Mirrors/dolibarr
1
0
Fork 0
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-02-20 13:46:52 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add a mode MAIN_SECURITY_CSRF_WITH_TOKEN = 2

Browse Source
This commit is contained in:
Laurent Destailleur 2021-09-19 14:49:11 +02:00
parent 5c8fb38426
commit 4d563651fa
1 changed files with 15 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
htdocs/main.inc.php
View File

@ -460,22 +460,25 @@ if (!defined('NOTOKENRENEWAL') && !defined('NOSESSION')) {
//dol_syslog("aaaa - ".defined('NOCSRFCHECK')." - ".$dolibarr_nocsrfcheck." - ".$conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN." - ".$_SERVER['REQUEST_METHOD']." - ".GETPOST('token', 'alpha'));
// Check validity of token, only if option MAIN_SECURITY_CSRF_WITH_TOKEN enabled or if constant CSRFCHECK_WITH_TOKEN is set into page
if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN)) || defined('CSRFCHECK_WITH_TOKEN')) {
if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt('MAIN_SECURITY_CSRF_WITH_TOKEN')) || defined('CSRFCHECK_WITH_TOKEN')) {
// Array of action code where CSRFCHECK with token will be forced (so token must be provided on url request)
$arrayofactiontoforcetokencheck = array(
'activate', 'add', 'addrights', 'addtimespent',
'doprev', 'donext', 'dvprev', 'dvnext',
'install',
'reopen'
);
$sensitiveget = false;
if (in_array(GETPOST('action', 'aZ09'), $arrayofactiontoforcetokencheck)) {
if (getDolGlobalInt('MAIN_SECURITY_CSRF_WITH_TOKEN') == 2) {
$sensitiveget = true;
} else {
$arrayofactiontoforcetokencheck = array(
'activate', 'add', 'addrights', 'addtimespent',
'doprev', 'donext', 'dvprev', 'dvnext',
'install',
'reopen'
);
if (in_array(GETPOST('action', 'aZ09'), $arrayofactiontoforcetokencheck)) {
$sensitiveget = true;
}
if (preg_match('/^(classify|close|confirm|del|disable|enable|remove|set|update)/', GETPOST('action', 'aZ09'))) {
$sensitiveget = true;
}
}
if (preg_match('/^(classify|close|confirm|del|disable|enable|remove|set|update)/', GETPOST('action', 'aZ09'))) {
$sensitiveget = true;
}
// Check a token is provided for all cases that need a mandatory token
// (all POST actions + all login, actions and mass actions on pages with CSRFCHECK_WITH_TOKEN set + all sensitive GET actions)
if (