From 4374ecebadddeb4a8e6d97dd3e15c01cd892c154 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 25 Jun 2024 12:24:25 +0200
Subject: [PATCH] Fix CSRF = 3 for cancel and clone
---
 htdocs/commande/card.php | 2 +-
 htdocs/fourn/commande/card.php | 4 ++--
 htdocs/main.inc.php | 2 +-
 htdocs/projet/card.php | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/htdocs/commande/card.php b/htdocs/commande/card.php
index cd02c46b653..025d223ad2a 100644
--- a/htdocs/commande/card.php
+++ b/htdocs/commande/card.php
@@ -3089,7 +3089,7 @@ if ($action == 'create' && $usercancreate) {
 // Clone
 if ($usercancreate) {
- print dolGetButtonAction('', $langs->trans('ToClone'), 'default', $_SERVER["PHP_SELF"].'?action=clone&token='.newToken().'&id='.$object->id.'&socid='.$object->socid, '');
+ print dolGetButtonAction('', $langs->trans('ToClone'), 'default', $_SERVER["PHP_SELF"].'?action=clone&token='.newToken().'&id='.$object->id.'&socid='.$object->socid, '');
 }
 // Cancel order
diff --git a/htdocs/fourn/commande/card.php b/htdocs/fourn/commande/card.php
index d8f5aa2fbb8..1235ee651fb 100644
--- a/htdocs/fourn/commande/card.php
+++ b/htdocs/fourn/commande/card.php
@@ -2717,13 +2717,13 @@ if ($action == 'create') {
 // Clone
 if ($usercancreate) {
- print ''.$langs->trans("ToClone").'';
+ print ''.$langs->trans("ToClone").'';
 }
 // Cancel
 if ($object->statut == CommandeFournisseur::STATUS_ACCEPTED) {
 if ($usercanorder) {
- print ''.$langs->trans("CancelOrder").'';
+ print ''.$langs->trans("CancelOrder").'';
 }
 }
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 7d3daf1971f..511cc0a7bf2 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
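Review bot: The clone URL on the new side of the htdocs/commande/card.php hunk still concatenates `$object->id` and `$object->socid` into the href uncast, while the same commit hardens the equivalent link in htdocs/projet/card.php to `((int) $object->id)`; for consistency the query string here should read `'&id='.((int) $object->id).'&socid='.((int) $object->socid)`. The removed and added lines of this hunk read identically in this rendering, so whatever the hunk actually changes cannot be checked from the page. The button section this hunk belongs to continues past the hunk.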
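Review bot: In the htdocs/fourn/commande/card.php hunk the Clone and CancelOrder buttons are still emitted as hand-written anchors whose markup did not survive this rendering (only the `print ''.$langs->trans("ToClone").'';` shells remain), so neither the href nor the presence of `token='.newToken()` on these two links can be verified here, which is exactly what a CSRF_WITH_TOKEN=3 fix depends on. The sibling htdocs/commande/card.php hunk of this same commit builds its clone button through the shared helper, `print dolGetButtonAction('', $langs->trans('ToClone'), 'default', $_SERVER["PHP_SELF"].'?action=clone&token='.newToken().'&id='.((int) $object->id), '');`; emitting both buttons here the same way, keeping each button's existing action and query parameters, would centralise the token handling and make the URLs reviewable in the diff. Both inner if blocks close inside the hunk, but the surrounding button section continues outside it.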
@@ -625,7 +625,7 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
 // Array of action code where CSRFCHECK with token will be forced (so token must be provided on url request)
 $sensitiveget = false;
 if ((GETPOSTISSET('massaction') || GETPOST('action', 'aZ09')) && getDolGlobalInt('MAIN_SECURITY_CSRF_WITH_TOKEN') >= 3) {
- // All GET actions (except the listed exception that are post actions) and mass actions are processed as sensitive.
+ // All GET actions (except the listed exceptions that are usually post for pre-actions and not real action) and mass actions are processed as sensitive.
 if (GETPOSTISSET('massaction') || !in_array(GETPOST('action', 'aZ09'), array('create', 'createsite', 'createcard', 'edit', 'editvalidator', 'file_manager', 'presend', 'presend_addmessage', 'preview', 'specimen'))) { // We exclude some action that are not sensitive so legitimate
 $sensitiveget = true;
 }
diff --git a/htdocs/projet/card.php b/htdocs/projet/card.php
index 15fa1fe4001..6b1edad2c23 100644
--- a/htdocs/projet/card.php
+++ b/htdocs/projet/card.php
@@ -1666,7 +1666,7 @@ if ($action == 'create' && $user->hasRight('projet', 'creer')) {
 // Clone
 if ($user->hasRight('projet', 'creer')) {
 if ($userWrite > 0) {
- print dolGetButtonAction('', $langs->trans('ToClone'), 'default', $_SERVER["PHP_SELF"].'?action=clone&token='.newToken().'&id='.$object->id, '');
+ print dolGetButtonAction('', $langs->trans('ToClone'), 'default', $_SERVER["PHP_SELF"].'?action=clone&token='.newToken().'&id='.((int) $object->id), '');
 } else {
 print dolGetButtonAction($langs->trans('NotOwnerOfProject'), $langs->trans('ToClone'), 'default', $_SERVER['PHP_SELF']. '#', '', false);
 }
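Review bot: The rewritten comment on the added line of the htdocs/main.inc.php hunk is hard to parse ("usually post for pre-actions and not real action"), and since it documents the only exemption from forced-token checking it should say precisely why those actions are safe to exempt: `// Every GET action and every massaction is treated as sensitive (token required), except the listed actions, which only display a form; the real change is then submitted by POST and token-checked there.` That the exempted actions are form-display-only is inferred from their names (create, edit, presend, preview, ...) rather than from anything in the hunk, so confirm it against the handlers before landing the wording. The outer if block opened on the third context line continues past the end of the hunk.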