diff --git a/htdocs/admin/system/security.php b/htdocs/admin/system/security.php
index f2df395060b..8a6d6bbb4ed 100644
--- a/htdocs/admin/system/security.php
+++ b/htdocs/admin/system/security.php
@@ -91,7 +91,13 @@ print '
';
print "PHP session.use_strict_mode = ".(ini_get('session.use_strict_mode') ? ini_get('session.use_strict_mode') : yn(0)).' ('.$langs->trans("RecommendedValueIs", '1').")
\n";
print "PHP session.use_only_cookies = ".(ini_get('session.use_only_cookies') ? ini_get('session.use_only_cookies') : yn(0)).' ('.$langs->trans("RecommendedValueIs", '1').")
\n";
print "PHP session.cookie_httponly = ".(ini_get('session.cookie_httponly') ? ini_get('session.cookie_httponly') : '').' ('.$langs->trans("RecommendedValueIs", '1').")
\n";
-print "PHP session.cookie_samesite = ".(ini_get('session.cookie_samesite') ? ini_get('session.cookie_samesite') : 'None').' ('.$langs->trans("RecommendedValueIs", 'Strict').")
\n";
+print "PHP session.cookie_samesite = ".(ini_get('session.cookie_samesite') ? ini_get('session.cookie_samesite') : 'None');
+if (!ini_get('session.cookie_samesite') || ini_get('session.cookie_samesite') == 'Lax') {
+ print ' ('.$langs->trans("RecommendedValueIs", 'Lax').")";
+} elseif (ini_get('session.cookie_samesite') == 'Strict') {
+ print ' '.img_warning().' '.$langs->trans("WarningPaypalPaymentNotCompatibleWithStrict")."";
+}
+print "
\n";
print "PHP open_basedir = ".(ini_get('open_basedir') ? ini_get('open_basedir') : yn(0).' ('.$langs->trans("RecommendedValueIs", $langs->transnoentitiesnoconv("ARestrictedPath").', '.$langs->transnoentitiesnoconv("Example").' '.$_SERVER["DOCUMENT_ROOT"]).')')."
\n";
print "PHP allow_url_fopen = ".(ini_get('allow_url_fopen') ? img_picto($langs->trans("YouShouldSetThisToOff"), 'warning').' '.ini_get('allow_url_fopen') : yn(0)).' ('.$langs->trans("RecommendedValueIs", $langs->transnoentitiesnoconv("No")).")
\n";
print "PHP allow_url_include = ".(ini_get('allow_url_include') ? img_picto($langs->trans("YouShouldSetThisToOff"), 'warning').' '.ini_get('allow_url_include') : yn(0)).' ('.$langs->trans("RecommendedValueIs", $langs->transnoentitiesnoconv("No")).")
\n";
diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php
index e55ca5b6e04..deb194de170 100644
--- a/htdocs/filefunc.inc.php
+++ b/htdocs/filefunc.inc.php
@@ -196,6 +196,7 @@ if (!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck)) {
if ($csrfattack) {
//print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_HOST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
// Note: We can't use dol_escape_htmltag here to escape output because lib functions.lib.ph is not yet loaded.
+ dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"])?'':$_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused by CSRF protection (Bad referer).", LOG_WARNING);
print "Access refused by CSRF protection in main.inc.php. Referer of form (".htmlentities($_SERVER['HTTP_REFERER'], ENT_COMPAT, 'UTF-8').") is outside the server that serve this page (with method = ".htmlentities($_SERVER['REQUEST_METHOD'], ENT_COMPAT, 'UTF-8').").\n";
print "If you access your server behind a proxy using url rewriting, you might check that all HTTP headers are propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file to remove this security check).\n";
die;
diff --git a/htdocs/langs/en_US/errors.lang b/htdocs/langs/en_US/errors.lang
index cb97af5c183..114654aed3f 100644
--- a/htdocs/langs/en_US/errors.lang
+++ b/htdocs/langs/en_US/errors.lang
@@ -265,6 +265,11 @@ ErrorAPercentIsRequired=Error, please fill in the percentage correctly
ErrorYouMustFirstSetupYourChartOfAccount=You must first setup your chart of account
ErrorFailedToFindEmailTemplate=Failed to find template with code name %s
ErrorDurationForServiceNotDefinedCantCalculateHourlyPrice=Duration not defined on service. No way to calculate the hourly price.
+ErrorActionCommPropertyUserowneridNotDefined=User's owner is required
+ErrorActionCommBadType=Selected event type (id: %n, code: %s) do not exist in Event Type dictionary
+CheckVersionFail=Version check fail
+ErrorWrongFileName=Name of the file cannot have __SOMETHING__ in it
+ErrorNotInDictionaryPaymentConditions=Not in Payment Terms Dictionary, please modify.
# Warnings
WarningParamUploadMaxFileSizeHigherThanPostMaxSize=Your PHP parameter upload_max_filesize (%s) is higher than PHP parameter post_max_size (%s). This is not a consistent setup.
@@ -298,8 +303,5 @@ WarningTheHiddenOptionIsOn=Warning, the hidden option %s is on.
WarningCreateSubAccounts=Warning, you can't create directly a sub account, you must create a third party or an user and assign them an accounting code to find them in this list
WarningAvailableOnlyForHTTPSServers=Available only if using HTTPS secured connection.
WarningModuleXDisabledSoYouMayMissEventHere=Module %s has not been enabled. So you may miss a lot of event here.
-ErrorActionCommPropertyUserowneridNotDefined=User's owner is required
-ErrorActionCommBadType=Selected event type (id: %n, code: %s) do not exist in Event Type dictionary
-CheckVersionFail=Version check fail
-ErrorWrongFileName=Name of the file cannot have __SOMETHING__ in it
-ErrorNotInDictionaryPaymentConditions=Not in Payment Terms Dictionary, please modify.
+WarningPaypalPaymentNotCompatibleWithStrict=The value 'Strict' makes the online payment features not working correctly. Use 'Lax' instead.
+
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 94628b31f9f..9a9d85c053c 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -245,6 +245,7 @@ if (!empty($_SERVER['DOCUMENT_ROOT']) && substr($_SERVER['DOCUMENT_ROOT'], -6) !
set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
}
+
// Include the conf.php and functions.lib.php. This defined the constants like DOL_DOCUMENT_ROOT, DOL_DATA_ROOT, DOL_URL_ROOT...
require_once 'filefunc.inc.php';
@@ -286,6 +287,8 @@ $sessiontimeout = 'DOLSESSTIMEOUT_'.$prefix;
if (!empty($_COOKIE[$sessiontimeout])) {
ini_set('session.gc_maxlifetime', $_COOKIE[$sessiontimeout]);
}
+
+
// This create lock, released by session_write_close() or end of page.
// We need this lock as long as we read/write $_SESSION ['vars']. We can remove lock when finished.
if (!defined('NOSESSION')) {
@@ -494,10 +497,11 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->gl
print $langs->trans("ErrorGoBackAndCorrectParameters");
die;
} else {
- dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"])?'':$_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused by CSRFCHECK_WITH_TOKEN protection. Token not provided.", LOG_WARNING);
if (defined('CSRFCHECK_WITH_TOKEN')) {
+ dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"])?'':$_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused by CSRF protection (CSRFCHECK_WITH_TOKEN protection) in main.inc.php. Token not provided.", LOG_WARNING);
print "Access to a page that needs a token (constant CSRFCHECK_WITH_TOKEN is defined) is refused by CSRF protection in main.inc.php. Token not provided.\n";
} else {
+ dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"])?'':$_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused by CSRF protection (POST method or GET with a sensible value for 'action' parameter) in main.inc.php. Token not provided.", LOG_WARNING);
print "Access to this page this way (POST method or GET with a sensible value for 'action' parameter) is refused by CSRF protection in main.inc.php. Token not provided.\n";
print "If you access your server behind a proxy using url rewriting and the parameter is provided by caller, you might check that all HTTP header are propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file or MAIN_SECURITY_CSRF_WITH_TOKEN to 0 into setup).\n";
}
@@ -509,7 +513,7 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->gl
$sessiontokenforthisurl = (empty($_SESSION['token']) ? '' : $_SESSION['token']);
// TODO Get the sessiontokenforthisurl into the array of session token
if (GETPOSTISSET('token') && GETPOST('token') != 'notrequired' && GETPOST('token', 'alpha') != $sessiontokenforthisurl) {
- dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"])?'':$_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused due to invalid token, so we disable POST and some GET parameters - referer=".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action', 'aZ09').", _GET|POST['token']=".GETPOST('token', 'alpha').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING);
+ dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"])?'':$_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused by CSRF protection (invalid token), so we disable POST and some GET parameters - referer=".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action', 'aZ09').", _GET|POST['token']=".GETPOST('token', 'alpha').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING);
//print 'Unset POST by CSRF protection in main.inc.php.'; // Do not output anything because this create problems when using the BACK button on browsers.
setEventMessages('SecurityTokenHasExpiredSoActionHasBeenCanceledPleaseRetry', null, 'warnings');
//if ($conf->global->MAIN_FEATURES_LEVEL >= 1) setEventMessages('Unset POST and GET params by CSRF protection in main.inc.php (Token provided was not generated by the previous page).'."
\n".'$_SERVER[REQUEST_URI] = '.$_SERVER['REQUEST_URI'].' $_SERVER[REQUEST_METHOD] = '.$_SERVER['REQUEST_METHOD'].' GETPOST(token) = '.GETPOST('token', 'alpha').' $_SESSION[token] = '.$_SESSION['token'], null, 'warnings');