From be2b61f9e510a3bca629e12422a4e3529a9e473d Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Mon, 5 Sep 2016 10:44:06 +0100
Subject: [PATCH] Bug 17146: Raise Wrong CSRF token warnin for the 'Delete' action

Signed-off-by: Marcel de Rooy
Signed-off-by: Kyle M Hall
---
 tools/picture-upload.pl | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/tools/picture-upload.pl b/tools/picture-upload.pl
index 6aeed8ace3..7e403bba71 100755
--- a/tools/picture-upload.pl
+++ b/tools/picture-upload.pl
@@ -173,6 +173,13 @@ elsif ( ( $op eq 'Upload' ) && !$uploadfile ) {
 $template->param( filetype => $filetype );
 }
 elsif ( $op eq 'Delete' ) {
+ die "Wrong CSRF token"
+ unless Koha::Token->new->check_csrf({
+ id => C4::Context->userenv->{id},
+ secret => md5_base64( C4::Context->config('pass') ),
+ token => scalar $input->param('csrf_token'),
+ });
+
 my $deleted = eval {
 Koha::Patron::Images->find( $borrowernumber )->delete;
 };
-- 
2.39.2
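Review bot: The `Delete` guard fails with a bare `die "Wrong CSRF token"`, so a rejected request most likely ends as a generic server error, and the log line carries no hint of which session was involved. I would record the context before failing, e.g. `warn "CSRF check failed: op=Delete user=" . C4::Context->userenv->{id};`, and return a forbidden-style error page instead of dying if the script has a path for that. Separately, the key is built inline as `md5_base64( C4::Context->config('pass') )`, which has to match whatever expression the token generator uses (not visible in this hunk). A shared helper for the secret would keep the two from drifting and would make it easier to stop using the database password as key material later. The commit adds no `use` lines, so `Koha::Token` and `md5_base64` are presumably already imported; the `elsif` chain starts above the hunk, and the rest of the `Delete` branch after the `eval` lies below it.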