If you have no (valid) token, you will not be able to send the message.
Test plan:
[1] Verify that you can still send the cart from both the OPAC and the intranet.
[2] While still logged in, try to send the cart from the OPAC by
requesting the following URL directly:
/cgi-bin/koha/opac-sendbasket.pl?email_add=you@somedomain.com&comment=csrf_test&bib_list=doesnotmatter&csrf_token=justsomeguess12345
This should now result in a CSRF error instead of sending the cart.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
use CGI qw ( -utf8 );
use Encode qw(encode);
use Carp;
-
+use Digest::MD5 qw(md5_base64);
use Mail::Sendmail;
use MIME::QuotedPrint;
use MIME::Base64;
+
use C4::Biblio;
use C4::Items;
use C4::Auth;
use C4::Output;
use C4::Templates ();
use Koha::Email;
+use Koha::Token;
my $query = new CGI;
}
);
-my $bib_list = $query->param('bib_list');
+my $bib_list = $query->param('bib_list') || '';
my $email_add = $query->param('email_add');
my $dbh = C4::Context->dbh;
+my $csrf_err;
if ( $email_add ) {
+ $csrf_err = 1 unless Koha::Token->new->check_csrf({
+ id => C4::Context->userenv->{id},
+ secret => md5_base64( C4::Context->config('pass') ),
+ token => scalar $query->param('csrf_token'),
+ });
+}
+
+if( $csrf_err ) {
+ $template->param( csrf_error => 1, email_add => 1 );
+ output_html_with_http_headers $query, $cookie, $template->output;
+} elsif ( $email_add ) {
my $email = Koha::Email->new();
my %mail = $email->create_message_headers({ to => $email_add });
my $comment = $query->param('comment');
output_html_with_http_headers $query, $cookie, $template->output;
}
else {
- $template->param( bib_list => $bib_list );
$template->param(
+ bib_list => $bib_list,
url => "/cgi-bin/koha/basket/sendbasket.pl",
suggestion => C4::Context->preference("suggestion"),
virtualshelves => C4::Context->preference("virtualshelves"),
+ csrf_token => Koha::Token->new->generate_csrf(
+ { id => C4::Context->userenv->{id},
+ secret => md5_base64( C4::Context->config('pass') ),
+ }
+ ),
);
output_html_with_http_headers $query, $cookie, $template->output;
}
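Review bot: The `id`/`secret` pair is spelled out twice (the check at `check_csrf` and the generation at `generate_csrf`) and must stay byte-identical or no token will ever validate; hoist it into one lexical, `my %csrf_args = ( id => C4::Context->userenv->{id}, secret => md5_base64( C4::Context->config('pass') ) );`, and pass `{ %csrf_args, token => scalar $query->param('csrf_token') }` and `{ %csrf_args }` to the two calls. The `secret` line also deserves a why-comment, `# HMAC secret is derived from the DB password; rotating it invalidates every outstanding token`, since that coupling is not obvious at the call site. The `elsif ( $email_add )` branch runs past the hunk; if its failure path re-renders the form, it must also set `csrf_token` or a retry after a mail error will be rejected by the new check.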
<p>The cart was sent to: [% email_add |html %]</p>
<p><a class="focus close" href="#">Close window</a></p>
[% END %]
+ [% IF csrf_error %]
+ <p>No valid CSRF token!</p>
+ <p><a class="focus close" href="#">Close window</a></p>
+ [% END %]
[% IF ( error ) %]
<p>Problem sending the cart...</p>
[% END %]
<label for="comment">Comment:</label>
<textarea id="comment" name="comment" rows="4" cols="40"></textarea>
</li>
- <li>
- <input type="hidden" name="bib_list" value="[% bib_list %]" />
- </li></ol></fieldset>
- <fieldset class="action"> <input type="submit" value="Send" /> <a class="cancel close" href="#">Cancel</a> </fieldset>
+ </ol>
+ </fieldset>
+ <fieldset class="action"> <input type="submit" value="Send" /> <a class="cancel close" href="#">Cancel</a> </fieldset>
+ <input type="hidden" name="bib_list" value="[% bib_list %]" />
+ <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
</form>
[% END %]</div>
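Review bot: The new hidden field interpolates `csrf_token` unfiltered, whereas this template already escapes server-supplied values (`[% email_add |html %]` a few lines up); write `value="[% csrf_token |html %]"` for consistency, and the same for the `bib_list` input it was moved next to. The token is server-generated base64, so this is defensive hygiene rather than an exploitable gap, but mixed escaping in one form is what later reviewers trip over.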
<p><a class="focus close" href="#">Close window</a></p>
[% END %]
+ [% IF csrf_error %]
+ <p>No valid CSRF token!</p>
+ <p><a class="focus close" href="#">Close window</a></p>
+ [% END %]
[% IF ( error ) %]
<div class="alert">
<p>There was an error sending the cart.</p>
<label for="comment">Comment:</label>
<textarea id="comment" name="comment" rows="4" cols="40"></textarea>
<input type="hidden" name="bib_list" value="[% bib_list %]" />
+ <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
</fieldset>
<fieldset class="action">
<input type="submit" class="btn" value="Send" />
use CGI qw ( -utf8 );
use Encode qw(encode);
use Carp;
-
+use Digest::MD5 qw(md5_base64);
use Mail::Sendmail;
use MIME::QuotedPrint;
use MIME::Base64;
+
use C4::Biblio;
use C4::Items;
use C4::Auth;
use C4::Members;
use C4::Templates ();
use Koha::Email;
+use Koha::Token;
my $query = new CGI;
}
);
-my $bib_list = $query->param('bib_list');
+my $bib_list = $query->param('bib_list') || '';
my $email_add = $query->param('email_add');
my $dbh = C4::Context->dbh;
+my $csrf_err;
if ( $email_add ) {
+ $csrf_err = 1 unless Koha::Token->new->check_csrf({
+ id => C4::Context->userenv->{id},
+ secret => md5_base64( C4::Context->config('pass') ),
+ token => scalar $query->param('csrf_token'),
+ });
+}
+
+if( $csrf_err ) {
+ $template->param( csrf_error => 1, email_add => 1 );
+ output_html_with_http_headers $query, $cookie, $template->output;
+} elsif ( $email_add ) {
my $email = Koha::Email->new();
my $user = GetMember(borrowernumber => $borrowernumber);
my $user_email = GetFirstValidEmailAddress($borrowernumber)
output_html_with_http_headers $query, $cookie, $template->output;
}
else {
- $template->param( bib_list => $bib_list );
$template->param(
+ bib_list => $bib_list,
url => "/cgi-bin/koha/opac-sendbasket.pl",
suggestion => C4::Context->preference("suggestion"),
virtualshelves => C4::Context->preference("virtualshelves"),
+ csrf_token => Koha::Token->new->generate_csrf(
+ { id => C4::Context->userenv->{id},
+ secret => md5_base64( C4::Context->config('pass') ),
+ }
+ ),
);
output_html_with_http_headers $query, $cookie, $template->output;
}
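Review bot: The send-failure path inside `elsif ( $email_add )` (its body continues past the hunk) does not visibly set `csrf_token`, yet the OPAC template in this same commit re-renders the form with `<input type="hidden" name="csrf_token" value="[% csrf_token %]" />` under `[% IF ( error ) %]`; if that is the case, a user retrying after a mail error submits an empty token and lands on the new "No valid CSRF token!" page. Generate the token once before branching, `my $csrf_token = Koha::Token->new->generate_csrf({ id => C4::Context->userenv->{id}, secret => md5_base64( C4::Context->config('pass') ) });`, and pass `csrf_token => $csrf_token` both in the error path and in the form-display `$template->param(...)` call. Keeping `scalar` on `$query->param('csrf_token')` is correct and worth a one-line comment, since dropping it would let a repeated query parameter shift the hash keys passed to `check_csrf`.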