From b35dd15a4a64cc13e4c7c9c24e32a56f4cd43c66 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Wed, 19 Aug 2015 15:42:10 +0100
Subject: [PATCH] Bug 14566: Fix permissions in patronimage.pl
There is no permission needed to access the patronimage.pl script. This means anybody cans access to the patron's images. Test plan: Add an image to borrowernumber 42 and call /cgi-bin/koha/members/patronimage.pl?borrowernumber=42 If you are logged in with borrowers permissions, you will see the image, otherwise you will get a blank page with a 403 header.
Signed-off-by: Indranil Das Gupta (L2C2 Technologies)
Signed-off-by: Katrin Fischer
Signed-off-by: Tomas Cohen Arazi
---
 members/patronimage.pl | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/members/patronimage.pl b/members/patronimage.pl
index 1218ae463e..eb4dc88db0 100755
--- a/members/patronimage.pl
+++ b/members/patronimage.pl
@@ -20,17 +20,17 @@
 #
 #
-use strict;
-use warnings;
+use Modern::Perl;
-use CGI qw ( -utf8 ); #qw(:standard escapeHTML);
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_api_auth );
 use C4::Context;
 use C4::Members;
 $|=1;
 my $DEBUG = 0;
-my $data = new CGI;
+my $query = new CGI;
 my $borrowernumber;
 =head1 NAME
@@ -47,8 +47,17 @@ This script, when called from within HTML and passed a valid patron borrowernumb
 =cut
-if ($data->param('borrowernumber')) {
- $borrowernumber = $data->param('borrowernumber');
+my ($status, $cookie, $sessionID) = check_api_auth($query, { borrowers => 1} );
+
+unless ( $status eq 'ok' ) {
+ print $query->header(-type => 'text/plain', -status => '403 Forbidden');
+ exit 0;
+}
+
+
+
+if ($query->param('borrowernumber')) {
+ $borrowernumber = $query->param('borrowernumber');
 } else {
 $borrowernumber = shift;
 }
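Review bot: After the new `check_api_auth` gate, `$borrowernumber` is still taken verbatim from `$query->param('borrowernumber')` (or from `shift`) and is never checked to be an integer before it reaches the image lookup that presumably follows and the interpolated `warn "No image exists for $borrowernumber"` in the next hunk; an anchored guard placed right after the if/else, `$borrowernumber =~ m{\A\d+\z}xms or do { print $query->header(-type => 'text/plain', -status => '400 Bad Request'); exit 0; };`, would reject malformed values in the same plain-text style as the 403 path. Only `$status` from `check_api_auth($query, { borrowers => 1} )` is used, so `my ($status) = check_api_auth($query, { borrowers => 1 });` states the intent and avoids two unused lexicals. The rename to `$query` keeps the indirect-object form `new CGI`; `my $query = CGI->new;` is the form perlcritic accepts. The three consecutive blank `+` lines after the `unless` block could be collapsed to one.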
@@ -67,7 +76,7 @@ if ($dberror) {
 # things will result... you have been warned!
 if ($imagedata) {
- print $data->header (-type => $imagedata->{'mimetype'}, -'Cache-Control' => 'no-store', -Content_Length => length ($imagedata->{'imagefile'})), $imagedata->{'imagefile'};
+ print $query->header (-type => $imagedata->{'mimetype'}, -'Cache-Control' => 'no-store', -Content_Length => length ($imagedata->{'imagefile'})), $imagedata->{'imagefile'};
 exit;
 } else {
 warn "No image exists for $borrowernumber";
--
2.20.1