Add also GET action sepa... protected by CSRF

Laurent Destailleur 2023-08-04 00:22:46 +02:00
parent 6062a60625
commit 296aa8cd06


@ -538,7 +538,7 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
$sensitiveget = true;
}
} elseif (getDolGlobalInt('MAIN_SECURITY_CSRF_WITH_TOKEN') >= 2) {
// Few GET actions coded with a &token into url are processed as sensitive.
// Few GET actions coded with a &token into url are also processed as sensitive.
$arrayofactiontoforcetokencheck = array(
'activate',
'doprev', 'donext', 'dvprev', 'dvnext',
@ -549,7 +549,7 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
$sensitiveget = true;
}
// We also match for value with just a simple string that must match
if (preg_match('/^(add|classify|close|confirm|copy|del|disable|enable|remove|set|unset|update|save)/', GETPOST('action', 'aZ09'))) {
if (preg_match('/^(add|classify|close|confirm|copy|del|disable|enable|remove|set|unset|update|save|sepa)/', GETPOST('action', 'aZ09'))) {
$sensitiveget = true;
}
}
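Review bot: The pattern on the `preg_match` line of the second hunk is anchored only at the start, so `sepa` acts as a prefix. Every GET action whose name begins with it now requires a token, but a state-changing GET action with any unlisted prefix is still not flagged as sensitive in this branch. The list is therefore a denylist that must be extended for each new action family, as this commit does, and the vague comment above it should say so, for example `// Prefix match (denylist): a GET action starting with one of these words requires a valid token; extend it when a new state-changing action family is added.` The match is also case-sensitive while the `aZ09` filter presumably admits upper-case letters, which is harmless only if the action handlers compare case-sensitively too; that is not visible here. The enclosing `if` starts and ends outside the hunks shown.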