Fix missing token in POST

Laurent Destailleur 2019-01-15 13:55:14 +01:00
parent 0f2406c202
commit ebf3ea39bf
2 changed files with 2 additions and 2 deletions


@ -46,7 +46,7 @@ $(document).ready(function() {
$('#filetree').fileTree({
root: '<?php print dol_escape_js($openeddir); ?>',
// Ajax called if we click to expand a dir (not a file). Parameter 'dir' is provided as a POST parameter by fileTree code to this following URL.
script: '<?php echo DOL_URL_ROOT.'/core/ajax/ajaxdirtree.php?modulepart='.$module.(empty($preopened)?'':'&preopened='.urlencode($preopened)).'&openeddir='.urlencode($openeddir).(empty($paramwithoutsection)?'':$paramwithoutsection); ?>',
script: '<?php echo DOL_URL_ROOT.'/core/ajax/ajaxdirtree.php?token='.urlencode($_SESSION['newtoken']).'&modulepart='.urlencode($module).(empty($preopened)?'':'&preopened='.urlencode($preopened)).'&openeddir='.urlencode($openeddir).(empty($paramwithoutsection)?'':$paramwithoutsection); ?>',
folderEvent: 'click', // 'dblclick'
multiFolder: false },
// Called if we click on a file (not a dir)
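Review bot: The new `script:` line carries the session CSRF token in the query string (`?token='.urlencode($_SESSION['newtoken'])`), so although the request is a POST the token is written wherever request URLs are recorded, such as web-server and proxy access logs. If the fileTree plugin can send extra POST fields, passing the token in the body next to `dir` would keep it out of those logs; whether the plugin allows that is not visible here. On the same line `$paramwithoutsection` is still appended unescaped into a single-quoted JavaScript string, while the `root:` line above uses `dol_escape_js()`; if that variable can hold request-derived text, wrapping the whole echoed expression in `dol_escape_js( … )` would close the gap. The `fileTree({ … })` call continues past the end of the hunk.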


@ -379,7 +379,7 @@ if ((! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && ! empty($conf->
{
if ($_SERVER['REQUEST_METHOD'] == 'POST' && ! GETPOSTISSET('token')) // Note, offender can still send request by GET
{
print "Access refused by CSRF protection in main.inc.php. Token not provided.\n";
print "Access by POST method refused by CSRF protection in main.inc.php. Token not provided.\n";
print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n";
die;
}
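Review bot: The refusal branch prints its message and calls `die` without setting a status, so as far as this hunk shows a blocked POST is answered with the default 200 and is hard to tell apart from a normal page in access logs or monitoring. Adding `http_response_code(403);` before the first `print` would make CSRF refusals countable and alertable. The condition tests only that a `token` parameter is present on POST; the comparison with the session value is presumably done outside the hunk and is worth confirming, since the enclosing `if` opens on the header line and its end is not visible. The printed hint to set `$dolibarr_nocsrfcheck=1` switches the protection off entirely, so the message could present it as a last resort after checking header propagation.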