
 my $dbh = C4::Context->dbh;
@@ -179,6 +181,12 @@ if ( $action eq 'create' ) {
 elsif ( $action eq 'update' ) {
 my $borrower = GetMember( borrowernumber => $borrowernumber );
 
+ die "Wrong CSRF token"
+ unless Koha::Token->new->check_csrf({
+ session_id => scalar $cgi->cookie('CGISESSID'),
+ token => scalar $cgi->param('csrf_token'),
+ });
+
 my %borrower = ParseCgiForBorrower($cgi);
 my %borrower_changes = DelEmptyFields(%borrower);
 
@@ -193,7 +201,10 @@ elsif ( $action eq 'update' ) {
 $template->param(
 empty_mandatory_fields => \@empty_mandatory_fields,
 invalid_form_fields => $invalidformfields,
- borrower => \%borrower
+ borrower => \%borrower,
+ csrf_token => Koha::Token->new->generate_csrf({
+ session_id => scalar $cgi->cookie('CGISESSID'),
+ }),
 );
 
 $template->param( action => 'edit' );
@@ -225,6 +236,9 @@ elsif ( $action eq 'update' ) {
 action => 'edit',
 nochanges => 1,
 borrower => GetMember( borrowernumber => $borrowernumber ),
+ csrf_token => Koha::Token->new->generate_csrf({
+ session_id => scalar $cgi->cookie('CGISESSID'),
+ }),
 );
 }
 }
@@ -244,6 +258,9 @@ elsif ( $action eq 'edit' ) { #Display logged in borrower's data
 borrower => $borrower,
 guarantor => scalar Koha::Patrons->find($borrowernumber)->guarantor(),
 hidden => GetHiddenFields( $mandatory, 'modification' ),
+ csrf_token => Koha::Token->new->generate_csrf({
+ session_id => scalar $cgi->cookie('CGISESSID'),
+ }),
 );
 
 if (C4::Context->preference('OPACpatronimages')) {
-- 2.39.5
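Review bot: The failure branch of the new check in the `@@ -179` hunk, `die "Wrong CSRF token"`, ends the CGI request with an uncaught exception, so a patron submitting with a missing or stale token gets the web server's generic error output instead of an OPAC page; re-rendering the edit form with an error flag and a freshly generated token would fail more gracefully and would also be easier to log and monitor consistently. The check is added only to the `update` branch; the `create` branch named in the hunk header starts outside this hunk, so whether the self-registration submission also needs a token cannot be judged here and is worth confirming. `scalar $cgi->cookie('CGISESSID')` is undef when the cookie is absent, and it is not visible in the hunk whether `check_csrf` treats an undefined `session_id` as a mismatch rather than, say, skipping the comparison — a short comment stating the expected behaviour, `# check_csrf must reject an undef session_id; confirmed in Koha::Token`, would make that contract explicit once verified. The enclosing `elsif ( $action eq 'update' )` block continues past the end of the hunk.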
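Review bot: The expression `Koha::Token->new->generate_csrf({ session_id => scalar $cgi->cookie('CGISESSID') })` is written out in full in the `@@ -193` hunk and again, verbatim, in the `@@ -225` and `@@ -244` hunks, and the same cookie lookup is repeated inside the `check_csrf` call in the `@@ -179` hunk. A single `my $session_id = scalar $cgi->cookie('CGISESSID');` next to `my $cgi = new CGI;` would give every call one source of truth for the session identifier, and, if generating a token on every request path is acceptable, a single `my $csrf_token = Koha::Token->new->generate_csrf({ session_id => $session_id });` could then be passed as `csrf_token => $csrf_token` in each `$template->param` call. That keeps the four copies from drifting apart when the token parameters change later.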