Mirrors/dolibarr
1
0
Fork 0
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-02-20 13:46:52 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix pb in token check

Browse Source
This commit is contained in:
Laurent Destailleur 2019-01-15 15:04:15 +01:00
parent 45a24df679
commit d814b66b36
3 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
htdocs/core/ajax/ajaxdirtree.php
View File

@ -31,7 +31,6 @@ if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU','1');
if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1');
if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1');
if (! isset($mode) || $mode != 'noajax') // For ajax call
{
$res=@include '../../main.inc.php';

5
htdocs/ecm/tpl/enablefiletreeajax.tpl.php
View File

@ -46,7 +46,8 @@ $(document).ready(function() {
$('#filetree').fileTree({
root: '<?php print dol_escape_js($openeddir); ?>',
// Ajax called if we click to expand a dir (not a file). Parameter 'dir' is provided as a POST parameter by fileTree code to this following URL.
script: '<?php echo DOL_URL_ROOT.'/core/ajax/ajaxdirtree.php?token='.urlencode($_SESSION['newtoken']).'&modulepart='.urlencode($module).(empty($preopened)?'':'&preopened='.urlencode($preopened)).'&openeddir='.urlencode($openeddir).(empty($paramwithoutsection)?'':$paramwithoutsection); ?>',
// We must use token=$_SESSION['token'] and not token=$_SESSION['newtoken'] here because ajaxdirtree has NOTOKENRENEWAL define so there is no rollup of token so we must compare with the one valid on main page
script: '<?php echo DOL_URL_ROOT.'/core/ajax/ajaxdirtree.php?token='.urlencode($_SESSION['token']).'&modulepart='.urlencode($module).(empty($preopened)?'':'&preopened='.urlencode($preopened)).'&openeddir='.urlencode($openeddir).(empty($paramwithoutsection)?'':$paramwithoutsection); ?>',
folderEvent: 'click', // 'dblclick'
multiFolder: false },
// Called if we click on a file (not a dir)
@ -90,7 +91,7 @@ function loadandshowpreview(filedirname,section)
{
//alert('filedirname='+filedirname);
//console.log(filedirname);
//console.log(section);
//console.log('loadandshowpreview for section='+section);
$('#ecmfileview').empty();

5
htdocs/main.inc.php
View File

@ -363,6 +363,8 @@ if ((! empty($conf->global->MAIN_VERSION_LAST_UPGRADE) && ($conf->global->MAIN_V
}
}
//var_dump(GETPOST('token').' '.$_SESSION['token'].' - '.$_SESSION['newtoken'].' '.$_SERVER['SCRIPT_FILENAME']);
// Creation of a token against CSRF vulnerabilities
if (! defined('NOTOKENRENEWAL'))
{
@ -373,6 +375,9 @@ if (! defined('NOTOKENRENEWAL'))
$token = dol_hash(uniqid(mt_rand(), true)); // Generates a hash of a random number
$_SESSION['newtoken'] = $token;
}
//var_dump(GETPOST('token').' '.$_SESSION['token'].' - '.$_SESSION['newtoken'].' '.$_SERVER['SCRIPT_FILENAME']);
// Check token
if ((! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN))
|| defined('CSRFCHECK_WITH_TOKEN')) // Check validity of token, only if option MAIN_SECURITY_CSRF_WITH_TOKEN enabled or if constant CSRFCHECK_WITH_TOKEN is set