From 649bfe1ee2dc4825d44e7d9d200e8a21f8d8d430 Mon Sep 17 00:00:00 2001 From: David Cook Date: Mon, 17 Feb 2020 06:50:49 +0000 Subject: [PATCH] Bug 24673: Add CSRF token support to opac-messaging.pl This patch adds CSRF token support to opac-messaging.pl, which allows users to manually update their messaging preferences, but prevents bad actors from tricking people into updating their preferences from cross-site requests. Test plan: 0. Set SMSSendDriver global system preference to "Test" if unset 1. Log into the OPAC 2. Navigate to a URL in your browser like the following: http://localhost:8080/cgi-bin/koha/opac-messaging.pl?modify=yes &1=email&digest=1&2-DAYS=5&2=email&digest=2&4=email&SMSnumber=0444444444 3. Observe that the preference and SMS number update 4. Apply the patch 5. Navigate to a URL in your browser like the following: http://localhost:8080/cgi-bin/koha/opac-messaging.pl?modify=yes &1=email&digest=1&2-DAYS=5&2=email&digest=2&4=email&SMSnumber=0444444444 6. Observe that you get an error message of "Wrong CSRF token" instead of the previous behaviour 7. Navigate to a URL in your browser like the following: http://localhost:8080/cgi-bin/koha/opac-messaging.pl 8. Update "Advance notice" to 3 and update "SMS number" to 61111111111 9. Observe that the "Advance notice" and "SMS number" fields update correctly Signed-off-by: Jonathan Druart Signed-off-by: Martin Renvoize --- .../bootstrap/en/modules/opac-messaging.tt | 1 + opac/opac-messaging.pl | 13 +++++++++++++ 2 files changed, 14 insertions(+) diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-messaging.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-messaging.tt index 3d25f5372f..7fd4786503 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-messaging.tt +++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-messaging.tt @@ -29,6 +29,7 @@

Settings updated

[% END %]
+ diff --git a/opac/opac-messaging.pl b/opac/opac-messaging.pl index 496c2addec..210f9446c0 100755 --- a/opac/opac-messaging.pl +++ b/opac/opac-messaging.pl @@ -31,6 +31,7 @@ use C4::Members::Messaging; use C4::Form::MessagingPreferences; use Koha::Patrons; use Koha::SMS::Providers; +use Koha::Token; my $query = CGI->new(); @@ -55,6 +56,11 @@ my $patron = Koha::Patrons->find( $borrowernumber ); # FIXME and if borrowernumb my $messaging_options = C4::Members::Messaging::GetMessagingOptions(); if ( defined $query->param('modify') && $query->param('modify') eq 'yes' ) { + die "Wrong CSRF token" unless Koha::Token->new->check_csrf({ + session_id => scalar $query->cookie('CGISESSID'), + token => scalar $query->param('csrf_token'), + }); + my $sms = $query->param('SMSnumber'); my $sms_provider_id = $query->param('sms_provider_id'); $patron->set({ @@ -78,4 +84,11 @@ if ( C4::Context->preference("SMSSendDriver") eq 'Email' ) { $template->param( sms_providers => \@providers, sms_provider_id => $patron->sms_provider_id ); } +my $new_session_id = $cookie->value; +$template->param( + csrf_token => Koha::Token->new->generate_csrf({ + session_id => $new_session_id, + }), +); + output_html_with_http_headers $query, $cookie, $template->output, undef, { force_no_caching => 1 }; -- 2.39.5