From cce493764a9ec4cfba2557731cbb452c1b3e07a2 Mon Sep 17 00:00:00 2001
From: Nick Clemens <nick@bywatersolutions.com>
Date: Thu, 3 May 2018 11:52:24 +0000
Subject: [PATCH] Bug 20701: Add csrf protection to maninvoice.pl

TO test:
1 - Be signed in to Koha
2 - Add a manual invoice to an account, works fine
3 - Now do it via url: http://localhost:8081/cgi-bin/koha/members/maninvoice.pl?borrowernumber=5&type=test&amount=5&add=Save
4 - Apply patches
5 - Test that everything continues to work as expected (but more securely)
6 - Try adding a new invoice via URL
7 - Should get 'internal server error' and wrong csrf token in logs

Works OK.

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
(cherry picked from commit 730d1fd57d982735522b3c7c1bc4d421255c2107)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
---
 .../intranet-tmpl/prog/en/modules/members/maninvoice.tt   | 1 +
 members/maninvoice.pl                                     | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/maninvoice.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/maninvoice.tt
index 8fc1f68a59..77778ee1e4 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/maninvoice.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/maninvoice.tt
@@ -48,6 +48,7 @@ $(document).ready(function(){
 [% END %]
 [% ELSE %]
 <form action="/cgi-bin/koha/members/maninvoice.pl" method="post" id="maninvoice"><input type="hidden" name="borrowernumber" id="borrowernumber" value="[% borrowernumber %]" />
+    <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
 	<fieldset class="rows">
 	<legend>Manual invoice</legend>
 	<ol>
diff --git a/members/maninvoice.pl b/members/maninvoice.pl
index 3f49598e0e..7f79e55f79 100755
--- a/members/maninvoice.pl
+++ b/members/maninvoice.pl
@@ -33,6 +33,7 @@ use C4::Accounts;
 use C4::Items;
 use C4::Members::Attributes qw(GetBorrowerAttributes);
 use Koha::Patron::Images;
+use Koha::Token;
 
 use Koha::Patron::Categories;
 
@@ -46,6 +47,11 @@ my $borrowernumber=$input->param('borrowernumber');
 my $data=GetMember('borrowernumber'=>$borrowernumber);
 my $add=$input->param('add');
 if ($add){
+    die "Wrong CSRF token"
+        unless Koha::Token->new->check_csrf( {
+            session_id => $input->cookie('CGISESSID'),
+            token => scalar $input->param('csrf_token'),
+        });
     if ( checkauth( $input, 0, $flagsrequired, 'intranet' ) ) {
         #  print $input->header;
         my $barcode=$input->param('barcode');
@@ -71,6 +77,7 @@ if ($add){
             if ( $error =~ /FOREIGN KEY/ && $error =~ /itemnumber/ ) {
                 $template->param( 'ITEMNUMBER' => 1 );
             }
+            $template->param( csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $input->cookie('CGISESSID') }) );
             $template->param( 'ERROR' => $error );
             output_html_with_http_headers $input, $cookie, $template->output;
         } else {
@@ -120,6 +127,7 @@ if ($add){
 
     $template->param(%$data);
     $template->param(
+        csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $input->cookie('CGISESSID') }),
         finesview      => 1,
         borrowernumber => $borrowernumber,
         categoryname   => $data->{'description'},
-- 
2.39.5