[Koha-bugs] [Bug 24409] admin/authorised_values.pl?op=add_form : Add New Category is vulnerable for CSRF attacks
bugzilla-daemon at bugs.koha-community.org
Mon Jan 13 14:12:53 CET 2020
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24409
--- Comment #2 from Aman Mishra <aman.mishra77 at gmail.com> ---
I resolved this, please check and update whether this is the right way or not.
Add CSRF token in /usr/share/koha/intranet/cgi-bin/admin/authorised_values.pl
+ after line 32
+use Koha::Token;
+ after line 172
+my $TokenCheck = Koha::Token->new->check_csrf({
session_id => scalar $input->cookie('CGISESSID'),
token => scalar $input->param('csrf_token'),
});
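Review bot: this check_csrf call runs on every request to the script, including the plain GET that renders add_form and carries no csrf_token parameter, so the result is computed even when it is not used and the script relies on check_csrf tolerating an undef token. Consider calling Koha::Token->new->check_csrf only inside the branch that handles the form submission (the block the later `if( $TokenCheck ){` wraps), or guarding it on the op being processed, so the check and its use sit together.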
+ after line 180
+if( $TokenCheck ){
+ after line 204
+ }
else {
push @messages, {type => 'error', code => 'wrong_csrf_token' };
}
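Review bot: the `if( $TokenCheck ){` opened after line 180 and the `}` / `else {` added after line 204 enclose about twenty lines that are not shown here, so it cannot be verified from this listing that only the state-changing add/edit handling is wrapped and that nothing required by the rest of the script (for example variables used when rendering the page) is skipped when the token is wrong. Please resubmit as a git format-patch with context lines, and run the change through perltidy so the closing brace and `else` are indented like the surrounding code.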
+ after line 81
+ $template->param(
csrf_token => Koha::Token->new->generate_csrf({
session_id => scalar $input->cookie('CGISESSID'),
}),
);
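Review bot: this hunk is listed last but applies after line 81, before the hunks at lines 172, 180 and 204, so applying the edits in the order given shifts every later "after line N" reference; the "after line N" form is ambiguous once earlier inserts have been made. A git format-patch against master removes that ambiguity. Also confirm that line 81 is after the call that sets `$template` (get_template_and_user), since `$template->param(...)` needs it.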
Add CSRF token in
/usr/share/koha/intranet/htdocs/intranet-tmpl/prog/en/modules/admin/authorised_values.tt
+ after line 63
+<input type="hidden" name="csrf_token" value="[% csrf_token | html %]" />
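Review bot: only the form at line 63 receives the hidden csrf_token field, while the check in the .pl wraps a single block; confirm that every form in this template which POSTs a state-changing op to authorised_values.pl (not only the add/edit form) also carries the token, otherwise those submissions either bypass the check or fail it with wrong_csrf_token.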
+ after line 184
+ [% CASE 'wrong_csrf_token' %]
<div class="dialog message">The form submission failed (Wrong CSRF
token). Try to come back, refresh the page, then try again.</div>
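Review bot: the new `[% CASE 'wrong_csrf_token' %]` only renders if it lands inside the template's existing SWITCH over the message code and `@messages` is actually passed to the template (for example via `$template->param( messages => \@messages )`); neither is visible in this listing, so please include the surrounding lines in the patch so that path can be verified.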
Now test your application.
Thanks
Aman Mishra
Sr. Software Engineer
Total IT Software Solutions Pvt. Ltd.
India