From 6f324aaf8647729d509eebf063a0181f9f9196f7 Mon Sep 17 00:00:00 2001
From: Martin Gruner
Date: Fri, 20 Dec 2013 15:05:06 +0100
Subject: [PATCH] Fixed bug#10099: Missing challenge token checks on customer interface.

Conflicts:
	CHANGES.md
---
 CHANGES.md                              | 1 +
 Kernel/Modules/CustomerPreferences.pm   | 2 +-
 Kernel/Modules/CustomerTicketMessage.pm | 4 ++++
 Kernel/Modules/CustomerTicketProcess.pm | 2 +-
 Kernel/Modules/CustomerTicketZoom.pm    | 4 ++++
 Kernel/Output/HTML/Layout.pm            | 14 ++++++++++----
 6 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index 8d184884e38..4cee71794e0 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,4 +1,5 @@
 #3.2.14 201?-??-??
+ - 2013-12-20 Fixed bug#[10099](http://bugs.otrs.org/show_bug.cgi?id=10099) - Missing challenge token checks on customer interface.
  - 2013-12-17 Fixed bug#[10103](http://bugs.otrs.org/show_bug.cgi?id=10103) - ArticleTypeID is always undef in AgentTicketCompose.
  - 2013-12-12 Added functionality to disable access to tickets of other customers with the same customer company in customer interface.
  - 2013-12-12 Fixed bug#[9650](http://bugs.otrs.org/show_bug.cgi?id=9650) - Special character in customer id breaks Open Tickets in AgentTicketZoom.
diff --git a/Kernel/Modules/CustomerPreferences.pm b/Kernel/Modules/CustomerPreferences.pm
index 6b0a1517247..aa88d7a92ce 100644
--- a/Kernel/Modules/CustomerPreferences.pm
+++ b/Kernel/Modules/CustomerPreferences.pm
@@ -44,7 +44,7 @@ sub Run {
     if ( $Self->{Subaction} eq 'Update' ) {
         # challenge token check for write action
-        $Self->{LayoutObject}->ChallengeTokenCheck();
+        $Self->{LayoutObject}->ChallengeTokenCheck(Type => 'Customer');
         # check group param
         my $Group = $Self->{ParamObject}->GetParam( Param => 'Group' ) || '';
diff --git a/Kernel/Modules/CustomerTicketMessage.pm b/Kernel/Modules/CustomerTicketMessage.pm
index 8afcad30cab..327c1dc8f4e 100644
--- a/Kernel/Modules/CustomerTicketMessage.pm
+++ b/Kernel/Modules/CustomerTicketMessage.pm
@@ -193,6 +193,10 @@ sub Run {
         return $Output;
     }
     elsif ( $Self->{Subaction} eq 'StoreNew' ) {
+
+        # challenge token check for write action
+        $Self->{LayoutObject}->ChallengeTokenCheck(Type => 'Customer');
+
         my $NextScreen = $Self->{Config}->{NextScreenAfterNewTicket};
         my %Error;
diff --git a/Kernel/Modules/CustomerTicketProcess.pm b/Kernel/Modules/CustomerTicketProcess.pm
index 15265cc6dc5..1bc6459e6fa 100644
--- a/Kernel/Modules/CustomerTicketProcess.pm
+++ b/Kernel/Modules/CustomerTicketProcess.pm
@@ -227,7 +227,7 @@ sub Run {
     }
     if ( $Self->{Subaction} eq 'StoreActivityDialog' && $ProcessEntityID ) {
-        $Self->{LayoutObject}->ChallengeTokenCheck();
+        $Self->{LayoutObject}->ChallengeTokenCheck(Type => 'Customer');
         return $Self->_StoreActivityDialog(
             %Param,
diff --git a/Kernel/Modules/CustomerTicketZoom.pm b/Kernel/Modules/CustomerTicketZoom.pm
index 6b41ed95d75..276fb8afed3 100644
--- a/Kernel/Modules/CustomerTicketZoom.pm
+++ b/Kernel/Modules/CustomerTicketZoom.pm
@@ -305,6 +305,10 @@ sub Run {
     # check follow up
     elsif ( $Self->{Subaction} eq 'Store' ) {
+
+        # challenge token check for write action
+        $Self->{LayoutObject}->ChallengeTokenCheck(Type => 'Customer');
+
         my $NextScreen = $Self->{NextScreen} || $Self->{Config}->{NextScreenAfterFollowUp};
         my %Error;
diff --git a/Kernel/Output/HTML/Layout.pm b/Kernel/Output/HTML/Layout.pm
index 360987d3115..69b8382e784 100644
--- a/Kernel/Output/HTML/Layout.pm
+++ b/Kernel/Output/HTML/Layout.pm
@@ -1151,11 +1151,17 @@ sub ChallengeTokenCheck {
     }
     # no valid token found
-    $Self->FatalError(
-        Message => 'Invalid Challenge Token!',
-    );
+    if ($Param{Type} && lc $Param{Type} eq 'customer') {
+        $Self->CustomerFatalError(
+            Message => 'Invalid Challenge Token!',
+        );
+    }
+    else {
+        $Self->FatalError(
+            Message => 'Invalid Challenge Token!',
+        );
+    }
-    # ChallengeToken ok
     return;
 }
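Review bot: The return value of the added `$Self->{LayoutObject}->ChallengeTokenCheck(Type => 'Customer');` call in the StoreNew branch is discarded, so the CSRF protection of this write path rests entirely on CustomerFatalError() terminating the request; the Layout.pm hunk of this same patch shows ChallengeTokenCheck falling through to a bare `return;` after the error call, which a caller that ignores the result would never notice. I cannot see CustomerFatalError's body here, but if it ever returns instead of ending the request, the ticket is still created from a forged or missing token. Placing the check before `my $NextScreen` (i.e. ahead of any state change) is the right spot; I would make the dependency explicit with `# challenge token check for write action; relies on CustomerFatalError() ending the request on a bad token` and, if Run's callers tolerate an empty result, harden it to `return if !$Self->{LayoutObject}->ChallengeTokenCheck(Type => 'Customer');`. The same pattern is inserted into CustomerTicketZoom's Store branch in this patch. Run starts and ends outside the hunk.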
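Review bot: Both branches of the new `if ($Param{Type} && lc $Param{Type} eq 'customer')` block in ChallengeTokenCheck repeat the identical `Message => 'Invalid Challenge Token!'` call, differing only in the method name; selecting the method once reads better and keeps the message in a single place: `my $ErrorMethod = ( $Param{Type} && lc $Param{Type} eq 'customer' ) ? 'CustomerFatalError' : 'FatalError';` followed by `$Self->$ErrorMethod( Message => 'Invalid Challenge Token!' );`. The new `Type` argument widens a public method, so its POD (outside this hunk) should document `Type => 'Customer'` as selecting the customer-interface error page and that the call does not return on a bad token. The trailing `return;` is now only reachable if one of the error handlers returns, which is worth stating so callers do not assume a false result is the normal failure signal: `# only reached if the error handler returns; yields false so a guarding caller still stops`. The sub's header and the `%Param` unpacking this hunk relies on are outside the hunk.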