Enable by default the test on anti CSRF token

This commit is contained in:
Laurent Destailleur 2018-12-22 18:09:26 +01:00
parent 6c54ea925b
commit a5dccd1cc3
3 changed files with 26 additions and 13 deletions


@ -3991,7 +3991,7 @@ class Form
closeOnEscape: false,
buttons: {
"'.dol_escape_js($langs->transnoentities("Yes")).'": function() {
var options = "token='.urlencode($_SESSION['newtoken']).'";
var options = "&token='.urlencode($_SESSION['newtoken']).'";
var inputok = '.json_encode($inputok).';
var pageyes = "'.dol_escape_js(! empty($pageyes)?$pageyes:'').'";
if (inputok.length>0) {
@ -4010,7 +4010,7 @@ class Form
$(this).dialog("close");
},
"'.dol_escape_js($langs->transnoentities("No")).'": function() {
var options = "token='.urlencode($_SESSION['newtoken']).'";
var options = "&token='.urlencode($_SESSION['newtoken']).'";
var inputko = '.json_encode($inputko).';
var pageno="'.dol_escape_js(! empty($pageno)?$pageno:'').'";
if (inputko.length>0) {
@ -4049,7 +4049,7 @@ class Form
if (empty($disableformtag)) $formconfirm.= '<form method="POST" action="'.$page.'" class="notoptoleftroright">'."\n";
$formconfirm.= '<input type="hidden" name="action" value="'.$action.'">'."\n";
if (empty($disableformtag)) $formconfirm.= '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">'."\n";
$formconfirm.= '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">'."\n";
$formconfirm.= '<table width="100%" class="valid">'."\n";
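Review bot: The now-unconditional hidden field in the last hunk writes `$_SESSION['newtoken']` straight into an HTML attribute, while every other dynamic value in this dialog goes through `dol_escape_js()` or `urlencode()`; escaping it the same way keeps the output context-safe regardless of how the token is generated, e.g. `$formconfirm.= '<input type="hidden" name="token" value="'.htmlspecialchars($_SESSION['newtoken'], ENT_QUOTES, 'UTF-8').'">'."\n";`. Since the `<form>` tag stays conditional on `$disableformtag` but the token input no longer is, a short comment that the caller's enclosing form is expected to carry this field when `$disableformtag` is set would make the intent explicit. The second file in this commit only assigns `$_SESSION['newtoken']` when `NOTOKENRENEWAL` is not defined, so it is unclear from here whether the three reads in this section can hit an undefined index in that case; worth confirming. The enclosing method of class Form starts and ends outside these hunks.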


@ -373,24 +373,27 @@ if (! defined('NOTOKENRENEWAL'))
$token = dol_hash(uniqid(mt_rand(), true)); // Generates a hash of a random number
$_SESSION['newtoken'] = $token;
}
// Check token
if ((! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN))
|| defined('CSRFCHECK_WITH_TOKEN')) // Check validity of token, only if option MAIN_SECURITY_CSRF_WITH_TOKEN enabled or if constant CSRFCHECK_WITH_TOKEN is set
{
if ($_SERVER['REQUEST_METHOD'] == 'POST' && ! GETPOST('token','alpha')) // Note, offender can still send request by GET
if ($_SERVER['REQUEST_METHOD'] == 'POST' && ! GETPOSTISSET('token')) // Note, offender can still send request by GET
{
print "Access refused by CSRF protection in main.inc.php. Token not provided.\n";
print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n";
die;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') // This test must be after loading $_SESSION['token'].
//if ($_SERVER['REQUEST_METHOD'] === 'POST') // This test must be after loading $_SESSION['token'].
//{
if (GETPOSTISSET('token') && GETPOST('token', 'alpha') != $_SESSION['token'])
{
if (GETPOST('token', 'alpha') != $_SESSION['token'])
{
dol_syslog("Invalid token in ".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action','aZ09').", _POST['token']=".GETPOST('token','alpha').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING);
//print 'Unset POST by CSRF protection in main.inc.php.'; // Do not output anything because this create problems when using the BACK button on browsers.
unset($_POST);
}
dol_syslog("Invalid token, so we disable POST and some GET parameters - referer=".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action','aZ09').", _GET|POST['token']=".GETPOST('token','alpha').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING);
//print 'Unset POST by CSRF protection in main.inc.php.'; // Do not output anything because this create problems when using the BACK button on browsers.
unset($_POST);
unset($_GET['confirm']);
}
//}
}
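Review bot: The new condition `if (GETPOSTISSET('token') && GETPOST('token', 'alpha') != $_SESSION['token'])` compares the submitted token with the session token using loose `!=`; a secret comparison should be strict and constant-time, e.g. `if (GETPOSTISSET('token') && ! hash_equals((string) $_SESSION['token'], (string) GETPOST('token', 'alpha')))`. The warning logged in the mismatch branch includes `_SESSION['token']`, i.e. the currently valid token, so log readers learn the secret; dropping that field and keeping only the submitted value and referer is enough to diagnose a mismatch. The generator kept as context at the top of the hunk, `dol_hash(uniqid(mt_rand(), true))`, is not a cryptographic randomness source; seeding the hash from `random_bytes()` (or `openssl_random_pseudo_bytes()` where PHP 7 is not guaranteed) would be the defensive choice, though that line is not part of this change. The hunk opens inside the `if (! defined('NOTOKENRENEWAL'))` block whose start lies before it; the CSRF `if` itself is closed by the final brace shown.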
// Disable modules (this must be after session_start and after conf has been loaded)


@ -145,15 +145,25 @@ if (empty($reshook)) {
}
}
if ($action == 'confirm_delete' && $confirm == "yes" && $candisableuser) {
if ($id <> $user->id) {
if ($action == 'confirm_delete' && $confirm == "yes" && $candisableuser)
{
if ($id <> $user->id)
{
if (! GETPOSTISSET('token'))
{
print 'Error, token required for this critical operation';
exit;
}
$object = new User($db);
$object->fetch($id);
$result = $object->delete($user);
if ($result < 0) {
$langs->load("errors");
setEventMessages($langs->trans("ErrorUserCannotBeDelete"), null, 'errors');
} else {
setEventMessages($langs->trans("RecordDeleted"), null);
header("Location: ".DOL_URL_ROOT."/user/list.php?restore_lastsearch_values=1");
exit;
}
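Review bot: The added guard `if (! GETPOSTISSET('token'))` only checks that a token parameter is present, not that it matches the session; it is effective solely because main.inc.php (second file of this commit) clears `$_POST` and `$_GET['confirm']` when a supplied token does not match, and that coupling is invisible from this file. A comment on the guard should record it, e.g. `// Presence check only: main.inc.php has already cleared confirm/POST when the supplied token did not match $_SESSION['token']`, so a later change to that global check does not silently reopen the GET-based delete. The hard-coded `print 'Error, token required for this critical operation'; exit;` also bypasses the `setEventMessages()`/`$langs->trans()` pattern used a few lines below for the other error path; using `$langs->trans()` with an existing key would keep the page consistent, if one exists. The enclosing `if (empty($reshook))` starts before the hunk and the `confirm_delete` block continues past its last line.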