Bug 16800: Fix XSS in catalogue/*detail.tt - title

[koha.git] / members / member-password.pl

diff --git a/members/member-password.pl b/members/member-password.pl
index 85e4b97..d2255f8 100755 (executable)
--- a/members/member-password.pl
+++ b/members/member-password.pl
@@ -12,11 +12,13 @@ use Koha::AuthUtils;
 use C4::Output;
 use C4::Context;
 use C4::Members;
-use C4::Branch;
 use C4::Circulation;
 use CGI qw ( -utf8 );
 use C4::Members::Attributes qw(GetBorrowerAttributes);
 use Koha::Patron::Images;
+use Koha::Token;
+
+use Koha::Patron::Categories;
 
 use Digest::MD5 qw(md5_base64);
 
@@ -63,10 +65,18 @@ my $minpw = C4::Context->preference('minPasswordLength');
 push( @errors, 'SHORTPASSWORD' ) if ( $newpassword && $minpw && ( length($newpassword) < $minpw ) );
 
 if ( $newpassword && !scalar(@errors) ) {
-    my $digest = Koha::AuthUtils::hash_password( $input->param('newpassword') );
-    my $uid    = $input->param('newuserid');
+
+    die "Wrong CSRF token"
+        unless Koha::Token->new->check_csrf({
+            id     => C4::Context->userenv->{id},
+            secret => md5_base64( C4::Context->config('pass') ),
+            token  => scalar $input->param('csrf_token'),
+        });
+
+    my $digest = Koha::AuthUtils::hash_password( scalar $input->param('newpassword') );
+    my $uid    = $input->param('newuserid') || $bor->{userid};
     my $dbh    = C4::Context->dbh;
-    if ( changepassword( $uid, $member, $digest ) ) {
+    if ( Koha::Patrons->find( $member )->update_password($uid, $digest) ) {
         $template->param( newpassword => $newpassword );
         if ( $destination eq 'circ' ) {
             print $input->redirect("/cgi-bin/koha/circ/circulation.pl?findborrower=$cardnumber");
@@ -92,11 +102,10 @@ else {
     $template->param( defaultnewpassword => $defaultnewpassword );
 }
 
-if ( $bor->{'category_type'} eq 'C' ) {
-    my ( $catcodes, $labels ) = GetborCatFromCatType( 'A', 'WHERE category_type = ?' );
-    my $cnt = scalar(@$catcodes);
-    $template->param( 'CATCODE_MULTI' => 1 ) if $cnt > 1;
-    $template->param( 'catcode' => $catcodes->[0] ) if $cnt == 1;
+if ( $bor->{'category_type'} eq 'C') {
+    my $patron_categories = Koha::Patron::Categories->search_limited({ category_type => 'A' }, {order_by => ['categorycode']});
+    $template->param( 'CATCODE_MULTI' => 1) if $patron_categories->count > 1;
+    $template->param( 'catcode' => $patron_categories->next )  if $patron_categories->count == 1;
 }
 
 $template->param( adultborrower => 1 ) if ( $bor->{'category_type'} eq 'A' );
@@ -134,13 +143,16 @@ $template->param(
     email                      => $bor->{'email'},
     emailpro                   => $bor->{'emailpro'},
     branchcode                 => $bor->{'branchcode'},
-    branchname                 => GetBranchName( $bor->{'branchcode'} ),
     userid                     => $bor->{'userid'},
     destination                => $destination,
     is_child                   => ( $bor->{'category_type'} eq 'C' ),
     activeBorrowerRelationship => ( C4::Context->preference('borrowerRelationship') ne '' ),
     minPasswordLength          => $minpw,
     RoutingSerials             => C4::Context->preference('RoutingSerials'),
+    csrf_token                 => Koha::Token->new->generate_csrf({
+        id     => C4::Context->userenv->{id},
+        secret => md5_base64( C4::Context->config('pass') ),
+    }),
 );
 
 if ( scalar(@errors) ) {