Bug 20701: Add csrf protection to maninvoice.pl

TO test:
1 - Be signed in to Koha
2 - Add a manual invoice to an account, works fine
3 - Now do it via url: http://localhost:8081/cgi-bin/koha/members/maninvoice.pl?borrowernumber=5&type=test&amount=5&add=Save
4 - Apply patches
5 - Test that everything continues to work as expected (but more securely)
6 - Try adding a new invoice via URL
7 - Should get 'internal server error' and wrong csrf token in logs

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/maninvoice.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/maninvoice.tt
index 7aedf44..2e139f7 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/maninvoice.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/maninvoice.tt
@@ -36,6 +36,7 @@
 [% END %]
 [% ELSE %]
 <form action="/cgi-bin/koha/members/maninvoice.pl" method="post" id="maninvoice"><input type="hidden" name="borrowernumber" id="borrowernumber" value="[% patron.borrowernumber %]" />
+    <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
        <fieldset class="rows">
        <legend>Manual invoice</legend>
        <ol>

diff --git a/members/maninvoice.pl b/members/maninvoice.pl
index 84ed122..f210a85 100755 (executable)
--- a/members/maninvoice.pl
+++ b/members/maninvoice.pl
@@ -31,6 +31,7 @@ use C4::Members;
 use C4::Accounts;
 use C4::Items;
 use C4::Members::Attributes qw(GetBorrowerAttributes);
+use Koha::Token;
 
 use Koha::Patrons;
 
@@ -50,6 +51,11 @@ unless ( $patron ) {
 my $add=$input->param('add');
 if ($add){
     if ( checkauth( $input, 0, $flagsrequired, 'intranet' ) ) {
+        die "Wrong CSRF token"
+            unless Koha::Token->new->check_csrf( {
+                session_id => scalar $input->cookie('CGISESSID'),
+                token => scalar $input->param('csrf_token'),
+            });
         # Note: If the logged in user is not allowed to see this patron an invoice can be forced
         # Here we are trusting librarians not to hack the system
         my $barcode=$input->param('barcode');
@@ -75,6 +81,7 @@ if ($add){
             if ( $error =~ /FOREIGN KEY/ && $error =~ /itemnumber/ ) {
                 $template->param( 'ITEMNUMBER' => 1 );
             }
+            $template->param( csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $input->cookie('CGISESSID') }) );
             $template->param( 'ERROR' => $error );
             output_html_with_http_headers $input, $cookie, $template->output;
         } else {
@@ -122,6 +129,7 @@ if ($add){
     }
 
     $template->param(
+        csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $input->cookie('CGISESSID') }),
         patron         => $patron,
         finesview      => 1,
     );