Bug 17146: Raise Wrong CSRF token warnin for the 'Delete' action
authorJonathan Druart <jonathan.druart@bugs.koha-community.org>
Mon, 5 Sep 2016 09:44:06 +0000 (10:44 +0100)
committerKyle M Hall <kyle@bywatersolutions.com>
Thu, 15 Sep 2016 13:33:58 +0000 (13:33 +0000)
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
tools/picture-upload.pl

index 6aeed8a..7e403bb 100755 (executable)
@@ -173,6 +173,13 @@ elsif ( ( $op eq 'Upload' ) && !$uploadfile ) {
     $template->param( filetype   => $filetype );
 }
 elsif ( $op eq 'Delete' ) {
+    die "Wrong CSRF token"
+        unless Koha::Token->new->check_csrf({
+            id     => C4::Context->userenv->{id},
+            secret => md5_base64( C4::Context->config('pass') ),
+            token  => scalar $input->param('csrf_token'),
+        });
+
     my $deleted = eval {
         Koha::Patron::Images->find( $borrowernumber )->delete;
     };
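Review bot: The new check dereferences `C4::Context->userenv->{id}` with no guard, so if userenv is undefined when the 'Delete' branch is reached (a session that expired or was never authenticated; the hunk does not show whether an earlier auth call already gates this script) the request fails with an "undefined value as a HASH reference" error instead of the intended "Wrong CSRF token" message, which makes failed-CSRF events harder to tell apart in logs. A small rearrangement keeps the message deterministic: `my $userenv = C4::Context->userenv;` followed by `die "Wrong CSRF token" unless $userenv && Koha::Token->new->check_csrf({ id => $userenv->{id}, secret => md5_base64( C4::Context->config('pass') ), token => scalar $input->param('csrf_token') });`. The unqualified `md5_base64` call also presumes `Digest::MD5` is already imported at the top of the file, which is outside the hunk; if the 'Upload' branch already uses it nothing more is needed. The enclosing `elsif ( $op eq 'Delete' )` block continues past the end of the hunk.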