From 59424c312660e272847d8a208dbfd7940a6b26bf Mon Sep 17 00:00:00 2001
From: Benjamin Dalsass
Date: Tue, 17 May 2022 09:02:06 +0200
Subject: [PATCH] =?UTF-8?q?N=C2=B04976=20-=20CSRF=20in=20import=20page?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 pages/csvimport.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/pages/csvimport.php b/pages/csvimport.php
index 9f4b566a2..a8ce680f6 100644
--- a/pages/csvimport.php
+++ b/pages/csvimport.php
@@ -197,6 +197,11 @@ try {
 throw new CoreException(Dict::S('UI:ActionNotAllowed'));
 }
+ // CSRF transaction id verification
+ if(!$bSimulate && !utils::IsTransactionValid(utils::ReadPostedParam('transaction_id', '', 'raw_data'))){
+ throw new CoreException(Dict::S('UI:Error:InvalidToken'));
+ }
+
 $aResult = array();
 $sCSVData = utils::ReadParam('csvdata', '', false, 'raw_data');
 $sCSVDataTruncated = utils::ReadParam('csvdata_truncated', '', false, 'raw_data');
@@ -487,11 +492,12 @@ try {
 $sHtml .= "$sMessage";
 $sHtml .= '';
 }
-
+
 $iUnchanged = count($aRes) - $iErrors - $iModified - $iCreated;
 $sHtml .= '';
 $oPage->add('
');
 $oPage->add('
');
+ $oPage->add('');
 $oPage->add('');
 $oPage->add('');
 $oPage->add('');
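Review bot: The `!$bSimulate` exemption on the new `if` leaves the simulate path reachable without a token, and nothing in the hunk records why; if the intent is that a dry run must not validate-and-consume the transaction id so the same form value can be resubmitted for the real import, say so next to the check: `// Simulation is a dry run and must not consume the token, so it is only verified on the real import`. The hunk does not show how `$bSimulate` is derived; if it comes from a request parameter that is acceptable here, since a forged request can then only reach the dry run, but confirm the simulate branch really has no persistent side effects (the rest of the enclosing `try` block, which starts before and ends after this hunk, is not visible). For consistency with PSR-12 the condition would read `if (!$bSimulate && !utils::IsTransactionValid(utils::ReadPostedParam('transaction_id', '', 'raw_data'))) {`.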
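Review bot: The markup inside the added `$oPage->add('');` has been stripped from this rendering, so it cannot be confirmed here that it emits a hidden field named exactly `transaction_id`, matching what the first hunk reads via `utils::ReadPostedParam('transaction_id', '', 'raw_data')`, nor that its value is issued fresh per render and attribute-escaped rather than reused from the request. Because the simulate path deliberately does not consume the token, the same value has to be carried from the preview form into the confirming POST; check that every form that posts back to this handler, not only the one rendered in this hunk, includes the field, or the real import will always fail with `UI:Error:InvalidToken`. The enclosing `try` block starts and ends outside the hunk.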