Mirrors/dolibarr
1
0
Fork 0
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-02-20 13:46:52 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix disable token renewal on .css.php, .js.php and .json.php

Browse Source
This commit is contained in:
Laurent Destailleur 2021-06-21 13:06:40 +02:00
parent 0dc16b135d
commit ac8564dc34
1 changed files with 10 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
htdocs/main.inc.php
View File

@ -413,15 +413,17 @@ if ((!empty($conf->global->MAIN_VERSION_LAST_UPGRADE) && ($conf->global->MAIN_VE
}
// Creation of a token against CSRF vulnerabilities
if (!defined('NOTOKENRENEWAL'))
{
// Rolling token at each call ($_SESSION['token'] contains token of previous page)
if (isset($_SESSION['newtoken'])) $_SESSION['token'] = $_SESSION['newtoken'];
if (!defined('NOTOKENRENEWAL')) {
// No token renewal on .css.php, .js.php and .json.php
if (!preg_match('/\.(css|js|json)\.php$/', $_SERVER["PHP_SELF"])) {
// Rolling token at each call ($_SESSION['token'] contains token of previous page)
if (isset($_SESSION['newtoken'])) $_SESSION['token'] = $_SESSION['newtoken'];
// Save in $_SESSION['newtoken'] what will be next token. Into forms, we will add param token = $_SESSION['newtoken']
$token = dol_hash(uniqid(mt_rand(), true)); // Generates a hash of a random number
$_SESSION['newtoken'] = $token;
dol_syslog("NEW TOKEN reclaimed by : " . $_SERVER['PHP_SELF'], LOG_DEBUG);
// Save in $_SESSION['newtoken'] what will be next token. Into forms, we will add param token = $_SESSION['newtoken']
$token = dol_hash(uniqid(mt_rand(), true)); // Generates a hash of a random number
$_SESSION['newtoken'] = $token;
dol_syslog("NEW TOKEN generated by : " . $_SERVER['PHP_SELF'], LOG_DEBUG);
}
}
//dol_syslog("aaaa - ".defined('NOCSRFCHECK')." - ".$dolibarr_nocsrfcheck." - ".$conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN." - ".$_SERVER['REQUEST_METHOD']." - ".GETPOST('token', 'alpha').' '.$_SESSION['token']);