From ac8564dc34f3df651970e31873ab1371b809689b Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 21 Jun 2021 13:06:40 +0200 Subject: [PATCH] Fix disable token renewal on .css.php, .js.php and .json.php --- htdocs/main.inc.php | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 437e024a3ae..2301ca75161 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -413,15 +413,17 @@ if ((!empty($conf->global->MAIN_VERSION_LAST_UPGRADE) && ($conf->global->MAIN_VE } // Creation of a token against CSRF vulnerabilities -if (!defined('NOTOKENRENEWAL')) -{ - // Rolling token at each call ($_SESSION['token'] contains token of previous page) - if (isset($_SESSION['newtoken'])) $_SESSION['token'] = $_SESSION['newtoken']; +if (!defined('NOTOKENRENEWAL')) { + // No token renewal on .css.php, .js.php and .json.php + if (!preg_match('/\.(css|js|json)\.php$/', $_SERVER["PHP_SELF"])) { + // Rolling token at each call ($_SESSION['token'] contains token of previous page) + if (isset($_SESSION['newtoken'])) $_SESSION['token'] = $_SESSION['newtoken']; - // Save in $_SESSION['newtoken'] what will be next token. Into forms, we will add param token = $_SESSION['newtoken'] - $token = dol_hash(uniqid(mt_rand(), true)); // Generates a hash of a random number - $_SESSION['newtoken'] = $token; - dol_syslog("NEW TOKEN reclaimed by : " . $_SERVER['PHP_SELF'], LOG_DEBUG); + // Save in $_SESSION['newtoken'] what will be next token. Into forms, we will add param token = $_SESSION['newtoken'] + $token = dol_hash(uniqid(mt_rand(), true)); // Generates a hash of a random number + $_SESSION['newtoken'] = $token; + dol_syslog("NEW TOKEN generated by : " . $_SERVER['PHP_SELF'], LOG_DEBUG); + } } //dol_syslog("aaaa - ".defined('NOCSRFCHECK')." - ".$dolibarr_nocsrfcheck." - ".$conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN." - ".$_SERVER['REQUEST_METHOD']." - ".GETPOST('token', 'alpha').' '.$_SESSION['token']);