Bug 20568: CSRF protection

Edit: fix warning introduced by this patch Signed-off-by: Tomas Cohen Arazi <[email protected]> Signed-off-by: Julian Maurice <[email protected]> Signed-off-by: Jonathan Druart <[email protected]>
ErSKS · May 9, 2018 · 45841d9 · 45841d9
1 parent 28a750f
commit 45841d9
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 4 deletions.
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/apikeys.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/apikeys.tt
@@ -25,6 +25,7 @@
                 <h1>API keys for [% INCLUDE 'patron-title.inc' %]</h1>
                 <form id="add-api-key" action="/cgi-bin/koha/members/apikeys.pl" method="post" style="display:none">
                     <input type="hidden" name="patron_id" value="[% patron.id %]" />
+                    <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
                     <input type="hidden" name="op" value="generate" />
                     <fieldset class="brief">
                         <legend>Generate new client id/secret pair</legend>
@@ -65,12 +66,14 @@
                                             <form action="/cgi-bin/koha/members/apikeys.pl" method="post">
                                                 <input type="hidden" name="patron_id" value="[% patron.id %]" />
                                                 <input type="hidden" name="key" value="[% key.id %]" />
+                                                <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
                                                 <input type="hidden" name="op" value="delete" />
                                                 <button class="btn btn-default btn-xs delete" type="submit"><i class="fa fa-trash"></i> Delete</button>
                                             </form>
                                             <form action="/cgi-bin/koha/members/apikeys.pl" method="post">
                                                 <input type="hidden" name="patron_id" value="[% patron.id %]" />
                                                 <input type="hidden" name="key" value="[% key.id %]" />
+                                                <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
                                                 [% IF key.active %]
                                                     <input type="hidden" name="op" value="revoke" />
                                                     <button class="btn btn-default btn-xs" type="submit"><i class="fa fa-remove"></i> Revoke</button>

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-apikeys.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-apikeys.tt
@@ -35,6 +35,7 @@
                         <fieldset>
                             <legend>Generate new client id/secret pair</legend>
                             <input type="hidden" name="patron_id" value="[% patron.id %]" />
+                            <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
                             <input type="hidden" name="op" value="generate" />
                             <label for="description">Description: </label>
                             <input type="text" name="description" />
@@ -64,11 +65,13 @@
                                         <td>
                                             <form action="/cgi-bin/koha/opac-apikeys.pl" method="post" class="form-inline">
                                                 <input type="hidden" name="key" value="[% key.id %]" />
+                                                <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
                                                 <input type="hidden" name="op" value="delete" />
                                                 <button class="btn btn-link btn-xs delete-key" type="submit"><i class="fa fa-trash"></i> Delete</button>
                                             </form>
                                             <form action="/cgi-bin/koha/opac-apikeys.pl" method="post" class="form-inline">
                                                 <input type="hidden" name="key" value="[% key.id %]" />
+                                                <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
                                                 [% IF key.active %]
                                                     <input type="hidden" name="op" value="revoke" />
                                                     <button class="btn btn-link btn-xs" type="submit"><i class="fa fa-remove"></i> Revoke</button>

diff --git a/members/apikeys.pl b/members/apikeys.pl
@@ -26,6 +26,7 @@
 
 use Koha::ApiKeys;
 use Koha::Patrons;
+use Koha::Token;
 
 my $cgi = new CGI;
 
@@ -51,7 +52,19 @@
     exit;
 }
 
-my $op = $cgi->param('op');
+my $op = $cgi->param('op') // '';
+
+if ( $op eq 'generate' or
+     $op eq 'delete' or
+     $op eq 'revoke' or
+     $op eq 'activate' ) {
+
+    die "Wrong CSRF token"
+    unless Koha::Token->new->check_csrf({
+        session_id => scalar $cgi->cookie('CGISESSID'),
+        token      => scalar $cgi->param('csrf_token'),
+    });
+}
 
 if ($op) {
     if ( $op eq 'generate' ) {
@@ -102,8 +115,9 @@
 my @api_keys = Koha::ApiKeys->search({ patron_id => $patron_id });
 
 $template->param(
-    api_keys => \@api_keys,
-    patron   => $patron
+    api_keys   => \@api_keys,
+    csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $cgi->cookie('CGISESSID') }),
+    patron     => $patron
 );
 
 output_html_with_http_headers $cgi, $cookie, $template->output;
diff --git a/opac/opac-apikeys.pl b/opac/opac-apikeys.pl
@@ -26,6 +26,7 @@
 
 use Koha::ApiKeys;
 use Koha::Patrons;
+use Koha::Token;
 
 my $cgi = new CGI;
 
@@ -47,7 +48,19 @@
     exit;
 }
 
-my $op = $cgi->param('op');
+my $op = $cgi->param('op') // '';
+
+if ( $op eq 'generate' or
+     $op eq 'delete' or
+     $op eq 'revoke' or
+     $op eq 'activate' ) {
+
+    die "Wrong CSRF token"
+    unless Koha::Token->new->check_csrf({
+        session_id => scalar $cgi->cookie('CGISESSID'),
+        token      => scalar $cgi->param('csrf_token'),
+    });
+}
 
 if ($op) {
     if ($op eq 'generate') {
@@ -99,6 +112,7 @@
 $template->param(
     api_keys    => \@api_keys,
     apikeysview => 1,
+    csrf_token  => Koha::Token->new->generate_csrf({ session_id => scalar $cgi->cookie('CGISESSID') }),
     patron      => $patron
 );