Add the anti-csrf-token into header

This commit is contained in:
Laurent Destailleur 2022-08-10 22:24:45 +02:00
parent 9b58b61d60
commit c1bea1b1e4
2 changed files with 7 additions and 1 deletions


@ -536,7 +536,7 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
}
// Check a token is provided for all cases that need a mandatory token
// (all POST actions + all login, actions and mass actions on pages with CSRFCHECK_WITH_TOKEN set + all sensitive GET actions)
// (all POST actions + all sensitive GET actions + all mass actions + all login/actions/logout on pages with CSRFCHECK_WITH_TOKEN set)
if (
$_SERVER['REQUEST_METHOD'] == 'POST' ||
$sensitiveget ||
@ -1458,6 +1458,7 @@ function top_httphead($contenttype = 'text/html', $forcenocache = 0)
if ($forcenocache) {
header("Cache-Control: no-cache, no-store, must-revalidate, max-age=0");
}
header("anti-csrf-token: ".newToken());
}
/**
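Review bot: The new `header("anti-csrf-token: ".newToken());` at the end of top_httphead is emitted on every response, including the `$forcenocache == 0` path where this function sets no Cache-Control header at all, so a shared cache that stores such a response could hand one session's token to other clients. Unless callers always set caching headers elsewhere (not visible in this hunk), pair the token with a private, non-storable directive, e.g. `header("Cache-Control: private, no-store");` immediately before it, or emit the token only on responses already marked no-cache. A why-comment would also help the next reader, e.g. `// Expose the CSRF token in a response header so non-browser clients (see the DoliDroid note on the logout page) can send it back with their next request`. The earlier hunk at -536 only rewords the comment above the token-check condition, whose `if (` continues past the hunk.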


@ -33,6 +33,11 @@ if (!defined('NOREQUIREHTML')) {
if (!defined('NOREQUIREAJAX')) {
define('NOREQUIREAJAX', '1');
}
/* We do now force CSRF check so we can logout using logout.php page (required for DoliDroid for example)
if (!defined('CSRFCHECK_WITH_TOKEN')) {
define('CSRFCHECK_WITH_TOKEN', '1');
}
*/
//if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1'); // We need company to get correct logo onto home page
if (!defined('EVEN_IF_ONLY_LOGIN_ALLOWED')) {
define('EVEN_IF_ONLY_LOGIN_ALLOWED', '1');
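Review bot: The sentence opening the added `/* ... */` block says the page does "now force" the CSRF check, but the `define('CSRFCHECK_WITH_TOKEN', '1');` inside it is commented out, so the check is not forced here and the wording contradicts the code. Commented-out code is not a record of intent; replace the five lines with one comment stating the decision, e.g. `// CSRFCHECK_WITH_TOKEN is intentionally not defined here: logout must stay reachable without a token for clients such as DoliDroid (a forced cross-site logout is the accepted residual risk)`. If the intent is instead that such clients now obtain the token from the anti-csrf-token response header added in this commit, the define should be active rather than commented out, and the comment rewritten to say so.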